[libvirt] [PATCH] selinux: Correctly report warning if virt_use_nfs not set
Previous patch c9b37fee tried to deal with virt_use_nfs. But setfilecon() returns EOPNOTSUPP on NFS so we need to move the warning to else branch. --- src/security/security_selinux.c | 27 +++++++++++++++------------ 1 files changed, 15 insertions(+), 12 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 028f5b2..9a9a305 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -420,23 +420,26 @@ SELinuxSetFilecon(const char *path, char *tcon) * virt_use_{nfs,usb,pci} boolean tunables to allow it... */ if (setfilecon_errno != EOPNOTSUPP) { - const char *errmsg; - if ((virStorageFileIsSharedFSType(path, - VIR_STORAGE_FILE_SHFS_NFS) == 1) && - security_get_boolean_active("virt_use_nfs") != 1) { - errmsg = _("unable to set security context '%s' on '%s'. " - "Consider setting virt_use_nfs"); - } else { - errmsg = _("unable to set security context '%s' on '%s'"); - } virReportSystemError(setfilecon_errno, - errmsg, + _("unable to set security context '%s' on '%s'"), tcon, path); if (security_getenforce() == 1) return -1; } else { - VIR_INFO("Setting security context '%s' on '%s' not supported", - tcon, path); + const char *msg; + if ((virStorageFileIsSharedFSType(path, + VIR_STORAGE_FILE_SHFS_NFS) == 1) && + security_get_boolean_active("virt_use_nfs") != 1) { + msg = _("Setting security context '%s' on '%s' not supported. " + "Consider setting virt_use_nfs"); + if (security_getenforce() == 1) + VIR_WARN(msg, tcon, path); + else + VIR_INFO(msg, tcon, path); + } else { + VIR_INFO(_("Setting security context '%s' " + "on '%s' not supported"), tcon, path); + } } } return 0; -- 1.7.3.4
On 09/22/2011 05:48 AM, Michal Privoznik wrote:
Previous patch c9b37fee tried to deal with virt_use_nfs. But setfilecon() returns EOPNOTSUPP on NFS so we need to move the warning to else branch.
I have a vague memory of the error code of something like this changing from some other error on an older version of RHEL to EOPNOTSUPP on newer version. It may have been for something else, but may be worth checking out to make sure this patch gives the desired results with, e.g. RHEL5 and RHEL6.0 as well as 6.2 and Fedora.
--- src/security/security_selinux.c | 27 +++++++++++++++------------ 1 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 028f5b2..9a9a305 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -420,23 +420,26 @@ SELinuxSetFilecon(const char *path, char *tcon) * virt_use_{nfs,usb,pci} boolean tunables to allow it... */ if (setfilecon_errno != EOPNOTSUPP) { - const char *errmsg; - if ((virStorageFileIsSharedFSType(path, - VIR_STORAGE_FILE_SHFS_NFS) == 1)&& - security_get_boolean_active("virt_use_nfs") != 1) { - errmsg = _("unable to set security context '%s' on '%s'. " - "Consider setting virt_use_nfs"); - } else { - errmsg = _("unable to set security context '%s' on '%s'"); - } virReportSystemError(setfilecon_errno, - errmsg, + _("unable to set security context '%s' on '%s'"), tcon, path); if (security_getenforce() == 1) return -1; } else { - VIR_INFO("Setting security context '%s' on '%s' not supported", - tcon, path); + const char *msg; + if ((virStorageFileIsSharedFSType(path, + VIR_STORAGE_FILE_SHFS_NFS) == 1)&& + security_get_boolean_active("virt_use_nfs") != 1) { + msg = _("Setting security context '%s' on '%s' not supported. " + "Consider setting virt_use_nfs"); + if (security_getenforce() == 1) + VIR_WARN(msg, tcon, path); + else + VIR_INFO(msg, tcon, path); + } else { + VIR_INFO(_("Setting security context '%s' " + "on '%s' not supported"), tcon, path); + }
You could turn this into an if () { ... } else if () { ... } else { ... } (ie, remove the extra nesting level of the new addition). I can live with it either way, though, so ACK.
} } return 0;
On 22.09.2011 18:56, Laine Stump wrote:
On 09/22/2011 05:48 AM, Michal Privoznik wrote:
Previous patch c9b37fee tried to deal with virt_use_nfs. But setfilecon() returns EOPNOTSUPP on NFS so we need to move the warning to else branch.
I have a vague memory of the error code of something like this changing from some other error on an older version of RHEL to EOPNOTSUPP on newer version. It may have been for something else, but may be worth checking out to make sure this patch gives the desired results with, e.g. RHEL5 and RHEL6.0 as well as 6.2 and Fedora.
Thanks. Pushed with this squashed in: diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 9a9a305..19ca801 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -419,7 +419,7 @@ SELinuxSetFilecon(const char *path, char *tcon) * The user hopefully set one of the necessary SELinux * virt_use_{nfs,usb,pci} boolean tunables to allow it... */ - if (setfilecon_errno != EOPNOTSUPP) { + if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP) { virReportSystemError(setfilecon_errno, _("unable to set security context '%s' on '%s'"), tcon, path);
On 09/22/2011 03:48 AM, Michal Privoznik wrote:
Previous patch c9b37fee tried to deal with virt_use_nfs. But setfilecon() returns EOPNOTSUPP on NFS so we need to move the warning to else branch. --- src/security/security_selinux.c | 27 +++++++++++++++------------ 1 files changed, 15 insertions(+), 12 deletions(-)
ACK. -- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org
participants (3)
-
Eric Blake -
Laine Stump -
Michal Privoznik