mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 21:55:25 +00:00
selinux: Swap two blocks handling setfilecon_raw() failure
In virSecuritySELinuxSetFileconImpl() we have code that handles setfilecon_raw() failure. The code consists of two blocks: one for dealing with shared filesystem like NFS (errno is ENOTSUP or EROFS) and the other block that's dealing with EPERM for privileged daemon. Well, the order of these two blocks is a bit confusing because the comment above them mentions the NFS case but EPERM block follows. Swap these two blocks to make it less confusing. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
This commit is contained in:
parent
029a892abd
commit
466920ea1d
@ -1261,22 +1261,9 @@ virSecuritySELinuxSetFileconImpl(const char *path,
|
||||
* boolean tunables to allow it ...
|
||||
*/
|
||||
VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
|
||||
if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP &&
|
||||
setfilecon_errno != EROFS) {
|
||||
if (setfilecon_errno == EOPNOTSUPP || setfilecon_errno == ENOTSUP ||
|
||||
setfilecon_errno == EROFS) {
|
||||
VIR_WARNINGS_RESET
|
||||
/* However, don't claim error if SELinux is in Enforcing mode and
|
||||
* we are running as unprivileged user and we really did see EPERM.
|
||||
* Otherwise we want to return error if SELinux is Enforcing. */
|
||||
if (security_getenforce() == 1 &&
|
||||
(setfilecon_errno != EPERM || privileged)) {
|
||||
virReportSystemError(setfilecon_errno,
|
||||
_("unable to set security context '%s' on '%s'"),
|
||||
tcon, path);
|
||||
return -1;
|
||||
}
|
||||
VIR_WARN("unable to set security context '%s' on '%s' (errno %d)",
|
||||
tcon, path, setfilecon_errno);
|
||||
} else {
|
||||
const char *msg;
|
||||
if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) == 1 &&
|
||||
security_get_boolean_active("virt_use_nfs") != 1) {
|
||||
@ -1290,6 +1277,19 @@ virSecuritySELinuxSetFileconImpl(const char *path,
|
||||
VIR_INFO("Setting security context '%s' on '%s' not supported",
|
||||
tcon, path);
|
||||
}
|
||||
} else {
|
||||
/* However, don't claim error if SELinux is in Enforcing mode and
|
||||
* we are running as unprivileged user and we really did see EPERM.
|
||||
* Otherwise we want to return error if SELinux is Enforcing. */
|
||||
if (security_getenforce() == 1 &&
|
||||
(setfilecon_errno != EPERM || privileged)) {
|
||||
virReportSystemError(setfilecon_errno,
|
||||
_("unable to set security context '%s' on '%s'"),
|
||||
tcon, path);
|
||||
return -1;
|
||||
}
|
||||
VIR_WARN("unable to set security context '%s' on '%s' (errno %d)",
|
||||
tcon, path, setfilecon_errno);
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
Loading…
Reference in New Issue
Block a user