security_selinux: Play nicely with network FS that only emulates SELinux

There are some network file systems that do support XATTRs (e.g. gluster via FUSE). And they appear to support SELinux too. However, not really. Problem is, that it is impossible to change SELinux label of a file stored there, and yet we claim success (rightfully - hypervisor succeeds in opening the file). But this creates a problem for us - from XATTR bookkeeping POV, we haven't changed the label and thus if we remembered any label, we must roll back and remove it. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2024-07-30 13:37:17 +00:00 · 2019-08-22 16:34:02 +02:00 · 2019-08-22 16:34:02 +02:00 · 8fe953805a
commit 8fe953805a
parent eaa2a064fa
1 changed files with 8 additions and 2 deletions
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -1384,12 +1384,18 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
        }
    }

-    if (virSecuritySELinuxSetFileconImpl(path, tcon, privileged) < 0)
+    rc = virSecuritySELinuxSetFileconImpl(path, tcon, privileged);
+    if (rc < 0)
        goto cleanup;

+    /* Do not try restoring the label if it was not changed
+     * (setting it failed in a non-critical fashion) */
+    if (rc == 0)
+        rollback = false;
+
    ret = 0;
 cleanup:
-    if (ret < 0 && rollback) {
+    if (rollback) {
        virErrorPtr origerr;

        virErrorPreserveLast(&origerr);