mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-24 22:55:23 +00:00
virSecuritySELinuxSetFileconHelper: Don't fail on read-only NFS
https://bugzilla.redhat.com/show_bug.cgi?id=996543

When starting up a domain, the SELinux labeling is done depending on the current configuration. If the labeling fails we check for possible causes, as not all labeling failures are fatal. For example, if the labeled file is on NFS which lacks SELinux support, the file can still be readable to the qemu process. These cases are distinguished by the errno code: NFS without SELinux support returns EOPNOTSUPP.

However, we were missing one scenario. In case there's a read-only disk on a read-only NFS (and possibly any FS) and the labeling is just optional (not explicitly requested in the XML) there's no need to make the labeling error fatal. In other words, a read-only file on read-only NFS can fail to be labeled, but be readable at the same time.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
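An added example, not libvirt's code and not part of this commit: a stand-alone C model of the errno classification the commit message describes for a failed `setfilecon_raw()` call. It takes the observed errno together with the `optional` flag and the enforcing mode as plain arguments instead of calling libselinux, so it runs anywhere. One assumption goes beyond the commit: EROFS is tolerated only when the label is optional, which is how the message scopes the relaxation. `classify_label_failure`, `label_failure_hint`, the `label_outcome` enum and the sample paths are all constructed for this example.

```c
/* Added example (not libvirt code): a stand-alone model of the errno
 * classification performed after setfilecon_raw() fails. Nothing here
 * touches the filesystem or libselinux; errno values are injected. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    LABEL_SKIPPED,   /* labelling impossible here; continue and rely on virt_use_* booleans */
    LABEL_REPORTED,  /* error reported but not fatal because SELinux is permissive */
    LABEL_FATAL      /* error reported; domain start must fail */
} label_outcome;

/* Decide what a failed relabel of a disk image means for domain startup.
 *   err       - errno left behind by setfilecon_raw()
 *   optional  - label was chosen by libvirt, not requested in the domain XML
 *   enforcing - what security_getenforce() == 1 would have returned
 * Assumption (follows the commit message, not the patched condition):
 * EROFS is only tolerated for optional labels. */
label_outcome
classify_label_failure(int err, bool optional, bool enforcing)
{
    /* Filesystem cannot carry SELinux labels at all (NFS without labelled
     * NFS support, usbfs, sysfs). Access then depends on the
     * virt_use_{nfs,usb,pci} booleans. ENOTSUP and EOPNOTSUPP share a value
     * on Linux but differ on some other systems, so both are checked. */
    if (err == EOPNOTSUPP || err == ENOTSUP)
        return LABEL_SKIPPED;

    /* Read-only mount: the file may still be readable; tolerate this only
     * when nobody asked for a specific label. */
    if (err == EROFS && optional)
        return LABEL_SKIPPED;

    /* Anything else (EACCES, ENOENT, EROFS on a mandatory label, ...) is a
     * real failure; whether it aborts startup depends on enforcing mode. */
    return enforcing ? LABEL_FATAL : LABEL_REPORTED;
}

/* Human-readable hint for the log line, so a later access denial can be
 * traced back to the label that was never applied. Only EOPNOTSUPP is
 * listed because ENOTSUP is the same value on Linux (duplicate case). */
const char *
label_failure_hint(int err)
{
    switch (err) {
    case EOPNOTSUPP: return "filesystem has no SELinux label support; check virt_use_{nfs,usb,pci}";
    case EROFS:      return "read-only filesystem; label left unchanged";
    default:         return strerror(err);
    }
}

int
main(void)
{
    /* Constructed scenarios: paths are invented, errno values are injected. */
    struct { const char *path; int err; bool optional; bool enforcing; } cases[] = {
        { "/mnt/nfs/disk.qcow2",      EOPNOTSUPP, false, true  },
        { "/mnt/ro-nfs/base.qcow2",   EROFS,      true,  true  },
        { "/mnt/ro-nfs/disk.qcow2",   EROFS,      false, true  },
        { "/var/lib/libvirt/a.qcow2", EACCES,     false, false },
    };
    static const char *names[] = { "skipped", "reported", "FATAL" };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        label_outcome o = classify_label_failure(cases[i].err,
                                                 cases[i].optional,
                                                 cases[i].enforcing);
        printf("%-28s errno=%-3d optional=%d enforcing=%d -> %-8s (%s)\n",
               cases[i].path, cases[i].err, (int)cases[i].optional,
               (int)cases[i].enforcing, names[o],
               label_failure_hint(cases[i].err));
    }
    return 0;
}
```

The third scenario is the one the commit's unconditional EROFS exemption would wave through: a mandatory label on a read-only mount. Keeping that case fatal (or at least logged at warning level) means a later denial on the image can be traced to the label that was never applied rather than appearing as an opaque qemu open failure.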
This commit is contained in:
parent
42358e3a0a
commit
d1fdecb624
@ -896,13 +896,14 @@ virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
|
|||||||
freecon(econ);
|
freecon(econ);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* if the error complaint is related to an image hosted on
|
/* If the error complaint is related to an image hosted on a (possibly
|
||||||
* an nfs mount, or a usbfs/sysfs filesystem not supporting
|
* read-only) NFS mount, or a usbfs/sysfs filesystem not supporting
|
||||||
* labelling, then just ignore it & hope for the best.
|
* labelling, then just ignore it & hope for the best. The user
|
||||||
* The user hopefully set one of the necessary SELinux
|
* hopefully sets one of the necessary SELinux virt_use_{nfs,usb,pci}
|
||||||
* virt_use_{nfs,usb,pci} boolean tunables to allow it...
|
* boolean tunables to allow it ...
|
||||||
*/
|
*/
|
||||||
if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP) {
|
if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP &&
|
||||||
|
setfilecon_errno != EROFS) {
|
||||||
virReportSystemError(setfilecon_errno,
|
virReportSystemError(setfilecon_errno,
|
||||||
_("unable to set security context '%s' on '%s'"),
|
_("unable to set security context '%s' on '%s'"),
|
||||||
tcon, path);
|
tcon, path);
|
||||||
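Review bot: the added `setfilecon_errno != EROFS` clause exempts a read-only filesystem unconditionally, whereas the commit message scopes the relaxation to a read-only disk whose labelling is optional; the hunk header shows the function already receives `bool optional`, but the new condition does not consult it. As written, a failed relabel of a writable image that happens to sit on a read-only mount is treated the same as an unsupported filesystem, and the domain starts without the intended context, which then only surfaces later as an access denial or an opaque qemu open failure. Consider keeping EROFS fatal for mandatory labels, e.g. `(setfilecon_errno != EROFS || !optional)`, and logging the skipped label at warning level so the missing context is visible when a later denial is investigated. Minor: the rewritten comment introduces a stray space in `allow it ...`.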
|