[libvirt] [PATCH] ignore SELinuxSetFilecon error in SELinuxSetSecurityFileLabel if on nfs

Laine Stump laine at laine.org
Thu Nov 11 17:20:56 UTC 2010


On 11/10/2010 03:35 PM, Eric Blake wrote:
> On 11/10/2010 12:52 PM, Laine Stump wrote:
>> If virDomainAttachDevice() was called with an image that was located
>> on a root-squashed NFS server, and in a directory that was unreadable
>> by root on the machine running libvirtd, the attach would fail due to
>> an attempt to change the selinux label of the image with EACCES (which
>> isn't covered as an ignore case in SELinuxSetFilecon())
>>
>> NFS doesn't support SELinux labelling anyway, so we mimic the failure
>> handling of commit 93a18bbafaf11729d3ca1241e11bee133d77fa77, which
>> just ignores the errors if the target is on an NFS filesystem (in
>> SELinuxSetSecurityAllLabel() only, though.)
>>
>> +    if (ret<  0&&
>> +        virStorageFileIsSharedFSType(path,
>> +                                     VIR_STORAGE_FILE_SHFS_NFS) != 1)
>> +       return ret;
>> +    else
>> +       return 0;
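Review bot: In the added `if (ret < 0 && ... != 1)` test, every failure from the labelling call is dropped once the path is on NFS, while the commit message only describes the EACCES case on a root-squashed export. Consider logging whenever an error is suppressed here, so that an image left without its label is visible to the administrator, and add a comment above the test saying why failures on NFS are safe to ignore. The `!= 1` with `else return 0` form also obscures the intent; testing `== 1` and returning 0 only in that branch reads more directly.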
> I had to scratch my head on this one.  It might be easier to read as:
>
> if (ret < 0 &&
>     virStorageFileIsSharedFSType(path, VIR_STORAGE_FILE_SHFS_NFS) == 1)
>     return 0;
> return ret;
>
> ACK, with that tweak.
>

Heh. The power of cut-paste - I had pasted the call to 
virStorageFileIsSharedFSType() from another use further down the file, 
and it used != 1. Since I was already thinking in that mode, it easily 
made sense to me, but coming from the outside it does seem simpler your way.

I pushed after making your change, as well as changing both occurrences 
of "return 0" to "ret = 0" so that the function now has only a single 
exit point.




