[libvirt] [PATCH] selinux: Detect virt_use_nfs boolean set

Michal Privoznik mprivozn at redhat.com
Thu Sep 8 16:26:05 UTC 2011


If we fail to set the label on a file and this file is on an NFS share,
it is wise to advise the user to set the virt_use_nfs SELinux boolean
variable.
---
 src/security/security_selinux.c |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ca54f9b..028f5b2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -420,8 +420,17 @@ SELinuxSetFilecon(const char *path, char *tcon)
          * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
          */
         if (setfilecon_errno != EOPNOTSUPP) {
+            const char *errmsg;
+            if ((virStorageFileIsSharedFSType(path,
+                                             VIR_STORAGE_FILE_SHFS_NFS) == 1) &&
+                security_get_boolean_active("virt_use_nfs") != 1) {
+                errmsg = _("unable to set security context '%s' on '%s'. "
+                           "Consider setting virt_use_nfs");
+            } else {
+                errmsg = _("unable to set security context '%s' on '%s'");
+            }
             virReportSystemError(setfilecon_errno,
-                                 _("unable to set security context '%s' on '%s'"),
+                                 errmsg,
                                  tcon, path);
             if (security_getenforce() == 1)
                 return -1;
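Review bot: The hint condition `security_get_boolean_active("virt_use_nfs") != 1` also matches the -1 error return (for example when the loaded policy does not define the boolean), so the user can be told to set something that is not there; compare with `== 0` instead. The hint also sits inside the `setfilecon_errno != EOPNOTSUPP` branch, while the comment just above ties the virt_use_* tunables to the not-supported case, so on an NFS mount that rejects labelling the advice would presumably never be shown; the else branch is outside this hunk, so confirm there. Passing the variable `errmsg` as the format to `virReportSystemError` means the compiler can no longer check it against `tcon, path`; both strings carry the same two `%s` today, but two calls with literal formats would keep that checked. Because virt_use_nfs is a policy-wide boolean rather than a per-file setting, the message could say so instead of recommending it without qualification. SELinuxSetFilecon begins before and continues after this hunk.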
-- 
1.7.3.4



