[libvirt] [PATCH] selinux: Detect virt_use_nfs boolean set

Daniel Veillard veillard at redhat.com
Fri Sep 9 07:24:32 UTC 2011


On Thu, Sep 08, 2011 at 06:26:05PM +0200, Michal Privoznik wrote:
> If we fail setting label on a file and this file is on NFS share,
> it is wise to advise user to set virt_use_nfs selinux boolean
> variable.
> ---
>  src/security/security_selinux.c |   11 ++++++++++-
>  1 files changed, 10 insertions(+), 1 deletions(-)
> 
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index ca54f9b..028f5b2 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -420,8 +420,17 @@ SELinuxSetFilecon(const char *path, char *tcon)
>           * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
>           */
>          if (setfilecon_errno != EOPNOTSUPP) {
> +            const char *errmsg;
> +            if ((virStorageFileIsSharedFSType(path,
> +                                             VIR_STORAGE_FILE_SHFS_NFS) == 1) &&
> +                security_get_boolean_active("virt_use_nfs") != 1) {
> +                errmsg = _("unable to set security context '%s' on '%s'. "
> +                           "Consider setting virt_use_nfs");
> +            } else {
> +                errmsg = _("unable to set security context '%s' on '%s'");
> +            }
>              virReportSystemError(setfilecon_errno,
> -                                 _("unable to set security context '%s' on '%s'"),
> +                                 errmsg,
>                                   tcon, path);
>              if (security_getenforce() == 1)
>                  return -1;
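
Review bot: the `security_get_boolean_active("virt_use_nfs") != 1` test in the new condition also matches the -1 that call returns on error (for example when the loaded policy has no such boolean), so the "Consider setting virt_use_nfs" hint would be printed on hosts where it cannot be followed. Comparing with `== 0` would limit the hint to the case where the boolean exists and is off. It is also worth confirming that the NFS failure actually reaches this `setfilecon_errno != EOPNOTSUPP` branch, since the comment just above it mentions the virt_use_{nfs,usb,pci} tunables. Finally, passing `errmsg` as a variable to virReportSystemError means the compiler can no longer check the format string against `tcon, path`, so the two strings have to be kept in step by hand.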

  I like this, definitely a usability enhancement (for a specific case)

  ACK

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/



