[libvirt] [PATCH] selinux: Detect virt_use_nfs boolean set

Michal Privoznik mprivozn at redhat.com
Fri Sep 9 07:34:20 UTC 2011


On 09.09.2011 09:24, Daniel Veillard wrote:
> On Thu, Sep 08, 2011 at 06:26:05PM +0200, Michal Privoznik wrote:
>> If we fail to set a label on a file and this file is on an NFS share,
>> it is wise to advise the user to set the virt_use_nfs SELinux boolean
>> variable.
>> ---
>>  src/security/security_selinux.c |   11 ++++++++++-
>>  1 files changed, 10 insertions(+), 1 deletions(-)
>>
>> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
>> index ca54f9b..028f5b2 100644
>> --- a/src/security/security_selinux.c
>> +++ b/src/security/security_selinux.c
>> @@ -420,8 +420,17 @@ SELinuxSetFilecon(const char *path, char *tcon)
>>           * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
>>           */
>>          if (setfilecon_errno != EOPNOTSUPP) {
>> +            const char *errmsg;
>> +            if ((virStorageFileIsSharedFSType(path,
>> +                                             VIR_STORAGE_FILE_SHFS_NFS) == 1) &&
>> +                security_get_boolean_active("virt_use_nfs") != 1) {
>> +                errmsg = _("unable to set security context '%s' on '%s'. "
>> +                           "Consider setting virt_use_nfs");
>> +            } else {
>> +                errmsg = _("unable to set security context '%s' on '%s'");
>> +            }
>>              virReportSystemError(setfilecon_errno,
>> -                                 _("unable to set security context '%s' on '%s'"),
>> +                                 errmsg,
>>                                   tcon, path);
>>              if (security_getenforce() == 1)
>>                  return -1;
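Review bot: passing the variable `errmsg` as the format argument to virReportSystemError, where the original passed a literal `_("unable to set security context '%s' on '%s'")`, means the compiler can no longer check the format against the trailing arguments `tcon, path`; both strings currently take exactly two `%s`, so the call is correct, but a later edit to either message would not be caught at build time. Keeping the literal format and appending the hint as a third argument (for example a `%s` that expands to `""` or to `_(". Consider setting virt_use_nfs")`) would preserve the check. Separately, `security_get_boolean_active("virt_use_nfs") != 1` treats a lookup failure (-1) the same as the boolean being off, so the hint is also shown when the boolean state is simply unknown; testing `== 0` would only suggest virt_use_nfs when it is known to be disabled.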
> 
>   I like this, definitely a usability enhancement (for a specific case)
> 
>   ACK
> 
> Daniel
> 
Thanks, pushed.

Michal
