[libvirt] [PATCH] qemuProcessStart: Be tolerant to relabel errors for session mode
John Ferlan
jferlan at redhat.com
Mon Jul 20 13:44:40 UTC 2015
On 07/15/2015 09:02 AM, Michal Privoznik wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1124841
>
> When the daemon is running under an unprivileged user, that is under
> qemu:///session, there are plenty of operations we can't do. What
> we can do is to go with best effort. One such case is
> relabeling domain resources (be it disks, sockets, regular files,
> etc.) during the domain startup process. While we may successfully set
> DAC labels, we can be fairly certain that any attempt to change
> SELinux labels will fail. Therefore we should tolerate relabelling
> errors and just let qemu try to access the resources. If it fails,
> our error reporting system is strong enough to articulate the
> exact error to the user anyway.
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
> src/qemu/qemu_process.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> index 1c0c734..58ed631 100644
> --- a/src/qemu/qemu_process.c
> +++ b/src/qemu/qemu_process.c
> @@ -4856,8 +4856,13 @@ int qemuProcessStart(virConnectPtr conn,
>
> VIR_DEBUG("Setting domain security labels");
> if (virSecurityManagerSetAllLabel(driver->securityManager,
> - vm->def, stdin_path) < 0)
> - goto cleanup;
> + vm->def, stdin_path) < 0) {
> + /* Be tolerant to relabel errors if we are running unprivileged. */
> + if (virQEMUDriverIsPrivileged(driver))
> + goto cleanup;
> + else
> + VIR_DEBUG("Ignoring relabel errors for unprivileged daemon");

How about just

    if (cond)
        goto
    VIR_DEBUG(or WARN)
    virResetLastError()

Otherwise, seems reasonable in principle, so ACK

John

> + }
>
> /* Security manager labeled all devices, therefore
> * if any operation from now on fails and we goto cleanup,
>
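
Review bot: In the new unprivileged branch, the failure of virSecurityManagerSetAllLabel() is recorded only at VIR_DEBUG level, and whatever error the call reported is left in place, so a user in session mode gets no visible sign that labeling was skipped and a later, unrelated failure could surface the stale relabel error. VIR_WARN followed by virResetLastError() in that branch would address both. The context comment directly after the hunk ("Security manager labeled all devices, therefore ...") also stops being true once a failed or partial labeling is tolerated; it should be reworded, and the cleanup path that relies on it checked for the case where labels were never applied. Lastly, the branch tolerates any failure from the call, while the commit message expects DAC labeling to succeed and only SELinux relabeling to fail; the code comment should say that DAC failures are ignored as well, or the condition should be narrowed.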