[libvirt] [PATCH] qemuProcessStart: Be tolerant to relabel errors for session mode

John Ferlan jferlan at redhat.com
Mon Jul 20 13:44:40 UTC 2015



On 07/15/2015 09:02 AM, Michal Privoznik wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1124841
> 
> When the daemon is running under an unprivileged user, that is under
> qemu:///session, there are plenty of operations we can't do. What
> we can do is to go with best effort. One of such cases is
> relabeling domain resources (be it disks, sockets, regular files,
> etc.) during domain startup process. While we may successfully set
> DAC labels, we can be fairly certain that any attempt to change
> SELinux labels will fail. Therefore we should tolerate relabelling
> errors and just let qemu try to access the resources. If it fails,
> our error reporting system is strong enough to articulate the
> exact error to the user anyway.
> 
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
>  src/qemu/qemu_process.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> index 1c0c734..58ed631 100644
> --- a/src/qemu/qemu_process.c
> +++ b/src/qemu/qemu_process.c
> @@ -4856,8 +4856,13 @@ int qemuProcessStart(virConnectPtr conn,
>  
>      VIR_DEBUG("Setting domain security labels");
>      if (virSecurityManagerSetAllLabel(driver->securityManager,
> -                                      vm->def, stdin_path) < 0)
> -        goto cleanup;
> +                                      vm->def, stdin_path) < 0) {
> +        /* Be tolerant to relabel errors if we are running unprivileged. */
> +        if (virQEMUDriverIsPrivileged(driver))
> +            goto cleanup;
> +        else
> +            VIR_DEBUG("Ignoring relabel errors for unprivileged daemon");

How about just

if (cond)
   goto

VIR_DEBUG(or WARN)
virResetLastError()

Otherwise, seems reasonable in principle, so ACK

John
> +    }
>  
>      /* Security manager labeled all devices, therefore
>       * if any operation from now on fails and we goto cleanup,
> 
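Review bot: In the new unprivileged branch after virSecurityManagerSetAllLabel(), every labeling failure is tolerated, not only the SELinux ones the commit message singles out, and it is recorded only via VIR_DEBUG, so a session-mode domain can start without its expected labels while nothing appears at the default log level. Any error the call reported is also left in place, so raising the message to VIR_WARN and calling virResetLastError() on this path, as suggested in the reply, would avoid a stale error surfacing later. The trailing context comment ("Security manager labeled all devices, therefore if any operation from now on fails and we goto cleanup,") no longer holds when the failure was ignored, so it is worth confirming that the later cleanup path copes with labels that were only partly applied, and updating that comment to say so.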



