[PATCH 2/2] selinux: Don't ignore ENOENT in Permissive mode
Michal Privoznik
mprivozn at redhat.com
Mon Sep 20 11:31:19 UTC 2021
In selinux driver there's virSecuritySELinuxSetFileconImpl()
which is responsible for actual setting of SELinux label on given
file and handling possible failures. In fhe failure handling code
we decide whether failure is fatal or not. But there is a bug:
depending on SELinux mode (Permissive vs. Enforcing) the ENOENT
is either ignored or considered fatal. This not correct - ENOENT
must always be fatal - QEMU will fail opening it anyways.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2004850
Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
---
src/security/security_selinux.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 050acee2b0..7e8c4fb4f2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1283,9 +1283,11 @@ virSecuritySELinuxSetFileconImpl(const char *path,
} else {
/* However, don't claim error if SELinux is in Enforcing mode and
* we are running as unprivileged user and we really did see EPERM.
- * Otherwise we want to return error if SELinux is Enforcing. */
- if (security_getenforce() == 1 &&
- (setfilecon_errno != EPERM || privileged)) {
+ * Otherwise we want to return error if SELinux is Enforcing, or we
+ * saw EPERM regardless of SELinux mode. */
+ if (setfilecon_errno == ENOENT ||
+ (security_getenforce() == 1 &&
+ (setfilecon_errno != EPERM || privileged))) {
virReportSystemError(setfilecon_errno,
_("unable to set security context '%s' on '%s'"),
tcon, path);
--
2.32.0
More information about the libvir-list
mailing list