|
 |
c401cc |
From 0b6a5202f6bb5fa998026786800a8e2470aceed5 Mon Sep 17 00:00:00 2001
|
|
|
c401cc |
Message-Id: <0b6a5202f6bb5fa998026786800a8e2470aceed5.1390394206.git.jdenemar@redhat.com>
|
|
|
c401cc |
From: Michal Privoznik <mprivozn@redhat.com>
|
|
|
c401cc |
Date: Fri, 17 Jan 2014 14:07:57 +0100
|
|
|
c401cc |
Subject: [PATCH] virSecuritySELinuxSetFileconHelper: Don't fail on read-only
|
|
|
c401cc |
NFS
|
|
|
c401cc |
|
|
|
c401cc |
https://bugzilla.redhat.com/show_bug.cgi?id=996543
|
|
|
c401cc |
|
|
|
c401cc |
When starting up a domain, the SELinux labeling is done depending on
|
|
|
c401cc |
current configuration. If the labeling fails we check for possible
|
|
|
c401cc |
causes, as not all labeling failures are fatal. For example, if the
|
|
|
c401cc |
labeled file is on NFS which lacks SELinux support, the file can still
|
|
|
c401cc |
be readable to qemu process. These cases are distinguished by the errno
|
|
|
c401cc |
code: NFS without SELinux support returns EOPNOTSUPP. However, we were
|
|
|
c401cc |
missing one scenario. In case there's a read-only disk on a read-only
|
|
|
c401cc |
NFS (and possibly any FS) and the labeling is just optional (not
|
|
|
c401cc |
explicitly requested in the XML) there's no need to make the labeling
|
|
|
c401cc |
error fatal. In other words, read-only file on read-only NFS can fail to
|
|
|
c401cc |
be labeled, but be readable at the same time.
|
|
|
c401cc |
|
|
|
c401cc |
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
|
|
|
c401cc |
(cherry picked from commit d1fdecb6240cab8872fd39b0a6dd0df1ebd52b86)
|
|
|
c401cc |
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
|
|
|
c401cc |
---
|
|
|
c401cc |
src/security/security_selinux.c | 13 +++++++------
|
|
|
c401cc |
1 file changed, 7 insertions(+), 6 deletions(-)
|
|
|
c401cc |
|
|
|
c401cc |
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
|
|
|
c401cc |
index 38de060..29520ad 100644
|
|
|
c401cc |
--- a/src/security/security_selinux.c
|
|
|
c401cc |
+++ b/src/security/security_selinux.c
|
|
|
c401cc |
@@ -898,13 +898,14 @@ virSecuritySELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
|
|
|
c401cc |
freecon(econ);
|
|
|
c401cc |
}
|
|
|
c401cc |
|
|
|
c401cc |
- /* if the error complaint is related to an image hosted on
|
|
|
c401cc |
- * an nfs mount, or a usbfs/sysfs filesystem not supporting
|
|
|
c401cc |
- * labelling, then just ignore it & hope for the best.
|
|
|
c401cc |
- * The user hopefully set one of the necessary SELinux
|
|
|
c401cc |
- * virt_use_{nfs,usb,pci} boolean tunables to allow it...
|
|
|
c401cc |
+ /* If the error complaint is related to an image hosted on a (possibly
|
|
|
c401cc |
+ * read-only) NFS mount, or a usbfs/sysfs filesystem not supporting
|
|
|
c401cc |
+ * labelling, then just ignore it & hope for the best. The user
|
|
|
c401cc |
+ * hopefully sets one of the necessary SELinux virt_use_{nfs,usb,pci}
|
|
|
c401cc |
+ * boolean tunables to allow it ...
|
|
|
c401cc |
*/
|
|
|
c401cc |
- if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP) {
|
|
|
c401cc |
+ if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP &&
|
|
|
c401cc |
+ setfilecon_errno != EROFS) {
|
|
|
c401cc |
virReportSystemError(setfilecon_errno,
|
|
|
c401cc |
_("unable to set security context '%s' on '%s'"),
|
|
|
c401cc |
tcon, path);
|
|
|
c401cc |
--
|
|
|
c401cc |
1.8.5.3
|
|
|
c401cc |
|