|
 |
073345 |
From 36d6dd80a2b3840e471add391e8b71556904fa60 Mon Sep 17 00:00:00 2001
|
|
|
073345 |
Message-Id: <36d6dd80a2b3840e471add391e8b71556904fa60@dist-git>
|
|
|
073345 |
From: Martin Kletzander <mkletzan@redhat.com>
|
|
|
073345 |
Date: Mon, 20 Jan 2020 12:55:56 +0100
|
|
|
073345 |
Subject: [PATCH] selinux: Do not report an error when not returning -1
|
|
|
073345 |
MIME-Version: 1.0
|
|
|
073345 |
Content-Type: text/plain; charset=UTF-8
|
|
|
073345 |
Content-Transfer-Encoding: 8bit
|
|
|
073345 |
|
|
|
073345 |
I guess the reason for that was the automatic interpretation/stringification of
|
|
|
073345 |
setfilecon_errno, but the code was not nice to read and it was a bit confusing.
|
|
|
073345 |
Also, the logs and error states get cleaner this way.
|
|
|
073345 |
|
|
|
073345 |
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
|
|
|
073345 |
(cherry picked from commit 86289374ef85f673677881ef863ae6b6ce7e88a2)
|
|
|
073345 |
|
|
|
073345 |
https://bugzilla.redhat.com/show_bug.cgi?id=1788096
|
|
|
073345 |
|
|
|
073345 |
Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
073345 |
Message-Id: <20200120115556.138061-2-fidencio@redhat.com>
|
|
|
073345 |
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
|
|
|
073345 |
---
|
|
|
073345 |
src/security/security_selinux.c | 12 ++++++++----
|
|
|
073345 |
1 file changed, 8 insertions(+), 4 deletions(-)
|
|
|
073345 |
|
|
|
073345 |
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
|
|
|
073345 |
index 96944d0202..0238f31e84 100644
|
|
|
073345 |
--- a/src/security/security_selinux.c
|
|
|
073345 |
+++ b/src/security/security_selinux.c
|
|
|
073345 |
@@ -1177,14 +1177,18 @@ virSecuritySELinuxSetFileconHelper(const char *path, const char *tcon,
|
|
|
073345 |
if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP &&
|
|
|
073345 |
setfilecon_errno != EROFS) {
|
|
|
073345 |
VIR_WARNINGS_RESET
|
|
|
073345 |
- virReportSystemError(setfilecon_errno,
|
|
|
073345 |
- _("unable to set security context '%s' on '%s'"),
|
|
|
073345 |
- tcon, path);
|
|
|
073345 |
/* However, don't claim error if SELinux is in Enforcing mode and
|
|
|
073345 |
* we are running as unprivileged user and we really did see EPERM.
|
|
|
073345 |
* Otherwise we want to return error if SELinux is Enforcing. */
|
|
|
073345 |
- if (security_getenforce() == 1 && (setfilecon_errno != EPERM || privileged))
|
|
|
073345 |
+ if (security_getenforce() == 1 &&
|
|
|
073345 |
+ (setfilecon_errno != EPERM || privileged)) {
|
|
|
073345 |
+ virReportSystemError(setfilecon_errno,
|
|
|
073345 |
+ _("unable to set security context '%s' on '%s'"),
|
|
|
073345 |
+ tcon, path);
|
|
|
073345 |
return -1;
|
|
|
073345 |
+ }
|
|
|
073345 |
+ VIR_WARN("unable to set security context '%s' on '%s' (errno %d)",
|
|
|
073345 |
+ tcon, path, setfilecon_errno);
|
|
|
073345 |
} else {
|
|
|
073345 |
const char *msg;
|
|
|
073345 |
if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) == 1 &&
|
|
|
073345 |
--
|
|
|
073345 |
2.25.0
|
|
|
073345 |
|