From 36d6dd80a2b3840e471add391e8b71556904fa60 Mon Sep 17 00:00:00 2001

Message-Id: <36d6dd80a2b3840e471add391e8b71556904fa60@dist-git>

From: Martin Kletzander <mkletzan@redhat.com>

Date: Mon, 20 Jan 2020 12:55:56 +0100

Subject: [PATCH] selinux: Do not report an error when not returning -1

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

I guess the reason for that was the automatic interpretation/stringification of

setfilecon_errno, but the code was not nice to read and it was a bit confusing.

Also, the logs and error states get cleaner this way.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>

(cherry picked from commit 86289374ef85f673677881ef863ae6b6ce7e88a2)

https://bugzilla.redhat.com/show_bug.cgi?id=1788096

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Message-Id: <20200120115556.138061-2-fidencio@redhat.com>

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

---

 src/security/security_selinux.c | 12 ++++++++----

 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c

index 96944d0202..0238f31e84 100644

--- a/src/security/security_selinux.c

+++ b/src/security/security_selinux.c

@@ -1177,14 +1177,18 @@ virSecuritySELinuxSetFileconHelper(const char *path, const char *tcon,

         if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP &&

             setfilecon_errno != EROFS) {

         VIR_WARNINGS_RESET

-            virReportSystemError(setfilecon_errno,

-                                 _("unable to set security context '%s' on '%s'"),

-                                 tcon, path);

             /* However, don't claim error if SELinux is in Enforcing mode and

              * we are running as unprivileged user and we really did see EPERM.

              * Otherwise we want to return error if SELinux is Enforcing. */

-            if (security_getenforce() == 1 && (setfilecon_errno != EPERM || privileged))

+            if (security_getenforce() == 1 &&

+                (setfilecon_errno != EPERM || privileged)) {

+                virReportSystemError(setfilecon_errno,

+                                     _("unable to set security context '%s' on '%s'"),

+                                     tcon, path);

                 return -1;

+            }

+            VIR_WARN("unable to set security context '%s' on '%s' (errno %d)",

+                     tcon, path, setfilecon_errno);

         } else {

             const char *msg;

             if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) == 1 &&

-- 

2.25.0