On 07/15/2015 09:02 AM, Michal Privoznik wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1124841 > > When the daemon is running under unprivileged user, that is under > qemu:///session, there are plenty of operations we can't do. What > we can do is to go with best effort. One of such cases is > relabeling domain resources (be it disks, sockets, regular files, > etc.) during domain startup process. While we may successfully set > DAC labels, we can be fairly certain that any attempt to change > SELinux labels will fail. Therefore we should tolerate relabelling > errors and just let qemu to try access the resources. If it fails, > our error reporting system is strong enough to articulate the > exact error to the user anyway. > > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> > --- > src/qemu/qemu_process.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c > index 1c0c734..58ed631 100644 > --- a/src/qemu/qemu_process.c > +++ b/src/qemu/qemu_process.c > @@ -4856,8 +4856,13 @@ int qemuProcessStart(virConnectPtr conn, > > VIR_DEBUG("Setting domain security labels"); > if (virSecurityManagerSetAllLabel(driver->securityManager, > - vm->def, stdin_path) < 0) > - goto cleanup; > + vm->def, stdin_path) < 0) { > + /* Be tolerant to relabel errors if we are running unprivileged. */ > + if (virQEMUDriverIsPrivileged(driver)) > + goto cleanup; > + else > + VIR_DEBUG("Ignoring relabel errors for unprivileged daemon"); How about just if (cond) goto VIR_DEBUG(or WARN) virResetLastError() Otherwise, seems reasonable in principal, so ACK John > + } > > /* Security manager labeled all devices, therefore > * if any operation from now on fails and we goto cleanup, > -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
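Review bot: In the new unprivileged branch after `virSecurityManagerSetAllLabel()` in qemuProcessStart, every labeling failure is ignored, not only the SELinux relabel failures the commit message argues for, and the only trace is a `VIR_DEBUG` line. A DAC labeling failure, which the commit message says may well succeed for a session daemon, takes the same path, and the domain then starts without the labels it was meant to have and with nothing visible at default log levels. Consider logging at warning level with the error text that was just raised, then calling `virResetLastError()` so that a later, unrelated failure does not report this stale error. The context comment directly below the hunk still says "Security manager labeled all devices", which is no longer guaranteed on this path, so that comment should be updated along with any code that relies on it.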