On Fri, Mar 08, 2024 at 04:26:27PM -0700, Jim Fehlig wrote:
> When performing an install, it's common for tooling such as virt-install
> to remove the install kernel/initrd once they are successfully booted and
> the domain has been redefined to boot without them. After the installation
> is complete and the domain is rebooted/shutdown, the DAC and selinux
> security drivers attempt to restore labels on the now deleted files. It's
> harmless wrt functionality, but results in error messages such as
>
> Mar 08 12:40:37 virtqemud[5639]: internal error: child reported (status=125): unable to stat: /var/lib/libvirt/boot/vir>
> Mar 08 12:40:37 virtqemud[5639]: unable to stat: /var/lib/libvirt/boot/virtinst-yvp19moo-linux: No such file or directo>
> Mar 08 12:40:37 virtqemud[5639]: Unable to run security manager transaction
>
> Avoid the messages by checking if the kernel and initrd still exist before
> including them in the restore label transaction.
>
> Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
> --- > src/security/security_dac.c | 4 ++-- > src/security/security_selinux.c | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/src/security/security_dac.c b/src/security/security_dac.c > index 4b8130630f..be606c6f33 100644 > --- a/src/security/security_dac.c > +++ b/src/security/security_dac.c 
> @@ -1993,11 +1993,11 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr, > rc = -1; > } > > - if (def->os.kernel && > + if (def->os.kernel && virFileExists(def->os.kernel) && > virSecurityDACRestoreFileLabel(mgr, def->os.kernel) < 0) > rc = -1; > > - if (def->os.initrd && > + if (def->os.initrd && virFileExists(def->os.initrd) && > virSecurityDACRestoreFileLabel(mgr, def->os.initrd) < 0) > rc = -1;

I wonder if this scenario is conceptually relevant to other files though.

e.g. someone created a qcow2 overlay for the disk, to capture writes, and then immediately unlinked it as they wanted to discard them. i.e. manual equivalent of QEMU's -snapshot arg.

Should we instead plumb something in so that the 'stat()' failure gets silently ignored when it is ENOENT, on a "restore" code path?

With regards,
Daniel
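Review bot: The virFileExists() calls added in front of virSecurityDACRestoreFileLabel() for def->os.kernel and def->os.initrd are a check-then-use pair, so the file can still be removed between the existence check and the stat() that runs when the restore transaction executes, and the "unable to stat" error from the commit message can still be logged. Per that message the failing stat() happens inside the transaction child, which is after these checks. Handling ENOENT where the restore path calls stat() would close that window and would cover any other file restored by this function, not only the kernel and initrd. If the virFileExists() guards stay, a one-line comment above each condition saying that a missing file is expected after an install and is skipped on purpose would keep a later reader from treating the silent skip as a lost label restore.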