[PATCH] selinux: Detect virt_use_nfs boolean set

If we fail to set a label on a file and this file is on an NFS share,
it is wise to advise the user to set the virt_use_nfs SELinux boolean
variable.
---
 src/security/security_selinux.c |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ca54f9b..028f5b2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -420,8 +420,17 @@ SELinuxSetFilecon(const char *path, char *tcon)
          * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
          */
         if (setfilecon_errno != EOPNOTSUPP) {
+            const char *errmsg;
+            if ((virStorageFileIsSharedFSType(path,
+                                             VIR_STORAGE_FILE_SHFS_NFS) == 1) &&
+                security_get_boolean_active("virt_use_nfs") != 1) {
+                errmsg = _("unable to set security context '%s' on '%s'. "
+                           "Consider setting virt_use_nfs");
+            } else {
+                errmsg = _("unable to set security context '%s' on '%s'");
+            }
             virReportSystemError(setfilecon_errno,
-                                 _("unable to set security context '%s' on '%s'"),
+                                 errmsg,
                                  tcon, path);
             if (security_getenforce() == 1)
                 return -1;
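Review bot: the virt_use_nfs hint is placed inside the `if (setfilecon_errno != EOPNOTSUPP)` branch, but the comment directly above ties the virt_use_{nfs,usb,pci} tunables to the case that this branch excludes. If setfilecon() on an NFS path fails with EOPNOTSUPP, the new message is never reported, so the user who most needs the advice does not see it. Consider moving the `virStorageFileIsSharedFSType(path, VIR_STORAGE_FILE_SHFS_NFS) == 1` and `security_get_boolean_active("virt_use_nfs") != 1` test to the EOPNOTSUPP path, or running it for both outcomes. Separately, passing the format through the `errmsg` variable means the compiler can no longer check the `'%s'` arguments against a literal format string. The two strings happen to take the same arguments today, but calling virReportSystemError() once per branch with a literal `_("...")` keeps that check. A short comment noting that `security_get_boolean_active()` returning an error is deliberately treated the same as "boolean off" would also help the next reader.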
-- 
1.7.3.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list