On Thu, Sep 08, 2011 at 06:26:05PM +0200, Michal Privoznik wrote: > If we fail setting label on a file and this file is on NFS share, > it is wise to advise user to set virt_use_nfs selinux boolean > variable. > --- > src/security/security_selinux.c | 11 ++++++++++- > 1 files changed, 10 insertions(+), 1 deletions(-) > > diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c > index ca54f9b..028f5b2 100644 > --- a/src/security/security_selinux.c > +++ b/src/security/security_selinux.c > @@ -420,8 +420,17 @@ SELinuxSetFilecon(const char *path, char *tcon) > * virt_use_{nfs,usb,pci} boolean tunables to allow it... > */ > if (setfilecon_errno != EOPNOTSUPP) { > + const char *errmsg; > + if ((virStorageFileIsSharedFSType(path, > + VIR_STORAGE_FILE_SHFS_NFS) == 1) && > + security_get_boolean_active("virt_use_nfs") != 1) { > + errmsg = _("unable to set security context '%s' on '%s'. " > + "Consider setting virt_use_nfs"); > + } else { > + errmsg = _("unable to set security context '%s' on '%s'"); > + } > virReportSystemError(setfilecon_errno, > - _("unable to set security context '%s' on '%s'"), > + errmsg, > tcon, path); > if (security_getenforce() == 1) > return -1; I like this, definitely a usability enhancement (for a specific case) ACK Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@xxxxxxxxxxxx | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/ -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
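Review bot: In the added condition, `security_get_boolean_active("virt_use_nfs") != 1` is also true when the call returns -1, which it does on failure (for example when the loaded policy does not define the boolean), so the "Consider setting virt_use_nfs" hint would be printed on hosts where no such boolean can be set. Comparing against `== 0` limits the hint to the case where the boolean exists and is off. A second point on the same hunk: `virReportSystemError` now receives the format through the variable `errmsg` instead of a string literal, so the compiler can no longer check the format against the `tcon, path` arguments. Both strings carry the same two `%s` conversions today, but calling `virReportSystemError` once in each branch with a literal format would keep that check and prevent the two messages from drifting apart later.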