[PATCH] sanlock: Enhance error message to point to possible problem with selinux


 



If the connection to the sanlock daemon is forbidden by SELinux, the
error message is not clear enough. This patch adds a check for whether
the proper SELinux configuration is in use while trying to connect to
sanlock.

*src/locking/lock_driver_sanlock.c:
        - add macro virLockSystemError that checks for selinux and
          reports an improved error message
        - modify calls of virReportSystemError to the new macro in
          appropriate places

Background:
https://bugzilla.redhat.com/show_bug.cgi?id=770488
---
 src/locking/lock_driver_sanlock.c |   83 +++++++++++++++++++++++--------------
 1 files changed, 52 insertions(+), 31 deletions(-)

diff --git a/src/locking/lock_driver_sanlock.c b/src/locking/lock_driver_sanlock.c
index d344d6a..d5634f9 100644
--- a/src/locking/lock_driver_sanlock.c
+++ b/src/locking/lock_driver_sanlock.c
@@ -35,6 +35,10 @@
 #include <sanlock_resource.h>
 #include <sanlock_admin.h>

+#if HAVE_SELINUX
+# include <selinux/selinux.h>
+#endif
+
 #include "lock_driver.h"
 #include "logging.h"
 #include "virterror_internal.h"
@@ -51,7 +55,23 @@
 #define virLockError(code, ...)                                     \
     virReportErrorHelper(VIR_FROM_THIS, code, __FILE__,             \
                          __FUNCTION__, __LINE__, __VA_ARGS__)
-
+#if HAVE_SELINUX
+# define virLockSystemError(theerrno, format, ...)                             \
+    do {                                                                       \
+        if ((theerrno)==EACCES &&                                              \
+            security_get_boolean_active("virt_use_sanlock") == 0) {            \
+            char errbuff[1024];                                                \
+            snprintf(errbuff, sizeof(errbuff), "%s %s", (format),              \
+                    _("(Consider setting virt_use_sanlock selinux variable)"));\
+            virReportSystemError((theerrno), errbuff, __VA_ARGS__);            \
+        } else {                                                               \
+            virReportSystemError((theerrno), (format), __VA_ARGS__);           \
+        }                                                                      \
+    } while(0);
+#else
+# define virLockSystemError(...) \
+    virReportSystemError(__VA_ARGS__);
+#endif

 #define VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE "__LIBVIRT__DISKS__"

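Review bot: In the SELinux branch of `virLockSystemError`, `errbuff` is assembled at run time from the caller's format and a separately translated hint and is then passed to `virReportSystemError` as the format string, so a `%` in any translation of the hint would be read as a conversion, and a long message is silently cut at 1024 bytes. Keeping the caller's literal format untouched and emitting the hint on its own (for example through `VIR_WARN`) would keep the format checkable at compile time. Both variants of the macro also end in a semicolon, which defeats the `do { } while (0)` wrapper as soon as the macro is used in front of an `else`; the last line should read `} while (0)` and the fallback `virReportSystemError(__VA_ARGS__)`. `security_get_boolean_active()` returns a negative value on failure, and treating that case as "no hint" looks intentional but deserves a one-line comment.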
@@ -186,9 +206,9 @@ static int virLockManagerSanlockSetupLockspace(void)
                                  _("Unable to query sector size %s: error %d"),
                                  path, rv);
                 else
-                    virReportSystemError(-rv,
-                                         _("Unable to query sector size %s"),
-                                         path);
+                    virLockSystemError(-rv,
+                                       _("Unable to query sector size %s"),
+                                       path);
                 goto error_unlink;
             }

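Review bot: The SELinux hint is now attached to the sector-size query on `path`, although the commit description ties the problem to the connection to the sanlock daemon. An `EACCES` at this point can just as well be an ordinary file-permission denial on the lease file, and with `virt_use_sanlock` off the message would steer the administrator towards relaxing SELinux policy instead of checking the file's ownership and mode. I would keep `virReportSystemError(-rv, _("Unable to query sector size %s"), path);` here and at the other sites that presumably do not go through the daemon connection (the lockspace and lease initialisation hunks, the second sector-size hunk and the lock-state parsing hunk), and use `virLockSystemError` only for "Failed to open socket to sanlock daemon" and the requests sent over that socket. The body of virLockManagerSanlockSetupLockspace continues outside the hunk.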
@@ -215,9 +235,9 @@ static int virLockManagerSanlockSetupLockspace(void)
                                  _("Unable to initialize lockspace %s: error %d"),
                                  path, rv);
                 else
-                    virReportSystemError(-rv,
-                                         _("Unable to initialize lockspace %s"),
-                                         path);
+                    virLockSystemError(-rv,
+                                       _("Unable to initialize lockspace %s"),
+                                       path);
                 goto error_unlink;
             }
             VIR_DEBUG("Lockspace %s has been initialized", path);
@@ -236,9 +256,9 @@ static int virLockManagerSanlockSetupLockspace(void)
                              _("Unable to add lockspace %s: error %d"),
                              path, rv);
             else
-                virReportSystemError(-rv,
-                                     _("Unable to add lockspace %s"),
-                                     path);
+                virLockSystemError(-rv,
+                                   _("Unable to add lockspace %s"),
+                                   path);
             goto error_unlink;
         } else {
             VIR_DEBUG("Lockspace %s is already registered", path);
@@ -559,9 +579,9 @@ static int virLockManagerSanlockCreateLease(struct sanlk_resource *res)
                                  _("Unable to query sector size %s: error %d"),
                                  res->disks[0].path, rv);
                 else
-                    virReportSystemError(-rv,
-                                         _("Unable to query sector size %s"),
-                                         res->disks[0].path);
+                    virLockSystemError(-rv,
+                                       _("Unable to query sector size %s"),
+                                       res->disks[0].path);
                 goto error_unlink;
             }

@@ -588,9 +608,9 @@ static int virLockManagerSanlockCreateLease(struct sanlk_resource *res)
                                  _("Unable to initialize lease %s: error %d"),
                                  res->disks[0].path, rv);
                 else
-                    virReportSystemError(-rv,
-                                         _("Unable to initialize lease %s"),
-                                         res->disks[0].path);
+                    virLockSystemError(-rv,
+                                       _("Unable to initialize lease %s"),
+                                       res->disks[0].path);
                 goto error_unlink;
             }
             VIR_DEBUG("Lease %s has been initialized", res->disks[0].path);
@@ -711,9 +731,9 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
                              _("Unable to parse lock state %s: error %d"),
                              state, rv);
             else
-                virReportSystemError(-rv,
-                                     _("Unable to parse lock state %s"),
-                                     state);
+                virLockSystemError(-rv,
+                                   _("Unable to parse lock state %s"),
+                                   state);
             goto error;
         }
         res_free = true;
@@ -736,8 +756,9 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
                          _("Failed to open socket to sanlock daemon: error %d"),
                          sock);
         else
-            virReportSystemError(-sock, "%s",
-                                 _("Failed to open socket to sanlock daemon"));
+            virLockSystemError(-sock, "%s",
+                               _("Failed to open socket to sanlock daemon"));
+
         goto error;
     }

@@ -750,8 +771,8 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
                 virLockError(VIR_ERR_INTERNAL_ERROR,
                              _("Failed to acquire lock: error %d"), rv);
             else
-                virReportSystemError(-rv, "%s",
-                                     _("Failed to acquire lock"));
+                virLockSystemError(-rv, "%s",
+                                   _("Failed to acquire lock"));
             goto error;
         }
     }
@@ -774,8 +795,8 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
                 virLockError(VIR_ERR_INTERNAL_ERROR,
                              _("Failed to restrict process: error %d"), rv);
             else
-                virReportSystemError(-rv, "%s",
-                                     _("Failed to restrict process"));
+                virLockSystemError(-rv, "%s",
+                                   _("Failed to restrict process"));
             goto error;
         }
     }
@@ -823,8 +844,8 @@ static int virLockManagerSanlockRelease(virLockManagerPtr lock,
                 virLockError(VIR_ERR_INTERNAL_ERROR,
                              _("Failed to inquire lock: error %d"), rv);
             else
-                virReportSystemError(-rv, "%s",
-                                     _("Failed to inquire lock"));
+                virLockSystemError(-rv, "%s",
+                                   _("Failed to inquire lock"));
             return -1;
         }

@@ -837,8 +858,8 @@ static int virLockManagerSanlockRelease(virLockManagerPtr lock,
             virLockError(VIR_ERR_INTERNAL_ERROR,
                          _("Failed to release lock: error %d"), rv);
         else
-            virReportSystemError(-rv, "%s",
-                                 _("Failed to release lock"));
+            virLockSystemError(-rv, "%s",
+                               _("Failed to release lock"));
         return -1;
     }

@@ -866,8 +887,8 @@ static int virLockManagerSanlockInquire(virLockManagerPtr lock,
             virLockError(VIR_ERR_INTERNAL_ERROR,
                          _("Failed to inquire lock: error %d"), rv);
         else
-            virReportSystemError(-rv, "%s",
-                                 _("Failed to inquire lock"));
+            virLockSystemError(-rv, "%s",
+                               _("Failed to inquire lock"));
         return -1;
     }

-- 
1.7.3.4
