Re: [PATCH] is_selinux_enabled returns -1 on error, account for this.

Michal Privoznik <mprivozn@xxxxxxxxxx> · Thu, 20 Mar 2014 16:27:44 +0100

On 18.03.2014 18:02, Scott Sullivan wrote:
Per the documentation, is_selinux_enabled() returns -1 on error. Account
for this. Previously when -1 was being returned the condition would
still be true. I was noticing this because on my system that has selinux
disabled I was getting this in the libvirt.log every 5 seconds:

error : virIdentityGetSystem:173 : Unable to lookup SELinux process
context: Invalid argument

With this patch applied, I no longer get these messages every 5 seconds.
I am submitting this in case its deemed useful for inclusion. Anyone
have any comments on this change? This is a patch off current master.


 From 23e0780db43ebd3ea90710750639df901c261674 Mon Sep 17 00:00:00 2001
From: Scott Sullivan <ssullivan@xxxxxxxxxxxxx>
Date: Tue, 18 Mar 2014 12:55:50 -0400
Subject: [PATCH] is_selinux_enabled returns -1 on error, account for this.

---
  src/security/security_selinux.c |    2 +-
  src/util/viridentity.c          |    2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/security/security_selinux.c
b/src/security/security_selinux.c
index 02c7496..5f46bef 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -784,7 +784,7 @@ error:
  static int
  virSecuritySELinuxSecurityDriverProbe(const char *virtDriver)
  {
-    if (!is_selinux_enabled())
+    if (is_selinux_enabled() <= 0)
          return SECURITY_DRIVER_DISABLE;

      if (virtDriver && STREQ(virtDriver, "LXC")) {
diff --git a/src/util/viridentity.c b/src/util/viridentity.c
index 351fdd7..05e7568 100644
--- a/src/util/viridentity.c
+++ b/src/util/viridentity.c
@@ -169,7 +169,7 @@ virIdentityPtr virIdentityGetSystem(void)
          goto cleanup;

  #if WITH_SELINUX
-    if (is_selinux_enabled()) {
+    if (is_selinux_enabled() > 0) {
          if (getcon(&con) < 0) {
              virReportSystemError(errno, "%s",
                                   _("Unable to lookup SELinux process
context"));


ACK, although I had some difficulties with applying this patch. I'd 
strongly recommend using 'git send-email' next time as it makes sure 
patch will apply cleanly.

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list







