Re: [libvirt] [PATCH] selinux: Detect virt_use_nfs boolean set
- From: Michal Privoznik <mprivozn redhat com>
- To: veillard redhat com
- Cc: libvir-list redhat com
- Subject: Re: [libvirt] [PATCH] selinux: Detect virt_use_nfs boolean set
- Date: Fri, 09 Sep 2011 09:34:20 +0200
On 09.09.2011 09:24, Daniel Veillard wrote:
> On Thu, Sep 08, 2011 at 06:26:05PM +0200, Michal Privoznik wrote:
>> If we fail setting label on a file and this file is on NFS share,
>> it is wise to advise user to set virt_use_nfs selinux boolean
>> variable.
>> ---
>> src/security/security_selinux.c | 11 ++++++++++-
>> 1 files changed, 10 insertions(+), 1 deletions(-)
>>
>> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
>> index ca54f9b..028f5b2 100644
>> --- a/src/security/security_selinux.c
>> +++ b/src/security/security_selinux.c
>> @@ -420,8 +420,17 @@ SELinuxSetFilecon(const char *path, char *tcon)
>> * virt_use_{nfs,usb,pci} boolean tunables to allow it...
>> */
>> if (setfilecon_errno != EOPNOTSUPP) {
>> + const char *errmsg;
>> + if ((virStorageFileIsSharedFSType(path,
>> + VIR_STORAGE_FILE_SHFS_NFS) == 1) &&
>> + security_get_boolean_active("virt_use_nfs") != 1) {
>> + errmsg = _("unable to set security context '%s' on '%s'. "
>> + "Consider setting virt_use_nfs");
>> + } else {
>> + errmsg = _("unable to set security context '%s' on '%s'");
>> + }
>> virReportSystemError(setfilecon_errno,
>> - _("unable to set security context '%s' on '%s'"),
>> + errmsg,
>> tcon, path);
>> if (security_getenforce() == 1)
>> return -1;
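Review bot: In the new condition, `security_get_boolean_active("virt_use_nfs") != 1` is also true for the -1 error return, so the "Consider setting virt_use_nfs" hint is printed when the boolean cannot be queried at all, not only when it is off; comparing with `== 0` would limit the hint to the case where the boolean is known to be disabled. Separately, passing `errmsg` as a non-literal format to virReportSystemError means the compiler can no longer check `tcon, path` against the format string. Both messages take the same two `%s` arguments, so it is correct as written, but two virReportSystemError calls with literal formats in the if/else branches would keep that check. The hint could also say that virt_use_nfs is an SELinux boolean, since the message gives the user no other clue about where to set it.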
>
> I like this, definitely a usability enhancement (for a specific case)
>
> ACK
>
> Daniel
>
Thanks, pushed.
Michal