[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] selinux: Detect virt_use_nfs boolean set



On 09.09.2011 09:24, Daniel Veillard wrote:
> On Thu, Sep 08, 2011 at 06:26:05PM +0200, Michal Privoznik wrote:
>> If we fail setting label on a file and this file is on NFS share,
>> it is wise to advise user to set virt_use_nfs selinux boolean
>> variable.
>> ---
>>  src/security/security_selinux.c |   11 ++++++++++-
>>  1 files changed, 10 insertions(+), 1 deletions(-)
>>
>> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
>> index ca54f9b..028f5b2 100644
>> --- a/src/security/security_selinux.c
>> +++ b/src/security/security_selinux.c
>> @@ -420,8 +420,17 @@ SELinuxSetFilecon(const char *path, char *tcon)
>>           * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
>>           */
>>          if (setfilecon_errno != EOPNOTSUPP) {
>> +            const char *errmsg;
>> +            if ((virStorageFileIsSharedFSType(path,
>> +                                             VIR_STORAGE_FILE_SHFS_NFS) == 1) &&
>> +                security_get_boolean_active("virt_use_nfs") != 1) {
>> +                errmsg = _("unable to set security context '%s' on '%s'. "
>> +                           "Consider setting virt_use_nfs");
>> +            } else {
>> +                errmsg = _("unable to set security context '%s' on '%s'");
>> +            }
>>              virReportSystemError(setfilecon_errno,
>> -                                 _("unable to set security context '%s' on '%s'"),
>> +                                 errmsg,
>>                                   tcon, path);
>>              if (security_getenforce() == 1)
>>                  return -1;
> 
>   I like this, definitely a usability enhancement (for a specific case)
> 
>   ACK
> 
> Daniel
> 
Thanks, pushed.

Michal


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]