
[libvirt] [PATCH] sanlock: Enhance error message to point to possible problem with selinux



If the connection to the sanlock daemon is forbidden by selinux the
error message was not clear enough. This patch adds a check if proper
configuration for selinux is used while trying to connect to sanlock.

*src/locking/lock_driver_sanlock.c:
        - add macro virLockSystemError that checks for selinux and
          reports an improved error message
        - modify calls of virReportSystemError to the new macro in
          appropriate places

Background:
https://bugzilla.redhat.com/show_bug.cgi?id=770488
---
 src/locking/lock_driver_sanlock.c |   83 +++++++++++++++++++++++--------------
 1 files changed, 52 insertions(+), 31 deletions(-)

diff --git a/src/locking/lock_driver_sanlock.c b/src/locking/lock_driver_sanlock.c
index d344d6a..d5634f9 100644
--- a/src/locking/lock_driver_sanlock.c
+++ b/src/locking/lock_driver_sanlock.c
@@ -35,6 +35,10 @@
 #include <sanlock_resource.h>
 #include <sanlock_admin.h>

+#if HAVE_SELINUX
+# include <selinux/selinux.h>
+#endif
+
 #include "lock_driver.h"
 #include "logging.h"
 #include "virterror_internal.h"
@@ -51,7 +55,23 @@
 #define virLockError(code, ...)                                     \
     virReportErrorHelper(VIR_FROM_THIS, code, __FILE__,             \
                          __FUNCTION__, __LINE__, __VA_ARGS__)
-
+#if HAVE_SELINUX
+# define virLockSystemError(theerrno, format, ...)                             \
+    do {                                                                       \
+        if ((theerrno)==EACCES &&                                              \
+            security_get_boolean_active("virt_use_sanlock") == 0) {            \
+            char errbuff[1024];                                                \
+            snprintf(errbuff, sizeof(errbuff), "%s %s", (format),              \
+                    _("(Consider setting virt_use_sanlock selinux variable)"));\
+            virReportSystemError((theerrno), errbuff, __VA_ARGS__);            \
+        } else {                                                               \
+            virReportSystemError((theerrno), (format), __VA_ARGS__);           \
+        }                                                                      \
+    } while(0);
+#else
+# define virLockSystemError(...) \
+    virReportSystemError(__VA_ARGS__);
+#endif

 #define VIR_LOCK_MANAGER_SANLOCK_AUTO_DISK_LOCKSPACE "__LIBVIRT__DISKS__"

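Review bot: Both definitions of `virLockSystemError` end in a semicolon (`} while(0);` and `virReportSystemError(__VA_ARGS__);`), so each use expands to two statements and `if (x) virLockSystemError(...); else ...` would not compile. The call sites in this patch all sit in a final `else`, which is why it builds today. Drop the trailing `;` from both, giving `} while (0)` and `virReportSystemError(__VA_ARGS__)`. In the SELinux branch `errbuff` is passed on as the format string, so the compiler's printf-format checking no longer sees a literal, and the translated hint must never contain a `%`. A comment above the macro such as `/* the hint is spliced into a format string: it must not contain '%' */` would record that constraint.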
@@ -186,9 +206,9 @@ static int virLockManagerSanlockSetupLockspace(void)
                                  _("Unable to query sector size %s: error %d"),
                                  path, rv);
                 else
-                    virReportSystemError(-rv,
-                                         _("Unable to query sector size %s"),
-                                         path);
+                    virLockSystemError(-rv,
+                                       _("Unable to query sector size %s"),
+                                       path);
                 goto error_unlink;
             }

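Review bot: The SELinux hint is attached to any EACCES while `virt_use_sanlock` is off, but here the failing operation is a sector-size query on `path`, where EACCES can equally come from ordinary file ownership or mode bits. The same concern applies to the lockspace and lease initialisation hunks, the second sector-size hunk and the parse-lock-state hunk below. An administrator who follows the hint would enable the boolean and loosen policy without fixing the real cause. The commit message scopes the check to connecting to the sanlock daemon, so consider keeping `virReportSystemError` at call sites that are not a daemon connection, or documenting at the macro that `/* EACCES may also be a plain permission problem on the path; the hint is advisory */`. The enclosing function starts and ends outside the hunk.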
@@ -215,9 +235,9 @@ static int virLockManagerSanlockSetupLockspace(void)
                                  _("Unable to initialize lockspace %s: error %d"),
                                  path, rv);
                 else
-                    virReportSystemError(-rv,
-                                         _("Unable to initialize lockspace %s"),
-                                         path);
+                    virLockSystemError(-rv,
+                                       _("Unable to initialize lockspace %s"),
+                                       path);
                 goto error_unlink;
             }
             VIR_DEBUG("Lockspace %s has been initialized", path);
@@ -236,9 +256,9 @@ static int virLockManagerSanlockSetupLockspace(void)
                              _("Unable to add lockspace %s: error %d"),
                              path, rv);
             else
-                virReportSystemError(-rv,
-                                     _("Unable to add lockspace %s"),
-                                     path);
+                virLockSystemError(-rv,
+                                   _("Unable to add lockspace %s"),
+                                   path);
             goto error_unlink;
         } else {
             VIR_DEBUG("Lockspace %s is already registered", path);
@@ -559,9 +579,9 @@ static int virLockManagerSanlockCreateLease(struct sanlk_resource *res)
                                  _("Unable to query sector size %s: error %d"),
                                  res->disks[0].path, rv);
                 else
-                    virReportSystemError(-rv,
-                                         _("Unable to query sector size %s"),
-                                         res->disks[0].path);
+                    virLockSystemError(-rv,
+                                       _("Unable to query sector size %s"),
+                                       res->disks[0].path);
                 goto error_unlink;
             }

@@ -588,9 +608,9 @@ static int virLockManagerSanlockCreateLease(struct sanlk_resource *res)
                                  _("Unable to initialize lease %s: error %d"),
                                  res->disks[0].path, rv);
                 else
-                    virReportSystemError(-rv,
-                                         _("Unable to initialize lease %s"),
-                                         res->disks[0].path);
+                    virLockSystemError(-rv,
+                                       _("Unable to initialize lease %s"),
+                                       res->disks[0].path);
                 goto error_unlink;
             }
             VIR_DEBUG("Lease %s has been initialized", res->disks[0].path);
@@ -711,9 +731,9 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
                              _("Unable to parse lock state %s: error %d"),
                              state, rv);
             else
-                virReportSystemError(-rv,
-                                     _("Unable to parse lock state %s"),
-                                     state);
+                virLockSystemError(-rv,
+                                   _("Unable to parse lock state %s"),
+                                   state);
             goto error;
         }
         res_free = true;
@@ -736,8 +756,9 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
                          _("Failed to open socket to sanlock daemon: error %d"),
                          sock);
         else
-            virReportSystemError(-sock, "%s",
-                                 _("Failed to open socket to sanlock daemon"));
+            virLockSystemError(-sock, "%s",
+                               _("Failed to open socket to sanlock daemon"));
+
         goto error;
     }

@@ -750,8 +771,8 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
                 virLockError(VIR_ERR_INTERNAL_ERROR,
                              _("Failed to acquire lock: error %d"), rv);
             else
-                virReportSystemError(-rv, "%s",
-                                     _("Failed to acquire lock"));
+                virLockSystemError(-rv, "%s",
+                                   _("Failed to acquire lock"));
             goto error;
         }
     }
@@ -774,8 +795,8 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
                 virLockError(VIR_ERR_INTERNAL_ERROR,
                              _("Failed to restrict process: error %d"), rv);
             else
-                virReportSystemError(-rv, "%s",
-                                     _("Failed to restrict process"));
+                virLockSystemError(-rv, "%s",
+                                   _("Failed to restrict process"));
             goto error;
         }
     }
@@ -823,8 +844,8 @@ static int virLockManagerSanlockRelease(virLockManagerPtr lock,
                 virLockError(VIR_ERR_INTERNAL_ERROR,
                              _("Failed to inquire lock: error %d"), rv);
             else
-                virReportSystemError(-rv, "%s",
-                                     _("Failed to inquire lock"));
+                virLockSystemError(-rv, "%s",
+                                   _("Failed to inquire lock"));
             return -1;
         }

@@ -837,8 +858,8 @@ static int virLockManagerSanlockRelease(virLockManagerPtr lock,
             virLockError(VIR_ERR_INTERNAL_ERROR,
                          _("Failed to release lock: error %d"), rv);
         else
-            virReportSystemError(-rv, "%s",
-                                 _("Failed to release lock"));
+            virLockSystemError(-rv, "%s",
+                               _("Failed to release lock"));
         return -1;
     }

@@ -866,8 +887,8 @@ static int virLockManagerSanlockInquire(virLockManagerPtr lock,
             virLockError(VIR_ERR_INTERNAL_ERROR,
                          _("Failed to inquire lock: error %d"), rv);
         else
-            virReportSystemError(-rv, "%s",
-                                 _("Failed to inquire lock"));
+            virLockSystemError(-rv, "%s",
+                               _("Failed to inquire lock"));
         return -1;
     }

-- 
1.7.3.4

