mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-23 21:34:54 +03:00
ignore SELinuxSetFilecon error in SELinuxSetSecurityFileLabel if on nfs
If virDomainAttachDevice() was called with an image that was located on a root-squashed NFS server, and in a directory that was unreadable by root on the machine running libvirtd, the attach would fail due to an attempt to change the selinux label of the image with EACCES (which isn't covered as an ignore case in SELinuxSetFilecon()) NFS doesn't support SELinux labelling anyway, so we mimic the failure handling of commit93a18bbafa
, which just ignores the errors if the target is on an NFS filesystem (in SELinuxSetSecurityAllLabel() only, though.) This can be seen as a follow-on to commit347d266c51
, which ignores file open failures of files on NFS that occur directly in virDomainDiskDefForeachPath() (also necessary), but does not ignore failures in functions that are called from there (eg SELinuxSetSecurityFileLabel()).
This commit is contained in:
parent
a926156792
commit
5b04f42c6f
@ -453,20 +453,26 @@ SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
|
||||
void *opaque)
|
||||
{
|
||||
const virSecurityLabelDefPtr secdef = opaque;
|
||||
int ret;
|
||||
|
||||
if (depth == 0) {
|
||||
if (disk->shared) {
|
||||
return SELinuxSetFilecon(path, default_image_context);
|
||||
ret = SELinuxSetFilecon(path, default_image_context);
|
||||
} else if (disk->readonly) {
|
||||
return SELinuxSetFilecon(path, default_content_context);
|
||||
ret = SELinuxSetFilecon(path, default_content_context);
|
||||
} else if (secdef->imagelabel) {
|
||||
return SELinuxSetFilecon(path, secdef->imagelabel);
|
||||
ret = SELinuxSetFilecon(path, secdef->imagelabel);
|
||||
} else {
|
||||
return 0;
|
||||
ret = 0;
|
||||
}
|
||||
} else {
|
||||
return SELinuxSetFilecon(path, default_content_context);
|
||||
ret = SELinuxSetFilecon(path, default_content_context);
|
||||
}
|
||||
if (ret < 0 &&
|
||||
virStorageFileIsSharedFSType(path,
|
||||
VIR_STORAGE_FILE_SHFS_NFS) == 1)
|
||||
ret = 0;
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
|
Loading…
Reference in New Issue
Block a user