From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 22 Aug 2019 17:19:09 +0200
Message-Id: <9e987adb5e416204ec373181f11455fa1eb5dbc0.1566486921.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH 6/6] security_selinux: Play nicely with network FS that only emulates SELinux

There are some network file systems that do support XATTRs (e.g. gluster via FUSE). And they appear to support SELinux too. However, not really. Problem is, that it is impossible to change SELinux label of a file stored there, and yet we claim success (rightfully - hypervisor succeeds in opening the file). But this creates a problem for us - from XATTR bookkeeping POV, we haven't changed the label and thus if we remembered any label, we must roll back and remove it.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
--- src/security/security_selinux.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 855eaafdda..4d0c7a46ae 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -1384,12 +1384,22 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr = mgr, } } =20 - if (virSecuritySELinuxSetFileconImpl(path, tcon, privileged) < 0) + if ((rc =3D virSecuritySELinuxSetFileconImpl(path, tcon, privileged)) = < 0) goto cleanup; =20 + /* At this point, we can claim success. However, + * virSecuritySELinuxSetFileconImpl() could returned 0 + * (SELinux label changed) or 1 (SELinux label NOT changed in + * a non-critical fashion). If the label was NOT changed, we + * must remove remembered label then - there's nothing to + * remember, is there? But of the label was changed, don't + * remove the remembered label. It's valid. */ + if (rc =3D=3D 0) + rollback =3D false; + ret =3D 0; cleanup: - if (ret < 0 && rollback) { + if (rollback) { virErrorPtr origerr; =20 virErrorPreserveLast(&origerr); --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
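
Review bot: At the `cleanup:` label, changing `if (ret < 0 && rollback)` to `if (rollback)` makes the rollback block run on the success path as well (when the Impl call returned 1), so correctness now depends on `rollback` being true only when a label was actually remembered. Its initialization and the earlier `goto cleanup` paths are outside this hunk and should be checked against that assumption. The block opens with `virErrorPreserveLast(&origerr)`, which was written for the failure path; please confirm that running it with no pending error is harmless, and decide whether a failure to remove the remembered label should be reported, since `ret` is already 0 at that point. The new comment is the only place the 0 versus 1 return convention of `virSecuritySELinuxSetFileconImpl()` is spelled out here, so it is worth documenting at the helper itself too. Two typos in the comment: "could returned" should be "could return", and "But of the label" should be "But if the label".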