From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 22 Aug 2019 17:19:04 +0200
Message-Id: <51ef68cffcb06411d971c084919c9485d72bf4a4.1566486921.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH 1/6] virSecuritySELinuxGetProcessLabel: Fix comment

This function has funny approach to retvals. Document them more clearly.

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
--- src/security/security_selinux.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 9857223bbf..0523613d4a 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -1257,9 +1257,20 @@ virSecuritySELinuxGetProcessLabel(virSecurityManager= Ptr mgr ATTRIBUTE_UNUSED, return 0; } =20 -/* Attempt to change the label of PATH to TCON. If OPTIONAL is true, - * return 1 if labelling was not possible. Otherwise, require a label - * change, and return 0 for success, -1 for failure. */ +/** + * virSecuritySELinuxSetFileconImpl: + * @path: path to the file to set context on + * @tcon: target context to set + * @optional: whether to treat errors as fatal + * @privileged: whether running as privileged user + * + * Set @tcon SELinux context on @path. If unable to do so, check SELinux + * configuration and produce sensible error message suggesting solution. + * + * Returns: -1 if failed to set context and SELinux is in enforcing mode + * 1 if failed to set context and @optional is true + * 0 otherwise. + */ static int virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon, bool optional, bool privileged) --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
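
Review bot: In the new doc comment, the line "@optional: whether to treat errors as fatal" does not match the Returns block below it: there @optional only decides whether a failed relabel is reported as 1, while -1 depends on SELinux being in enforcing mode. Suggest describing it from the caller's side, for example "@optional: if true, return 1 instead of 0 when the context could not be set and the failure is not fatal", and spelling out that "0 otherwise" also covers a non-fatal failure with @optional false, since that is the case a caller can mistake for a successful relabel. The subject line names virSecuritySELinuxGetProcessLabel, which is only the hunk context; the comment being rewritten belongs to virSecuritySELinuxSetFileconImpl.
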
From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 22 Aug 2019 17:19:05 +0200
Message-Id: <196c19c031271b00dcb85e4d9cf6e041893b7fe4.1566486921.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH 2/6] virSecuritySELinuxSetFileconImpl: Drop @optional argument

The only thing that the @optional argument does is that it makes the function return 1 instead of 0 if setting SELinux context failed in a non-critical fashion. Drop the argument then and return 1 in that case. This enables caller to learn if SELinux context was set or not.

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
--- src/security/security_selinux.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 0523613d4a..35385f4a23 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -1261,19 +1261,23 @@ virSecuritySELinuxGetProcessLabel(virSecurityManage= rPtr mgr ATTRIBUTE_UNUSED, * virSecuritySELinuxSetFileconImpl: * @path: path to the file to set context on * @tcon: target context to set - * @optional: whether to treat errors as fatal * @privileged: whether running as privileged user * * Set @tcon SELinux context on @path. If unable to do so, check SELinux * configuration and produce sensible error message suggesting solution. + * It may happen that setting context fails but hypervisor will be able to + * open the @path successfully. This is because some file systems don't + * support SELinux, are RO, or the @path had the correct context from the + * start. If that is the case, a positive one is returned. * * Returns: -1 if failed to set context and SELinux is in enforcing mode - * 1 if failed to set context and @optional is true - * 0 otherwise. + * 1 if failed to set context, + * 0 if context was set successfully. */ static int -virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon, - bool optional, bool privileged) +virSecuritySELinuxSetFileconImpl(const char *path, + const char *tcon, + bool privileged) { security_context_t econ; =20 @@ -1289,7 +1293,7 @@ virSecuritySELinuxSetFileconImpl(const char *path, co= nst char *tcon, if (STREQ(tcon, econ)) { freecon(econ); /* It's alright, there's nothing to change anyway. */ - return optional ? 1 : 0; + return 1; } freecon(econ); } @@ -1326,9 +1330,9 @@ virSecuritySELinuxSetFileconImpl(const char *path, co= nst char *tcon, VIR_INFO("Setting security context '%s' on '%s' not suppor= ted", tcon, path); } - if (optional) - return 1; } + + return 1; } return 0; } @@ -1388,7 +1392,7 @@ virSecuritySELinuxSetFileconHelper(virSecurityManager= Ptr mgr, } } =20 - if (virSecuritySELinuxSetFileconImpl(path, tcon, optional, privileged)= < 0) + if (virSecuritySELinuxSetFileconImpl(path, tcon, privileged) < 0) goto cleanup; =20 ret =3D 0; 
@@ -1553,7 +1557,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManager= Ptr mgr, } } =20 - if (virSecuritySELinuxSetFileconImpl(newpath, fcon, false, privileged)= < 0) + if (virSecuritySELinuxSetFileconImpl(newpath, fcon, privileged) < 0) goto cleanup; =20 ret =3D 0; --=20 2.21.0
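
Review bot: The rewritten Returns block in the virSecuritySELinuxSetFileconImpl comment reads "1 if failed to set context," which overlaps with the -1 line above it and also has to cover the STREQ(tcon, econ) branch, where the file already carries the requested label. A caller that reads 1 as "label not applied" cannot tell those cases apart; suggest "1 if the context was not set but the failure is not fatal (file system without SELinux support, read-only file system, or label already correct)" and ending the line with a period rather than a comma. Both call sites converted here, in virSecuritySELinuxSetFileconHelper and virSecuritySELinuxRestoreFileLabel, still test only "< 0" and then assign ret = 0, so the new value does not reach their callers in this patch.
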
From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 22 Aug 2019 17:19:06 +0200
Message-Id: <3a17cbd2688fc05cb3ecb95f0e313f64b155f150.1566486921.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH 3/6] security_selinux: Drop virSecuritySELinuxSetFileconOptional()

There is no real difference between virSecuritySELinuxSetFilecon() and virSecuritySELinuxSetFileconOptional(). Drop the latter in favour of the former.

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
--- src/security/security_selinux.c | 53 ++++++++++++++------------------- 1 file changed, 22 insertions(+), 31 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 35385f4a23..0d9790829e 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1419,15 +1419,6 @@ virSecuritySELinuxSetFileconHelper(virSecurityManage= rPtr mgr, } =20 =20 -static int -virSecuritySELinuxSetFileconOptional(virSecurityManagerPtr mgr, - const char *path, - const char *tcon, - bool remember) -{ - return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, true, remem= ber); -} - static int virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr, const char *path, 
@@ -1884,28 +1875,28 @@ virSecuritySELinuxSetImageLabelInternal(virSecurity= ManagerPtr mgr, parent_seclabel->label, remembe= r); } else if (!parent || parent =3D=3D src) { if (src->shared) { - ret =3D virSecuritySELinuxSetFileconOptional(mgr, - src->path, - data->file_context, - remember); + ret =3D virSecuritySELinuxSetFilecon(mgr, + src->path, + data->file_context, + remember); } else if (src->readonly) { - ret =3D virSecuritySELinuxSetFileconOptional(mgr, - src->path, - data->content_conte= xt, - remember); + ret =3D virSecuritySELinuxSetFilecon(mgr, + src->path, + data->content_context, + remember); } else if (secdef->imagelabel) { - ret =3D virSecuritySELinuxSetFileconOptional(mgr, - src->path, - secdef->imagelabel, - remember); + ret =3D virSecuritySELinuxSetFilecon(mgr, + src->path, + secdef->imagelabel, + remember); } else { ret =3D 0; } } else { - ret =3D virSecuritySELinuxSetFileconOptional(mgr, - src->path, - data->content_context, - remember); + ret =3D virSecuritySELinuxSetFilecon(mgr, + src->path, + data->content_context, + remember); } =20 if (ret =3D=3D 1 && !disk_seclabel) { 
@@ -2045,14 +2036,14 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevicePtr dev, return 0; =20 if (virSCSIDeviceGetShareable(dev)) - return virSecuritySELinuxSetFileconOptional(mgr, file, - data->file_context, tr= ue); + return virSecuritySELinuxSetFilecon(mgr, file, + data->file_context, true); else if (virSCSIDeviceGetReadonly(dev)) - return virSecuritySELinuxSetFileconOptional(mgr, file, - data->content_context,= true); + return virSecuritySELinuxSetFilecon(mgr, file, + data->content_context, true); else - return virSecuritySELinuxSetFileconOptional(mgr, file, - secdef->imagelabel, tr= ue); + return virSecuritySELinuxSetFilecon(mgr, file, + secdef->imagelabel, true); } =20 static int --=20 2.21.0
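
Review bot: In virSecuritySELinuxSetImageLabelInternal the unchanged check "if (ret == 1 && !disk_seclabel)" that follows the converted calls depends on virSecuritySELinuxSetFilecon being able to return 1, but the part of virSecuritySELinuxSetFileconHelper visible in patch 2/6 tests the Impl result only for "< 0" and then sets ret = 0. Please either forward the positive return value through the helper or state in the commit message that this branch is not reachable from the calls converted here; "no real difference" between the two wrappers is hard to confirm from the diff otherwise. The three return statements in virSecuritySELinuxSetSCSILabel hand the same value straight to their caller, so the meaning of a positive return should be documented for that path as well.
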
From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 22 Aug 2019 17:19:07 +0200
Message-Id: <74a114621385178fe0569a770e670ab5a2de2a73.1566486921.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH 4/6] security_selinux: Drop @optional from _virSecuritySELinuxContextItem

Now, that we don't need to remember if setting context is 'optional' (the argument only made virSecuritySELinuxSetFileconImpl() return a different success code), we can drop it from the _virSecuritySELinuxContextItem structure as we don't need to remember it in transactions.

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
--- src/security/security_selinux.c | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 0d9790829e..e7cf5f2e53 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -81,7 +81,6 @@ typedef virSecuritySELinuxContextItem *virSecuritySELinux= ContextItemPtr; struct _virSecuritySELinuxContextItem { char *path; char *tcon; - bool optional; bool remember; /* Whether owner remembering should be done for @path/@= src */ bool restore; /* Whether current operation is 'set' or 'restore' */ }; 
@@ -122,7 +121,6 @@ static int virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list, const char *path, const char *tcon, - bool optional, bool remember, bool restore) { @@ -135,7 +133,6 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxC= ontextListPtr list, if (VIR_STRDUP(item->path, path) < 0 || VIR_STRDUP(item->tcon, tcon) <= 0) goto cleanup; =20 - item->optional =3D optional; item->remember =3D remember; item->restore =3D restore; =20 @@ -170,7 +167,6 @@ virSecuritySELinuxContextListFree(void *opaque) * virSecuritySELinuxTransactionAppend: * @path: Path to chown * @tcon: target context - * @optional: true if setting @tcon is optional * @remember: if the original owner should be recorded/recalled * @restore: if current operation is set or restore * @@ -187,7 +183,6 @@ virSecuritySELinuxContextListFree(void *opaque) static int virSecuritySELinuxTransactionAppend(const char *path, const char *tcon, - bool optional, bool remember, bool restore) { @@ -198,7 +193,7 @@ virSecuritySELinuxTransactionAppend(const char *path, return 0; =20 if (virSecuritySELinuxContextListAppend(list, path, tcon, - optional, remember, restore) <= 0) + remember, restore) < 0) return -1; =20 return 1; @@ -234,7 +229,6 @@ virSecuritySELinuxRecallLabel(const char *path, static int virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr, const char *path, const char *tcon, - bool optional, bool remember); =20 =20 @@ -290,7 +284,6 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UN= USED, rv =3D virSecuritySELinuxSetFileconHelper(list->manager, item->path, item->tcon, - item->optional, remember); } else { rv =3D virSecuritySELinuxRestoreFileLabel(list->manager, @@ -1342,7 +1335,6 @@ static int virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr, const char *path, const char *tcon, - bool optional, bool remember) { bool privileged =3D virSecurityManagerGetPrivileged(mgr); 
@@ -1353,7 +1345,7 @@ virSecuritySELinuxSetFileconHelper(virSecurityManager= Ptr mgr, int ret =3D -1; =20 if ((rc =3D virSecuritySELinuxTransactionAppend(path, tcon, - optional, remember, fals= e)) < 0) + remember, false)) < 0) return -1; else if (rc > 0) return 0; @@ -1425,7 +1417,7 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mg= r, const char *tcon, bool remember) { - return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, false, reme= mber); + return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, remember); } =20 static int 
@@ -1512,7 +1504,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManager= Ptr mgr, } =20 if ((rc =3D virSecuritySELinuxTransactionAppend(path, NULL, - false, recall, true)) < = 0) { + recall, true)) < 0) { goto cleanup; } else if (rc > 0) { ret =3D 0; --=20 2.21.0
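
Review bot: The doc comment of virSecuritySELinuxTransactionAppend, edited by the @@ -170,7 hunk, still says "@path: Path to chown" although the function queues an SELinux context change and takes a @tcon, not an owner. Since the comment block is being touched anyway, reword it to match the other comment in this file, for example "@path: path to the file to set context on". The rest of the patch removes the parameter consistently across the struct, the list append, the transaction append and the helper prototype; it would help to say in the commit message that virSecuritySELinuxRestoreFileLabel always passed false, so the restore path does not change.
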
From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 22 Aug 2019 17:19:08 +0200
Message-Id: <3664b7fd114a455b462ec1f410bf5571e1283f8d.1566486921.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH 5/6] security_selinux: Drop virSecuritySELinuxSetFileconHelper

This function is no longer needed because after previous commits it's just an alias to virSecuritySELinuxSetFilecon.

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
--- src/security/security_selinux.c | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index e7cf5f2e53..855eaafdda 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -226,7 +226,7 @@ virSecuritySELinuxRecallLabel(const char *path, } =20 =20 -static int virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr, +static int virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr, const char *path, const char *tcon, bool remember); 
@@ -281,10 +281,10 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_= UNUSED, const bool remember =3D item->remember && list->lock; =20 if (!item->restore) { - rv =3D virSecuritySELinuxSetFileconHelper(list->manager, - item->path, - item->tcon, - remember); + rv =3D virSecuritySELinuxSetFilecon(list->manager, + item->path, + item->tcon, + remember); } else { rv =3D virSecuritySELinuxRestoreFileLabel(list->manager, item->path, @@ -1332,10 +1332,10 @@ virSecuritySELinuxSetFileconImpl(const char *path, =20 =20 static int -virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr, - const char *path, - const char *tcon, - bool remember) +virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr, + const char *path, + const char *tcon, + bool remember) { bool privileged =3D virSecurityManagerGetPrivileged(mgr); security_context_t econ =3D NULL; 
@@ -1411,15 +1411,6 @@ virSecuritySELinuxSetFileconHelper(virSecurityManage= rPtr mgr, } =20 =20 -static int -virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr, - const char *path, - const char *tcon, - bool remember) -{ - return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, remember); -} - static int virSecuritySELinuxFSetFilecon(int fd, char *tcon) { --=20 2.21.0
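
Review bot: In the @@ -226,7 hunk only the first line of the forward declaration is renamed; the "const char *path,", "const char *tcon," and "bool remember);" continuation lines stay as unchanged context, so they keep the indentation chosen for the longer virSecuritySELinuxSetFileconHelper name, whereas the definition in the @@ -1332,10 hunk re-indents all of its parameters. Re-align the prototype's continuation lines the same way so the declaration and the definition match. The commit message calls the helper "just an alias" of virSecuritySELinuxSetFilecon, but it is the wrapper that is deleted and the helper body that is kept under the new name; saying so would make the rename easier to follow in the log.
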
From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 22 Aug 2019 17:19:09 +0200
Message-Id: <9e987adb5e416204ec373181f11455fa1eb5dbc0.1566486921.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH 6/6] security_selinux: Play nicely with network FS that only emulates SELinux

There are some network file systems that do support XATTRs (e.g.
gluster via FUSE). And they appear to support SELinux too.
However, not really. Problem is, that it is impossible to change
SELinux label of a file stored there, and yet we claim success
(rightfully - hypervisor succeeds in opening the file). But this
creates a problem for us - from XATTR bookkeeping POV, we haven't
changed the label and thus if we remembered any label, we must
roll back and remove it.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
---
 src/security/security_selinux.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 855eaafdda..4d0c7a46ae 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c
@@ -1384,12 +1384,22 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr = mgr, } } =20 - if (virSecuritySELinuxSetFileconImpl(path, tcon, privileged) < 0) + if ((rc =3D virSecuritySELinuxSetFileconImpl(path, tcon, privileged)) = < 0) goto cleanup; =20 + /* At this point, we can claim success. However, + * virSecuritySELinuxSetFileconImpl() could returned 0 + * (SELinux label changed) or 1 (SELinux label NOT changed in + * a non-critical fashion). If the label was NOT changed, we + * must remove remembered label then - there's nothing to + * remember, is there? But of the label was changed, don't + * remove the remembered label. It's valid. */ + if (rc =3D=3D 0) + rollback =3D false; + ret =3D 0; cleanup: - if (ret < 0 && rollback) { + if (rollback) { virErrorPtr origerr; =20 virErrorPreserveLast(&origerr); --=20 2.21.0
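Review bot: changing the cleanup condition from `if (ret < 0 && rollback)` to `if (rollback)` makes the rollback block run on the success path as well (ret is 0 while rc is 1), so everything under it, starting with virErrorPreserveLast(&origerr), has to be safe when no error is pending and must not leave a fresh error behind while the function still returns 0. The declaration of rc is not part of this hunk, so check that it exists in the function. In the new comment, "could returned" should read "could have returned" and "But of the label" should read "But if the label".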
From: Martin Kletzander
To: libvir-list@redhat.com
Cc: mprivozn@redhat.com
Date: Thu, 29 Aug 2019 17:39:11 +0200
Message-Id: <38f93e5f719e27b12221176d3c96bcc27a30da56.1567093058.git.mkletzan@redhat.com>
Subject: [libvirt] [PATCH] selinux: Do not report an error when not returning -1

I guess the reason for that was the automatic interpretation/stringification
of setfilecon_errno, but the code was not nice to read and it was a bit confusing.
Also, the logs and error states get cleaner this way.

Signed-off-by: Martin Kletzander
Reviewed-by: Michal Privoznik
---
I'm still waiting for the build in travis to finish, so don't stone me if it
fails. The link is here: https://travis-ci.org/nertpinx/libvirt/builds/578418517

 src/security/security_selinux.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 4d0c7a46ae23..bbb5318aa0ee 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c
@@ -1301,14 +1301,18 @@ virSecuritySELinuxSetFileconImpl(const char *path, if (setfilecon_errno !=3D EOPNOTSUPP && setfilecon_errno !=3D ENOT= SUP && setfilecon_errno !=3D EROFS) { VIR_WARNINGS_RESET - virReportSystemError(setfilecon_errno, - _("unable to set security context '%s' on= '%s'"), - tcon, path); /* However, don't claim error if SELinux is in Enforcing mode = and * we are running as unprivileged user and we really did see E= PERM. * Otherwise we want to return error if SELinux is Enforcing. = */ - if (security_getenforce() =3D=3D 1 && (setfilecon_errno !=3D E= PERM || privileged)) + if (security_getenforce() =3D=3D 1 && + (setfilecon_errno !=3D EPERM || privileged)) { + virReportSystemError(setfilecon_errno, + _("unable to set security context '%s= ' on '%s'"), + tcon, path); return -1; + } + VIR_WARN(_("unable to set security context '%s' on '%s' (errno= %d)"), + tcon, path, setfilecon_errno); } else { const char *msg; if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) =3D=3D 1 && --=20 2.23.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
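Review bot: the added VIR_WARN wraps its format string in _(), but libvirt's log macros normally take untranslated strings and only the virReportSystemError text needs the marker, so drop the _() on the warning. The warning also prints setfilecon_errno as a bare number with %d, whereas the virReportSystemError call it replaces on this path turned the errno into text; formatting it as a string would keep the non-fatal case as readable in the logs as the fatal one.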