NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

virSecuritySELinuxSetFileconImpl: Drop @optional argument

Browse Source 
The only thing that the @optional argument does is that it makes
the function return 1 instead of 0 if setting SELinux context
failed in a non-critical fashion. Drop the argument then and
return 1 in that case. This enables caller to learn if SELinux
context was set or not.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
This commit is contained in:
Michal Privoznik 2019-08-21 17:50:55 +02:00
parent c87c42f0eb
commit 34712a5e3b
1 changed files with 25 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
src/security/security_selinux.c
View File

@ -1257,12 +1257,27 @@ virSecuritySELinuxGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return 0; return 0;
} }
/* Attempt to change the label of PATH to TCON. If OPTIONAL is true, /**
* return 1 if labelling was not possible. Otherwise, require a label * virSecuritySELinuxSetFileconImpl:
* change, and return 0 for success, -1 for failure. */ * @path: path to the file to set context on
* @tcon: target context to set
* @privileged: whether running as privileged user
*
* Set @tcon SELinux context on @path. If unable to do so, check SELinux
* configuration and produce sensible error message suggesting solution.
* It may happen that setting context fails but hypervisor will be able to
* open the @path successfully. This is because some file systems don't
* support SELinux, are RO, or the @path had the correct context from the
* start. If that is the case, a positive one is returned.
*
* Returns: 0 if context was set successfully
* 1 if setting the context failed in a non-critical fashion
* -1 in case of error
*/
static int static int
virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon, virSecuritySELinuxSetFileconImpl(const char *path,
bool optional, bool privileged) const char *tcon,
bool privileged)
{ {
security_context_t econ; security_context_t econ;
@ -1278,7 +1293,7 @@ virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon,
if (STREQ(tcon, econ)) { if (STREQ(tcon, econ)) {
freecon(econ); freecon(econ);
/* It's alright, there's nothing to change anyway. */ /* It's alright, there's nothing to change anyway. */
return optional ? 1 : 0; return 1;
} }
freecon(econ); freecon(econ);
} }
@ -1315,9 +1330,9 @@ virSecuritySELinuxSetFileconImpl(const char *path, const char *tcon,
VIR_INFO("Setting security context '%s' on '%s' not supported", VIR_INFO("Setting security context '%s' on '%s' not supported",
tcon, path); tcon, path);
} }
if (optional)
return 1;
} }
return 1;
} }
return 0; return 0;
} }
@ -1377,7 +1392,7 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
} }
} }
if (virSecuritySELinuxSetFileconImpl(path, tcon, optional, privileged) < 0) if (virSecuritySELinuxSetFileconImpl(path, tcon, privileged) < 0)
goto cleanup; goto cleanup;
ret = 0; ret = 0;
@ -1542,7 +1557,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
} }
} }
if (virSecuritySELinuxSetFileconImpl(newpath, fcon, false, privileged) < 0) if (virSecuritySELinuxSetFileconImpl(newpath, fcon, privileged) < 0)
goto cleanup; goto cleanup;
ret = 0; ret = 0;