diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 4d4a1705e6..e9c4051a98 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1261,22 +1261,9 @@ virSecuritySELinuxSetFileconImpl(const char *path, * boolean tunables to allow it ... */ VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR - if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP && - setfilecon_errno != EROFS) { + if (setfilecon_errno == EOPNOTSUPP || setfilecon_errno == ENOTSUP || + setfilecon_errno == EROFS) { VIR_WARNINGS_RESET - /* However, don't claim error if SELinux is in Enforcing mode and - * we are running as unprivileged user and we really did see EPERM. - * Otherwise we want to return error if SELinux is Enforcing. */ - if (security_getenforce() == 1 && - (setfilecon_errno != EPERM || privileged)) { - virReportSystemError(setfilecon_errno, - _("unable to set security context '%s' on '%s'"), - tcon, path); - return -1; - } - VIR_WARN("unable to set security context '%s' on '%s' (errno %d)", - tcon, path, setfilecon_errno); - } else { const char *msg; if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) == 1 && security_get_boolean_active("virt_use_nfs") != 1) { @@ -1290,6 +1277,19 @@ virSecuritySELinuxSetFileconImpl(const char *path, VIR_INFO("Setting security context '%s' on '%s' not supported", tcon, path); } + } else { + /* However, don't claim error if SELinux is in Enforcing mode and + * we are running as unprivileged user and we really did see EPERM. + * Otherwise we want to return error if SELinux is Enforcing. */ + if (security_getenforce() == 1 && + (setfilecon_errno != EPERM || privileged)) { + virReportSystemError(setfilecon_errno, + _("unable to set security context '%s' on '%s'"), + tcon, path); + return -1; + } + VIR_WARN("unable to set security context '%s' on '%s' (errno %d)", + tcon, path, setfilecon_errno); } return 1;