ignore SELinuxSetFilecon error in SELinuxSetSecurityFileLabel if on nfs

If virDomainAttachDevice() was called with an image that was located on a root-squashed NFS server, and in a directory that was unreadable by root on the machine running libvirtd, the attach would fail due to an attempt to change the selinux label of the image with EACCES (which isn't covered as an ignore case in SELinuxSetFilecon()) NFS doesn't support SELinux labelling anyway, so we mimic the failure handling of commit 93a18bba, which just ignores the errors if the target is on an NFS filesystem (in SELinuxSetSecurityAllLabel() only, though.) This can be seen as a follow-on to commit 347d266c, which ignores file open failures of files on NFS that occur directly in virDomainDiskDefForeachPath() (also necessary), but does not ignore failures in functions that are called from there (eg SELinuxSetSecurityFileLabel()).

ignore SELinuxSetFilecon error in SELinuxSetSecurityFileLabel if on nfs
If virDomainAttachDevice() was called with an image that was located on a root-squashed NFS server, and in a directory that was unreadable by root on the machine running libvirtd, the attach would fail due to an attempt to change the selinux label of the image with EACCES (which isn't covered as an ignore case in SELinuxSetFilecon()) NFS doesn't support SELinux labelling anyway, so we mimic the failure handling of commit 93a18bba, which just ignores the errors if the target is on an NFS filesystem (in SELinuxSetSecurityAllLabel() only, though.) This can be seen as a follow-on to commit 347d266c, which ignores file open failures of files on NFS that occur directly in virDomainDiskDefForeachPath() (also necessary), but does not ignore failures in functions that are called from there (eg SELinuxSetSecurityFileLabel()).
5b04f42c · Laine Stump · a9261567 · 5b04f42c
隐藏空白更改
内联并排

Showing with 11 addition and 5 deletion

src/security/security_selinux.c src/security/security_selinux.c +11 -5

未找到文件。
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -453,20 +453,26 @@ SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
                            void *opaque)
 {
    const virSecurityLabelDefPtr secdef = opaque;
+    int ret;
    if (depth == 0) {
        if (disk->shared) {
-            return SELinuxSetFilecon(path, default_image_context);
+            ret = SELinuxSetFilecon(path, default_image_context);
        } else if (disk->readonly) {
-            return SELinuxSetFilecon(path, default_content_context);
+            ret = SELinuxSetFilecon(path, default_content_context);
        } else if (secdef->imagelabel) {
-            return SELinuxSetFilecon(path, secdef->imagelabel);
+            ret = SELinuxSetFilecon(path, secdef->imagelabel);
        } else {
-            return 0;
+            ret = 0;
        }
    } else {
-        return SELinuxSetFilecon(path, default_content_context);
+        ret = SELinuxSetFilecon(path, default_content_context);
    }
+    if (ret < 0 &&
+        virStorageFileIsSharedFSType(path,
+                                     VIR_STORAGE_FILE_SHFS_NFS) == 1)
+       ret = 0;
+    return ret;
 }
 static int