selinux: Detect virt_use_nfs boolean set

If we fail setting label on a file and this file is on NFS share, it is wise to advise user to set virt_use_nfs selinux boolean variable.

selinux: Detect virt_use_nfs boolean set
If we fail setting label on a file and this file is on NFS share, it is wise to advise user to set virt_use_nfs selinux boolean variable.
c9b37fee · Michal Privoznik · b14e7d2a · c9b37fee
显示空白变更内容
内联并排

Showing with 10 addition and 1 deletion

src/security/security_selinux.c src/security/security_selinux.c +10 -1

未找到文件。
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -420,8 +420,17 @@ SELinuxSetFilecon(const char *path, char *tcon)
         * virt_use_{nfs,usb,pci}  boolean tunables to allow it...
         */
        if (setfilecon_errno != EOPNOTSUPP) {
+            const char *errmsg;
+            if ((virStorageFileIsSharedFSType(path,
+                                             VIR_STORAGE_FILE_SHFS_NFS) == 1) &&
+                security_get_boolean_active("virt_use_nfs") != 1) {
+                errmsg = _("unable to set security context '%s' on '%s'. "
+                           "Consider setting virt_use_nfs");
+            } else {
+                errmsg = _("unable to set security context '%s' on '%s'");
+            }
            virReportSystemError(setfilecon_errno,
-                                 _("unable to set security context '%s' on '%s'"),
+                                 errmsg,
                                 tcon, path);
            if (security_getenforce() == 1)
                return -1;