selinux: Do not report an error when not returning -1
authorMartin Kletzander <mkletzan@redhat.com>
Thu, 29 Aug 2019 15:32:03 +0000 (17:32 +0200)
committerMartin Kletzander <mkletzan@redhat.com>
Sat, 31 Aug 2019 06:48:51 +0000 (08:48 +0200)
I guess the reason for that was the automatic interpretation/stringification of
setfilecon_errno, but the code was not nice to read and it was a bit confusing.
Also, the logs and error states get cleaner this way.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
src/security/security_selinux.c

index 39d616ba441d82d228b7758aad546875ae5befee..af7f62dfd94a4854c689aaf9cb5325fc40c8c0c1 100644 (file)
@@ -1301,14 +1301,18 @@ virSecuritySELinuxSetFileconImpl(const char *path,
         if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP &&
             setfilecon_errno != EROFS) {
         VIR_WARNINGS_RESET
-            virReportSystemError(setfilecon_errno,
-                                 _("unable to set security context '%s' on '%s'"),
-                                 tcon, path);
             /* However, don't claim error if SELinux is in Enforcing mode and
              * we are running as unprivileged user and we really did see EPERM.
              * Otherwise we want to return error if SELinux is Enforcing. */
-            if (security_getenforce() == 1 && (setfilecon_errno != EPERM || privileged))
+            if (security_getenforce() == 1 &&
+                (setfilecon_errno != EPERM || privileged)) {
+                virReportSystemError(setfilecon_errno,
+                                     _("unable to set security context '%s' on '%s'"),
+                                     tcon, path);
                 return -1;
+            }
+            VIR_WARN("unable to set security context '%s' on '%s' (errno %d)",
+                     tcon, path, setfilecon_errno);
         } else {
             const char *msg;
             if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) == 1 &&
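Review bot: The rewritten condition `security_getenforce() == 1` also sends a failed query (libselinux returns -1 there) down the new warning path, so a relabel failure whose enforcing state could not be determined now leaves only a VIR_WARN and no libvirt error. If that is intended, the comment above the condition should say so; otherwise a negative return could be treated like enforcing, e.g. `if (security_getenforce() != 0 && (setfilecon_errno != EPERM || privileged)) {`. The new warning also prints only the numeric errno, which makes a denied relabel harder to triage from logs than the old stringified message; a local `char ebuf[1024];` with `virStrerror(setfilecon_errno, ebuf, sizeof(ebuf))` passed to a `%s` would keep the text. The function starts and ends outside this hunk, so what it returns after the warning is not visible here.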