From 8fe953805a535097cf3b819b3b68fbfb166efed4 Mon Sep 17 00:00:00 2001
From: Michal Privoznik
Date: Thu, 22 Aug 2019 16:34:02 +0200
Subject: [PATCH] security_selinux: Play nicely with network FS that only emulates SELinux

There are some network file systems that do support XATTRs (e.g. gluster via FUSE). And they appear to support SELinux too. However, not really. Problem is, that it is impossible to change SELinux label of a file stored there, and yet we claim success (rightfully - hypervisor succeeds in opening the file). But this creates a problem for us - from XATTR bookkeeping POV, we haven't changed the label and thus if we remembered any label, we must roll back and remove it.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506
Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
---
 src/security/security_selinux.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 1df04d7358..39d616ba44 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1384,12 +1384,18 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
         }
     }
 
-    if (virSecuritySELinuxSetFileconImpl(path, tcon, privileged) < 0)
+    rc = virSecuritySELinuxSetFileconImpl(path, tcon, privileged);
+    if (rc < 0)
         goto cleanup;
 
+    /* Do not try restoring the label if it was not changed
+     * (setting it failed in a non-critical fashion) */
+    if (rc == 0)
+        rollback = false;
+
     ret = 0;
  cleanup:
-    if (ret < 0 && rollback) {
+    if (rollback) {
         virErrorPtr origerr;
 
         virErrorPreserveLast(&origerr);
-- 
2.39.5
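Review bot: The `if (rc == 0) rollback = false;` guard and its comment read as the opposite of the commit description: the comment says rc == 0 means the label was not changed and the rollback is therefore skipped, while the description says the remembered label must be rolled back precisely when the label was not changed. Whether this is right depends on the return convention of virSecuritySELinuxSetFileconImpl, which is not visible in the hunk, and since the cleanup condition is now plain `if (rollback)` instead of `ret < 0 && rollback`, that convention alone decides whether the rollback block runs on the ret == 0 path. Please confirm against the helper, and reword the comment to name each of its return values (error, label changed, harmless failure leaving it unchanged) and state for each whether `rollback` stays set and what the cleanup block then does with the remembered XATTR, so a reader can reconcile the code with the description without opening the helper. Where `rollback` is first set, the rest of the cleanup block, and both ends of virSecuritySELinuxSetFilecon lie outside the hunk.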