libvirt/SOURCES/libvirt-selinux-Do-not-report-an-error-when-not-returning-1.patch

From 36d6dd80a2b3840e471add391e8b71556904fa60 Mon Sep 17 00:00:00 2001
Message-Id: <36d6dd80a2b3840e471add391e8b71556904fa60@dist-git>
From: Martin Kletzander <mkletzan@redhat.com>
Date: Mon, 20 Jan 2020 12:55:56 +0100
Subject: [PATCH] selinux: Do not report an error when not returning -1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I guess the reason for that was the automatic interpretation/stringification of
setfilecon_errno, but the code was not nice to read and it was a bit confusing.
Also, the logs and error states get cleaner this way.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 86289374ef85f673677881ef863ae6b6ce7e88a2)

https://bugzilla.redhat.com/show_bug.cgi?id=1788096

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Message-Id: <20200120115556.138061-2-fidencio@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/security/security_selinux.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 96944d0202..0238f31e84 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1177,14 +1177,18 @@ virSecuritySELinuxSetFileconHelper(const char *path, const char *tcon,
         if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP &&
             setfilecon_errno != EROFS) {
         VIR_WARNINGS_RESET
-            virReportSystemError(setfilecon_errno,
-                                 _("unable to set security context '%s' on '%s'"),
-                                 tcon, path);
             /* However, don't claim error if SELinux is in Enforcing mode and
              * we are running as unprivileged user and we really did see EPERM.
              * Otherwise we want to return error if SELinux is Enforcing. */
-            if (security_getenforce() == 1 && (setfilecon_errno != EPERM || privileged))
+            if (security_getenforce() == 1 &&
+                (setfilecon_errno != EPERM || privileged)) {
+                virReportSystemError(setfilecon_errno,
+                                     _("unable to set security context '%s' on '%s'"),
+                                     tcon, path);
                 return -1;
+            }
+            VIR_WARN("unable to set security context '%s' on '%s' (errno %d)",
+                     tcon, path, setfilecon_errno);
         } else {
             const char *msg;
             if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) == 1 &&
-- 
2.25.0
import libvirt-4.5.0-42.module+el8.2.0+6024+15a2423f 2020-04-28 09:33:33 +00:00			`From 36d6dd80a2b3840e471add391e8b71556904fa60 Mon Sep 17 00:00:00 2001`
			`Message-Id: <36d6dd80a2b3840e471add391e8b71556904fa60@dist-git>`
			`From: Martin Kletzander <mkletzan@redhat.com>`
			`Date: Mon, 20 Jan 2020 12:55:56 +0100`
			`Subject: [PATCH] selinux: Do not report an error when not returning -1`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`I guess the reason for that was the automatic interpretation/stringification of`
			`setfilecon_errno, but the code was not nice to read and it was a bit confusing.`
			`Also, the logs and error states get cleaner this way.`

			`Signed-off-by: Martin Kletzander <mkletzan@redhat.com>`
			`(cherry picked from commit 86289374ef85f673677881ef863ae6b6ce7e88a2)`

			`https://bugzilla.redhat.com/show_bug.cgi?id=1788096`

			`Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>`
			`Message-Id: <20200120115556.138061-2-fidencio@redhat.com>`
			`Reviewed-by: Jiri Denemark <jdenemar@redhat.com>`
			`---`
			`src/security/security_selinux.c \| 12 ++++++++----`
			`1 file changed, 8 insertions(+), 4 deletions(-)`

			`diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c`
			`index 96944d0202..0238f31e84 100644`
			`--- a/src/security/security_selinux.c`
			`+++ b/src/security/security_selinux.c`
			`@@ -1177,14 +1177,18 @@ virSecuritySELinuxSetFileconHelper(const char path, const char tcon,`
			`if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP &&`
			`setfilecon_errno != EROFS) {`
			`VIR_WARNINGS_RESET`
			`- virReportSystemError(setfilecon_errno,`
			`- _("unable to set security context '%s' on '%s'"),`
			`- tcon, path);`
			`/* However, don't claim error if SELinux is in Enforcing mode and`
			`* we are running as unprivileged user and we really did see EPERM.`
			`* Otherwise we want to return error if SELinux is Enforcing. */`
			`- if (security_getenforce() == 1 && (setfilecon_errno != EPERM \|\| privileged))`
			`+ if (security_getenforce() == 1 &&`
			`+ (setfilecon_errno != EPERM \|\| privileged)) {`
			`+ virReportSystemError(setfilecon_errno,`
			`+ _("unable to set security context '%s' on '%s'"),`
			`+ tcon, path);`
			`return -1;`
			`+ }`
			`+ VIR_WARN("unable to set security context '%s' on '%s' (errno %d)",`
			`+ tcon, path, setfilecon_errno);`
			`} else {`
			`const char *msg;`
			`if (virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS) == 1 &&`
			`--`
			`2.25.0`