From: Laine Stump Date: Thu, 1 Apr 2010 15:58:34 +0000 (-0400) Subject: Allow domain disk images on root-squash NFS to coexist with security driver. X-Git-Tag: v0.8.0~117 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8a7b4be5aba1ccc6b5d5d41ea30c4ab87bccfc2d;p=thirdparty%2Flibvirt.git Allow domain disk images on root-squash NFS to coexist with security driver. (suggested by Daniel Berrange, tested by Dan Kenigsberg) virStorageFileGetMetadata will fail for disk images that are stored on a root-squash NFS share that isn't world-readable. SELinuxSetSecurityImageLabel is called during the startup of every domain (as long as security_driver != "none"), and it will propagate the error from virStorageFileGetMetadata, causing the domain startup to fail. This is, however, a common scenario when qemu is run as a non-root user and the disk image is stored on NFS. Ignoring this failure (which doesn't matter in this case, since the next thing done by SELinuxSetSecurityImageLabel - setting the file context - will also fail (and that function already ignores failures due to root-squash NFS)) will allow us to continue bringing up the domain. The result is that we don't need to disable the entire security driver just because a domain's disk image is stored on root-squashed NFS. --- diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 6680e2d238..3e204754da 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -430,7 +430,7 @@ SELinuxSetSecurityImageLabel(virDomainObjPtr vm, path = NULL; if (ret < 0) - return -1; + break;  if (meta.backingStore != NULL && SELinuxSetFilecon(meta.backingStore,
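Review bot: the new `break;` under `if (ret < 0)` in SELinuxSetSecurityImageLabel ignores every failure of the metadata read, not only the permission failure on root-squash NFS that the commit message describes. An unreadable or corrupt image on local storage now also leaves the loop silently, and any backing stores further down the chain are never passed to SELinuxSetFilecon, so they keep whatever label they had. Consider ignoring the error only when it is the expected access failure and keeping `return -1;` otherwise, or at minimum logging a warning before the break so an unlabeled backing chain is visible in the logs. A short comment above the `if` explaining why the failure is tolerated would help, since the reasoning lives only in the commit message. Also worth confirming that the code after the loop does not return the negative `ret` left over at the point of the break, otherwise domain startup would still fail.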