| Message ID | 20200526170217.32966-1-pww@edgekeep.com |
|---|---|
| State | Changes Requested |
| Series | Add restorecon -x opt to not cross FS boundaries (cf github #208) |
On Tue, May 26, 2020 at 1:04 PM Peter Whittaker <pww@edgekeep.com> wrote: > > Folks, this patch adds and documents a "-x" option for restorecon > to prevent it from crossing file system boundaries, as requested > in github issue #208. > > P > > Signed-off-by: Peter Whittaker <pww@edgekeep.com> You didn't update the actual ropts string so restorecon -x fails even after this patch. Did you test your change? In your patch description, you can put the following line before your Signed-off-by and drop the separate references to github issue #208 in the subject line and body: Fixes: https://github.com/SELinuxProject/selinux/issues/208 > --- > policycoreutils/setfiles/restorecon.8 | 7 +++++++ > policycoreutils/setfiles/setfiles.c | 11 +++++++++-- > 2 files changed, 16 insertions(+), 2 deletions(-) > > diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 > index bbfc83fe..0d1930de 100644 > --- a/policycoreutils/setfiles/restorecon.8 > +++ b/policycoreutils/setfiles/restorecon.8 > @@ -13,6 +13,7 @@ restorecon \- restore file(s) default SELinux security contexts. > .RB [ \-F ] > .RB [ \-W ] > .RB [ \-I | \-D ] > +.RB [ \-x ] > .RB [ \-e > .IR directory ] > .IR pathname \ ... > @@ -31,6 +32,7 @@ restorecon \- restore file(s) default SELinux security contexts. > .RB [ \-F ] > .RB [ \-W ] > .RB [ \-I | \-D ] > +.RB [ \-x ] > > .SH "DESCRIPTION" > This manual page describes the > @@ -153,6 +155,11 @@ option of GNU > .B find > produces input suitable for this mode. > .TP > +.B \-x > +prevent > +.B restorecon > +from crossing file system boundaries. > +.TP > .SH "ARGUMENTS" > .IR pathname \ ... > The pathname for the file(s) to be relabeled. > diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c > index 16bd592c..afd579e3 100644 > --- a/policycoreutils/setfiles/setfiles.c > +++ b/policycoreutils/setfiles/setfiles.c 
> @@ -43,8 +43,8 @@ static __attribute__((__noreturn__)) void usage(const char *const name) > { > if (iamrestorecon) { > fprintf(stderr, > - "usage: %s [-iIDFmnprRv0] [-e excludedir] pathname...\n" > - "usage: %s [-iIDFmnprRv0] [-e excludedir] -f filename\n", > + "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n" > + "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n", > name, name); > } else { > fprintf(stderr, > @@ -386,6 +386,13 @@ int main(int argc, char **argv) > case '0': > null_terminated = 1; > break; > + case 'x': > + if (iamrestorecon) { > + r_opts.xdev = SELINUX_RESTORECON_XDEV; > + } else { > + usage(argv[0]); > + } > + break; > case 'h': > case '?': > usage(argv[0]); > -- > 2.20.1 >
My test infrastructure has been, uh, limited, so far (working with some, uh, restrictions). I'll take the time to build a complete test system, reapply, test, then resubmit. Thanks for the advice on including the URL, much cleaner. Thanks, P Peter Whittaker EdgeKeep Inc. www.edgekeep.com +1 613 864 5337 +1 613 864 KEEP On Fri, May 29, 2020 at 10:22 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > On Tue, May 26, 2020 at 1:04 PM Peter Whittaker <pww@edgekeep.com> wrote: > > > > Folks, this patch adds and documents a "-x" option for restorecon > > to prevent it from crossing file system boundaries, as requested > > in github issue #208. > > > > P > > > > Signed-off-by: Peter Whittaker <pww@edgekeep.com> > > You didn't update the actual ropts string so restorecon -x fails even > after this patch. > Did you test your change? > In your patch description, you can put the following line before your > Signed-off-by > and drop the separate references to github issue #208 in the subject > line and body: > Fixes: https://github.com/SELinuxProject/selinux/issues/208 > > > --- > > policycoreutils/setfiles/restorecon.8 | 7 +++++++ > > policycoreutils/setfiles/setfiles.c | 11 +++++++++-- > > 2 files changed, 16 insertions(+), 2 deletions(-) > > > > diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 > > index bbfc83fe..0d1930de 100644 > > --- a/policycoreutils/setfiles/restorecon.8 > > +++ b/policycoreutils/setfiles/restorecon.8 > > @@ -13,6 +13,7 @@ restorecon \- restore file(s) default SELinux security contexts. > > .RB [ \-F ] > > .RB [ \-W ] > > .RB [ \-I | \-D ] > > +.RB [ \-x ] > > .RB [ \-e > > .IR directory ] > > .IR pathname \ ... > > @@ -31,6 +32,7 @@ restorecon \- restore file(s) default SELinux security contexts. > > .RB [ \-F ] > > .RB [ \-W ] > > .RB [ \-I | \-D ] > > +.RB [ \-x ] > > > > .SH "DESCRIPTION" > > This manual page describes the 
> > @@ -153,6 +155,11 @@ option of GNU > > .B find > > produces input suitable for this mode. > > .TP > > +.B \-x > > +prevent > > +.B restorecon > > +from crossing file system boundaries. > > +.TP > > .SH "ARGUMENTS" > > .IR pathname \ ... > > The pathname for the file(s) to be relabeled. > > diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c > > index 16bd592c..afd579e3 100644 > > --- a/policycoreutils/setfiles/setfiles.c > > +++ b/policycoreutils/setfiles/setfiles.c > > @@ -43,8 +43,8 @@ static __attribute__((__noreturn__)) void usage(const char *const name) > > { > > if (iamrestorecon) { > > fprintf(stderr, > > - "usage: %s [-iIDFmnprRv0] [-e excludedir] pathname...\n" > > - "usage: %s [-iIDFmnprRv0] [-e excludedir] -f filename\n", > > + "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n" > > + "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n", > > name, name); > > } else { > > fprintf(stderr, > > @@ -386,6 +386,13 @@ int main(int argc, char **argv) > > case '0': > > null_terminated = 1; > > break; > > + case 'x': > > + if (iamrestorecon) { > > + r_opts.xdev = SELINUX_RESTORECON_XDEV; > > + } else { > > + usage(argv[0]); > > + } > > + break; > > case 'h': > > case '?': > > usage(argv[0]); > > -- > > 2.20.1 > >
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 index bbfc83fe..0d1930de 100644 --- a/policycoreutils/setfiles/restorecon.8 +++ b/policycoreutils/setfiles/restorecon.8 @@ -13,6 +13,7 @@ restorecon \- restore file(s) default SELinux security contexts. .RB [ \-F ] .RB [ \-W ] .RB [ \-I | \-D ] +.RB [ \-x ] .RB [ \-e .IR directory ] .IR pathname \ ... @@ -31,6 +32,7 @@ restorecon \- restore file(s) default SELinux security contexts. .RB [ \-F ] .RB [ \-W ] .RB [ \-I | \-D ] +.RB [ \-x ] .SH "DESCRIPTION" This manual page describes the @@ -153,6 +155,11 @@ option of GNU .B find produces input suitable for this mode. .TP +.B \-x +prevent +.B restorecon +from crossing file system boundaries. +.TP .SH "ARGUMENTS" .IR pathname \ ... The pathname for the file(s) to be relabeled. diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c index 16bd592c..afd579e3 100644 --- a/policycoreutils/setfiles/setfiles.c +++ b/policycoreutils/setfiles/setfiles.c @@ -43,8 +43,8 @@ static __attribute__((__noreturn__)) void usage(const char *const name) { if (iamrestorecon) { fprintf(stderr, - "usage: %s [-iIDFmnprRv0] [-e excludedir] pathname...\n" - "usage: %s [-iIDFmnprRv0] [-e excludedir] -f filename\n", + "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n" + "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n", name, name); } else { fprintf(stderr, @@ -386,6 +386,13 @@ int main(int argc, char **argv) case '0': null_terminated = 1; break; + case 'x': + if (iamrestorecon) { + r_opts.xdev = SELINUX_RESTORECON_XDEV; + } else { + usage(argv[0]); + } + break; case 'h': case '?': usage(argv[0]);
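Review bot: the `case 'x':` added in the second setfiles.c hunk (`@@ -386,6 +386,13 @@ int main`) is unreachable as posted, because nothing in this patch adds `x` to the getopt option string that restorecon hands to getopt; getopt returns `?` for an option letter it does not know, so `-x` falls into the existing `case '?': usage(argv[0]);` branch, which is exactly the failure Stephen reports. Add `x` to the restorecon option string (the `ropts` string named in the review) in the same change that adds the case, and keep it next to the `usage()` text updated in the first setfiles.c hunk, since the two already disagree here and will drift again if they are edited separately. Running `restorecon -x` on any path and confirming it does not print the usage message is the one-line check that would have caught this before posting.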
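Review bot: in the third restorecon.8 hunk (`@@ -153,6 +155,11 @@`), the added `+.TP` sits directly before `.SH "ARGUMENTS"`, so it opens a tagged paragraph that never gets a tag line; it only reproduces the dangling `.TP` that already preceded `.SH` and can be dropped so the new entry ends with `from crossing file system boundaries.` immediately followed by `.SH "ARGUMENTS"`. The description itself would help an administrator more if it said what the option actually does, namely that directories on a different file system from the pathname where the descent began are not descended into, which is the meaning the `xdev` flag set in setfiles.c and the `-xdev`-style option name both point to; it is also worth a sentence that `-x` applies to restorecon only, since the setfiles usage text is deliberately left unchanged.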
Folks, this patch adds and documents a "-x" option for restorecon to prevent it from crossing file system boundaries, as requested in github issue #208. P Signed-off-by: Peter Whittaker <pww@edgekeep.com> --- policycoreutils/setfiles/restorecon.8 | 7 +++++++ policycoreutils/setfiles/setfiles.c | 11 +++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-)