Add restorecon -x to not cross FS boundaries

Message ID CAGeouKHKm+Bzk6=gX_GEJc=faTB8tzwQ7txKVEhdbzK1sf-Z1A@mail.gmail.com (mailing list archive)
State Superseded
Series Add restorecon -x to not cross FS boundaries

Commit Message

Peter Whittaker May 15, 2020, 8:09 p.m. UTC
Folks, the following patch adds a -x option to restorecon to prevent
it from crossing filesystem boundaries, as requested in
https://github.com/SELinuxProject/selinux/issues/208.

As per Stephen Smalley's suggestion, this is accomplished using
r_opts.xdev = SELINUX_RESTORECON_XDEV;

Please do let me know if there are any errors in this, it's been over
two decades since I've lurked in majordomo lists and about as long
since I've contributed a patch via email. (In particular, I am having
issues with sending plaintext, so spaces in the patch are munged; any
pointers on correcting that in the gmail web client would be more than
welcome.)

Thanks,

P

Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP

From: Peter Whittaker <pww@edgekeep.com>

As per #208, add the option -x to prevent restorecon from crossing file
system boundaries, by setting SELINUX_RESTORECON_XDEV iff
iamrestorecon. If setfiles, call usage().

Signed-off-by: Peter Whittaker <pww@edgekeep.com>

From 3a1c4a3e94f18bb240f663fb5fbcff77068e5c4a Mon Sep 17 00:00:00 2001
From: Peter Whittaker <pww@EdgeKeep.com>
Date: Fri, 15 May 2020 13:05:27 -0400
Subject: [PATCH] Add restorecon -x to not cross FS boundaries

As per #208, add the option -x to prevent restorecon from crossing file
system boundaries, by setting SELINUX_RESTORECON_XDEV iff
iamrestorecon. If setfiles, call usage().
---
 policycoreutils/setfiles/setfiles.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

  fprintf(stderr,
@@ -386,6 +386,13 @@ int main(int argc, char **argv)
  case '0':
  null_terminated = 1;
  break;
+ case 'x':
+ if (iamrestorecon) {
+ r_opts.xdev = SELINUX_RESTORECON_XDEV;
+ } else {
+ usage(argv[0]);
+ }
+ break;
  case 'h':
  case '?':
  usage(argv[0]);
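Review bot: the new `case 'x':` is only reachable if the option string handed to getopt() also accepts `x`, and this patch does not change it: the diffstat reports 9 insertions and 2 deletions, which the usage hunk (2 lines replaced) and this hunk (7 lines added) account for entirely. Unless the existing restorecon option string already lists `x`, getopt() will return `'?'` for `-x` and the user gets the usage text instead of `r_opts.xdev = SELINUX_RESTORECON_XDEV;`. Add `x` to the restorecon branch of the option string in the same patch so the option, the usage text and the parser agree.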
--

Comments

Stephen Smalley May 18, 2020, 3:19 p.m. UTC | #1
On Fri, May 15, 2020 at 4:09 PM Peter Whittaker <pww@edgekeep.com> wrote:
>
> Folks, the following patch adds a -x option to restorecon to prevent
> it from crossing filesystem boundaries, as requested in
> https://github.com/SELinuxProject/selinux/issues/208.
>
> As per Stephen Smalley's suggestion, this is accomplished using
> r_opts.xdev = SELINUX_RESTORECON_XDEV;
>
> Please do let me know if there are any errors in this, it's been over
> two decades since I've lurked in majordomo lists and about as long
> since I've contributed a patch via email. (In particular, I am having
> issues with sending plaintext, so spaces in the patch are munged; any
> pointers on correcting that in the gmail web client would be more than
> welcome.)

Send your patch via git send-email instead.  You can have it send via
gmail's smtp server as per the documentation
(https://git-scm.com/docs/git-send-email).  Alternatively use a mail
client that is known to work,
https://www.kernel.org/doc/html/latest/process/email-clients.html.
Peter Whittaker May 18, 2020, 6:58 p.m. UTC | #2
Thanks, Stephen, I will give that a shot. Don't use an email client
generally; good to have the instructions.

P

Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP

On Mon, May 18, 2020 at 11:20 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, May 15, 2020 at 4:09 PM Peter Whittaker <pww@edgekeep.com> wrote:
> >
> > Folks, the following patch adds a -x option to restorecon to prevent
> > it from crossing filesystem boundaries, as requested in
> > https://github.com/SELinuxProject/selinux/issues/208.
> >
> > As per Stephen Smalley's suggestion, this is accomplished using
> > r_opts.xdev = SELINUX_RESTORECON_XDEV;
> >
> > Please do let me know if there are any errors in this, it's been over
> > two decades since I've lurked in majordomo lists and about as long
> > since I've contributed a patch via email. (In particular, I am having
> > issues with sending plaintext, so spaces in the patch are munged; any
> > pointers on correcting that in the gmail web client would be more than
> > welcome.)
>
> Send your patch via git send-email instead.  You can have it send via
> gmail's smtp server as per the documentation
> (https://git-scm.com/docs/git-send-email).  Alternatively use a mail
> client that is known to work,
> https://www.kernel.org/doc/html/latest/process/email-clients.html.
Ondrej Mosnacek May 19, 2020, 8:10 a.m. UTC | #3
On Fri, May 15, 2020 at 10:08 PM Peter Whittaker <pww@edgekeep.com> wrote:
> Folks, the following patch adds a -x option to restorecon to prevent
> it from crossing filesystem boundaries, as requested in
> https://github.com/SELinuxProject/selinux/issues/208.
>
> As per Stephen Smalley's suggestion, this is accomplished using
> r_opts.xdev = SELINUX_RESTORECON_XDEV;
>
> Please do let me know if there are any errors in this, it's been over
> two decades since I've lurked in majordomo lists and about as long
> since I've contributed a patch via email. (In particular, I am having
> issues with sending plaintext, so spaces in the patch are munged; any
> pointers on correcting that in the gmail web client would be more than
> welcome.)
>
> Thanks,
>
> P
>
> Peter Whittaker
> EdgeKeep Inc.
> www.edgekeep.com
> +1 613 864 5337
> +1 613 864 KEEP
>
> From: Peter Whittaker <pww@edgekeep.com>
>
> As per #208, add the option -x to prevent restorecon from crossing file
> system boundaries, by setting SELINUX_RESTORECON_XDEV iff
> iamrestorecon. If setfiles, call usage().
>
> Signed-off-by: Peter Whittaker <pww@edgekeep.com>
>
> From 3a1c4a3e94f18bb240f663fb5fbcff77068e5c4a Mon Sep 17 00:00:00 2001
> From: Peter Whittaker <pww@EdgeKeep.com>
> Date: Fri, 15 May 2020 13:05:27 -0400
> Subject: [PATCH] Add restorecon -x to not cross FS boundaries
>
> As per #208, add the option -x to prevent restorecon from crossing file
> system boundaries, by setting SELINUX_RESTORECON_XDEV iff
> iamrestorecon. If setfiles, call usage().

Since you are adding a new option, please also update the man page
(policycoreutils/setfiles/restorecon.8).

> ---
>  policycoreutils/setfiles/setfiles.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/policycoreutils/setfiles/setfiles.c
> b/policycoreutils/setfiles/setfiles.c
> index 16bd592ca..2d0224bb6 100644
> --- a/policycoreutils/setfiles/setfiles.c
> +++ b/policycoreutils/setfiles/setfiles.c
> @@ -43,8 +43,8 @@ static __attribute__((__noreturn__)) void
> usage(const char *const name)
>  {
>   if (iamrestorecon) {
>   fprintf(stderr,
> - "usage:  %s [-iIDFmnprRv0] [-e excludedir] pathname...\n"
> - "usage:  %s [-iIDFmnprRv0] [-e excludedir] -f filename\n",
> + "usage:  %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n"
> + "usage:  %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n",
>   name, name);
>   } else {
>   fprintf(stderr,
> @@ -386,6 +386,13 @@ int main(int argc, char **argv)
>   case '0':
>   null_terminated = 1;
>   break;
> + case 'x':
> + if (iamrestorecon) {
> + r_opts.xdev = SELINUX_RESTORECON_XDEV;
> + } else {
> + usage(argv[0]);
> + }
> + break;
>   case 'h':
>   case '?':
>   usage(argv[0]);
> --
>
Peter Whittaker May 19, 2020, 3:01 p.m. UTC | #4
I've got those changes standing by - I'll do a full clone, apply the
changes I made online to my tree, and submit the pair using git
send-email. It'll be later this week, long weekend over, work getting
in the way again....

P

Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP

On Tue, May 19, 2020 at 4:11 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Fri, May 15, 2020 at 10:08 PM Peter Whittaker <pww@edgekeep.com> wrote:
> > Folks, the following patch adds a -x option to restorecon to prevent
> > it from crossing filesystem boundaries, as requested in
> > https://github.com/SELinuxProject/selinux/issues/208.
> >
> > As per Stephen Smalley's suggestion, this is accomplished using
> > r_opts.xdev = SELINUX_RESTORECON_XDEV;
> >
> > Please do let me know if there are any errors in this, it's been over
> > two decades since I've lurked in majordomo lists and about as long
> > since I've contributed a patch via email. (In particular, I am having
> > issues with sending plaintext, so spaces in the patch are munged; any
> > pointers on correcting that in the gmail web client would be more than
> > welcome.)
> >
> > Thanks,
> >
> > P
> >
> > Peter Whittaker
> > EdgeKeep Inc.
> > www.edgekeep.com
> > +1 613 864 5337
> > +1 613 864 KEEP
> >
> > From: Peter Whittaker <pww@edgekeep.com>
> >
> > As per #208, add the option -x to prevent restorecon from crossing file
> > system boundaries, by setting SELINUX_RESTORECON_XDEV iff
> > iamrestorecon. If setfiles, call usage().
> >
> > Signed-off-by: Peter Whittaker <pww@edgekeep.com>
> >
> > From 3a1c4a3e94f18bb240f663fb5fbcff77068e5c4a Mon Sep 17 00:00:00 2001
> > From: Peter Whittaker <pww@EdgeKeep.com>
> > Date: Fri, 15 May 2020 13:05:27 -0400
> > Subject: [PATCH] Add restorecon -x to not cross FS boundaries
> >
> > As per #208, add the option -x to prevent restorecon from crossing file
> > system boundaries, by setting SELINUX_RESTORECON_XDEV iff
> > iamrestorecon. If setfiles, call usage().
>
> Since you are adding a new option, please also update the man page
> (policycoreutils/setfiles/restorecon.8).
>
> > ---
> >  policycoreutils/setfiles/setfiles.c | 11 +++++++++--
> >  1 file changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/policycoreutils/setfiles/setfiles.c
> > b/policycoreutils/setfiles/setfiles.c
> > index 16bd592ca..2d0224bb6 100644
> > --- a/policycoreutils/setfiles/setfiles.c
> > +++ b/policycoreutils/setfiles/setfiles.c
> > @@ -43,8 +43,8 @@ static __attribute__((__noreturn__)) void
> > usage(const char *const name)
> >  {
> >   if (iamrestorecon) {
> >   fprintf(stderr,
> > - "usage:  %s [-iIDFmnprRv0] [-e excludedir] pathname...\n"
> > - "usage:  %s [-iIDFmnprRv0] [-e excludedir] -f filename\n",
> > + "usage:  %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n"
> > + "usage:  %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n",
> >   name, name);
> >   } else {
> >   fprintf(stderr,
> > @@ -386,6 +386,13 @@ int main(int argc, char **argv)
> >   case '0':
> >   null_terminated = 1;
> >   break;
> > + case 'x':
> > + if (iamrestorecon) {
> > + r_opts.xdev = SELINUX_RESTORECON_XDEV;
> > + } else {
> > + usage(argv[0]);
> > + }
> > + break;
> >   case 'h':
> >   case '?':
> >   usage(argv[0]);
> > --
> >
>
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.
>

Patch

diff --git a/policycoreutils/setfiles/setfiles.c
b/policycoreutils/setfiles/setfiles.c
index 16bd592ca..2d0224bb6 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -43,8 +43,8 @@  static __attribute__((__noreturn__)) void
usage(const char *const name)
 {
  if (iamrestorecon) {
  fprintf(stderr,
- "usage:  %s [-iIDFmnprRv0] [-e excludedir] pathname...\n"
- "usage:  %s [-iIDFmnprRv0] [-e excludedir] -f filename\n",
+ "usage:  %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n"
+ "usage:  %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n",
  name, name);
  } else {
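Review bot: the usage text now advertises `-x` for restorecon, but the man page is not updated in this patch (the diffstat lists only setfiles.c), so the only description of the option a user will find is the letter in the usage string. Add a matching entry to policycoreutils/setfiles/restorecon.8, as already requested in the thread, stating that `-x` stops restorecon from crossing file system boundaries. Leaving the setfiles usage strings in the `else` branch untouched is consistent with the parser calling usage() for `-x` when !iamrestorecon.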