[PATCH] libselinux: selinux_restorecon: only log no default label warning for caller-supplied pathname

[PATCH] libselinux: selinux_restorecon: only log no default label warning for caller-supplied pathname

[Stephen Smalley]

$ touch /tmp/foo
$ chcon -t etc_t /tmp/foo
$ restorecon /tmp/foo
Warning no default label for /tmp/foo
$ restorecon -R /tmp/foo
Warning no default label for /tmp/foo
$ restorecon -R /tmp

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 libselinux/src/selinux_restorecon.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index f5fa8f5..7020669 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -90,6 +90,7 @@ struct rest_flags {
 	bool syslog_changes;
 	bool log_matches;
 	bool ignore_noent;
+	bool warnonnomatch;
 };
 
 static void restorecon_init(void)
@@ -613,7 +614,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
 						    sb->st_mode);
 
 	if (rc < 0) {
-		if (errno == ENOENT && flags->verbose && !flags->recurse)
+		if (errno == ENOENT && flags->warnonnomatch)
 			selinux_log(SELINUX_INFO,
 				    "Warning no default label for %s\n",
 				    lookup_path);
@@ -761,6 +762,7 @@ int selinux_restorecon(const char *pathname_orig,
 		   SELINUX_RESTORECON_LOG_MATCHES) ? true : false;
 	flags.ignore_noent = (restorecon_flags &
 		   SELINUX_RESTORECON_IGNORE_NOENTRY) ? true : false;
+	flags.warnonnomatch = true;
 	ignore_mounts = (restorecon_flags &
 		   SELINUX_RESTORECON_IGNORE_MOUNTS) ? true : false;
 
@@ -983,7 +985,8 @@ int selinux_restorecon(const char *pathname_orig,
 		default:
 			error |= restorecon_sb(ftsent->fts_path,
 					       ftsent->fts_statp, &flags);
-
+			if (flags.warnonnomatch)
+				flags.warnonnomatch = false;
 			if (error && flags.abort_on_error)
 				goto out;
 			break;
-- 
2.7.4

Re: [PATCH] libselinux: selinux_restorecon: only log no default label warning for caller-supplied pathname

[Alan Jenkins]

On 13/01/2017, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> $ touch /tmp/foo
> $ chcon -t etc_t /tmp/foo
> $ restorecon /tmp/foo
> Warning no default label for /tmp/foo
> $ restorecon -R /tmp/foo
> Warning no default label for /tmp/foo
> $ restorecon -R /tmp

Thanks again!

restorecon works as advertised.  I notice there are some other
spurious messages from fixfiles on master, which I didn't see before.
I suspect in passing, you in particular might know where they came
from :-P.  Extract from `fixfiles check`:

filespec hash table stats: 89 elements, 89/65536 buckets used, longest
chain length 1
/dev/tty3 not reset as customized by admin to
unconfined_u:object_r:user_tty_device_t:s0
/dev/tty2 not reset as customized by admin to
unconfined_u:object_r:user_tty_device_t:s0
filespec hash table stats: 558 elements, 558/65536 buckets used,
longest chain length 1

Messages about /dev/tty* are informative; statistics about hash tables are not.

Testing method:

* install selinux to ~/obj, according to README
* backup /sbin/restorecon and /sbin/setfiles
* overwrite them
* run LD_LIBRARY_PATH=~/obj/lib fixfiles check

(I believe fixfiles is running "/sbin/restorecon" or "/sbin/setfiles",
regardless of the install location or current PATH).

(I had some great undefined behaviour, before I realized I needed to
set LD_LIBRARY_PATH.  I've been spoilt by other projects, providing
scripts that magically set LD_LIBRARY_PATH when you try to run
something like restorecon from the build directory).

Re: [PATCH] libselinux: selinux_restorecon: only log no default label warning for caller-supplied pathname

[Stephen Smalley]

On Tue, 2017-01-17 at 15:30 +0000, Alan Jenkins wrote:
> On 13/01/2017, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > 
> > $ touch /tmp/foo
> > $ chcon -t etc_t /tmp/foo
> > $ restorecon /tmp/foo
> > Warning no default label for /tmp/foo
> > $ restorecon -R /tmp/foo
> > Warning no default label for /tmp/foo
> > $ restorecon -R /tmp
> 
> Thanks again!
> 
> restorecon works as advertised.  I notice there are some other
> spurious messages from fixfiles on master, which I didn't see before.
> I suspect in passing, you in particular might know where they came
> from :-P.  Extract from `fixfiles check`:
> 
> filespec hash table stats: 89 elements, 89/65536 buckets used,
> longest
> chain length 1

Yes, I'll reduce that to debug level or drop it altogether.

Also, should probably add a logging callback to setfiles/restorecon so
that it can prepend any messages from libselinux with argv[0] so these
don't show up with no indication of the program.

> /dev/tty3 not reset as customized by admin to
> unconfined_u:object_r:user_tty_device_t:s0
> /dev/tty2 not reset as customized by admin to
> unconfined_u:object_r:user_tty_device_t:s0
> filespec hash table stats: 558 elements, 558/65536 buckets used,
> longest chain length 1
> 
> Messages about /dev/tty* are informative; statistics about hash
> tables are not.
> 
> Testing method:
> 
> * install selinux to ~/obj, according to README
> * backup /sbin/restorecon and /sbin/setfiles
> * overwrite them
> * run LD_LIBRARY_PATH=~/obj/lib fixfiles check
> 
> (I believe fixfiles is running "/sbin/restorecon" or
> "/sbin/setfiles",
> regardless of the install location or current PATH).
> 
> (I had some great undefined behaviour, before I realized I needed to
> set LD_LIBRARY_PATH.  I've been spoilt by other projects, providing
> scripts that magically set LD_LIBRARY_PATH when you try to run
> something like restorecon from the build directory).