* [PATCH] Add restorecon -x opt to not cross FS boundaries (cf github #208)
From: Peter Whittaker @ 2020-05-26 17:02 UTC (permalink / raw)
To: selinux; +Cc: Peter Whittaker
Folks, this patch adds and documents a "-x" option for restorecon
to prevent it from crossing file system boundaries, as requested
in github issue #208.
P
Signed-off-by: Peter Whittaker <pww@edgekeep.com>
---
policycoreutils/setfiles/restorecon.8 | 7 +++++++
policycoreutils/setfiles/setfiles.c | 11 +++++++++--
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index bbfc83fe..0d1930de 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -13,6 +13,7 @@ restorecon \- restore file(s) default SELinux security contexts.
.RB [ \-F ]
.RB [ \-W ]
.RB [ \-I | \-D ]
+.RB [ \-x ]
.RB [ \-e
.IR directory ]
.IR pathname \ ...
@@ -31,6 +32,7 @@ restorecon \- restore file(s) default SELinux security contexts.
.RB [ \-F ]
.RB [ \-W ]
.RB [ \-I | \-D ]
+.RB [ \-x ]
.SH "DESCRIPTION"
This manual page describes the
@@ -153,6 +155,11 @@ option of GNU
.B find
produces input suitable for this mode.
.TP
+.B \-x
+prevent
+.B restorecon
+from crossing file system boundaries.
+.TP
.SH "ARGUMENTS"
.IR pathname \ ...
The pathname for the file(s) to be relabeled.
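Review bot: The ".TP" added as the last line of the new -x entry sits directly before .SH "ARGUMENTS", so it opens a tagged paragraph that has no tag and no body. The new entry already uses the ".TP" that was in the context line above ".B \-x", so the trailing ".TP" can be dropped and the entry ends at "from crossing file system boundaries."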
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 16bd592c..afd579e3 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -43,8 +43,8 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
{
if (iamrestorecon) {
fprintf(stderr,
- "usage: %s [-iIDFmnprRv0] [-e excludedir] pathname...\n"
- "usage: %s [-iIDFmnprRv0] [-e excludedir] -f filename\n",
+ "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n"
+ "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n",
name, name);
} else {
fprintf(stderr,
@@ -386,6 +386,13 @@ int main(int argc, char **argv)
case '0':
null_terminated = 1;
break;
+ case 'x':
+ if (iamrestorecon) {
+ r_opts.xdev = SELINUX_RESTORECON_XDEV;
+ } else {
+ usage(argv[0]);
+ }
+ break;
case 'h':
case '?':
usage(argv[0]);
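Review bot: The new case 'x' in main() cannot be reached as the patch stands. The diffstat shows only this hunk and the usage() hunk for setfiles.c, and neither adds 'x' to the option string that main() parses for restorecon, so "restorecon -x" still lands in the '?' case and prints usage. Add 'x' to that option string in the same patch and run restorecon -x over a tree containing a mount point to confirm that r_opts.xdev = SELINUX_RESTORECON_XDEV takes effect. The else branch calling usage(argv[0]) for setfiles is fine once the option is actually parsed.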
--
2.20.1
* Re: [PATCH] Add restorecon -x opt to not cross FS boundaries (cf github #208)
From: Stephen Smalley @ 2020-05-29 14:22 UTC (permalink / raw)
To: Peter Whittaker; +Cc: SElinux list
On Tue, May 26, 2020 at 1:04 PM Peter Whittaker <pww@edgekeep.com> wrote:
>
> Folks, this patch adds and documents a "-x" option for restorecon
> to prevent it from crossing file system boundaries, as requested
> in github issue #208.
>
> P
>
> Signed-off-by: Peter Whittaker <pww@edgekeep.com>
You didn't update the actual ropts string so restorecon -x fails even
after this patch.
Did you test your change?
In your patch description, you can put the following line before your
Signed-off-by and drop the separate references to github issue #208 in
the subject line and body:
Fixes: https://github.com/SELinuxProject/selinux/issues/208
* Re: [PATCH] Add restorecon -x opt to not cross FS boundaries (cf github #208)
From: Peter Whittaker @ 2020-05-29 14:33 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SElinux list
My test infrastructure has been, uh, limited, so far (working with
some, uh, restrictions). I'll take the time to build a complete test
system, reapply, test, then resubmit. Thanks for the advice on
including the URL, much cleaner.
Thanks,
P
Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP