From patchwork Wed Aug 24 12:55:16 2016
X-Patchwork-Submitter: Richard Haines
X-Patchwork-Id: 9297629
From: Richard Haines
To: selinux@tycho.nsa.gov
Subject: [PATCH 2/2] policycoreutils: setfiles - Add option to ignore restorecon_last
Date: Wed, 24 Aug 2016 13:55:16 +0100
Message-Id: <1472043316-28973-1-git-send-email-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.7.4

Add -x option to restorecon(8) and setfiles(8) to ignore the "security.restorecon_last" extended attribute.

Signed-off-by: Richard Haines
---
policycoreutils/setfiles/restore.c | 5 +++--
policycoreutils/setfiles/restore.h | 2 ++
policycoreutils/setfiles/restorecon.8 | 14 ++++++++++++--
policycoreutils/setfiles/setfiles.8 | 12 +++++++++++-
policycoreutils/setfiles/setfiles.c | 19 ++++++++++++-------
5 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c index cf04e96..8ecb087 100644 --- a/policycoreutils/setfiles/restore.c +++ b/policycoreutils/setfiles/restore.c @@ -7,7 +7,7 @@ #include char **exclude_list; -int exclude_count; +static int exclude_count; struct restore_opts *r_opts; @@ -35,7 +35,8 @@ void restore_init(struct restore_opts *opts) r_opts->recurse | r_opts->userealpath | r_opts->xdev | r_opts->abort_on_error | r_opts->syslog_changes | r_opts->log_matches | - r_opts->ignore_noent | r_opts->ignore_mounts; + r_opts->ignore_noent | r_opts->ignore_mounts | + r_opts->ignore_xattr; /* Use setfiles, restorecon and restorecond own handles */ selinux_restorecon_set_sehandle(r_opts->hnd);
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h index bafb662..ad652bb 100644 --- a/policycoreutils/setfiles/restore.h +++ b/policycoreutils/setfiles/restore.h @@ -40,6 +40,7 @@ struct restore_opts { unsigned int log_matches; unsigned int ignore_noent; unsigned int ignore_mounts; + unsigned int ignore_xattr; /* restorecon_flags holds | of above for restore_init() */ unsigned int restorecon_flags; char *rootpath; @@ -56,5 +57,6 @@ void restore_init(struct restore_opts *opts); void restore_finish(void); void add_exclude(const char *directory); int process_glob(char *name, struct restore_opts *opts); +extern char **exclude_list; #endif diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 index 4851f0f..e913e53 100644 --- a/policycoreutils/setfiles/restorecon.8 +++ b/policycoreutils/setfiles/restorecon.8 @@ -4,10 +4,10 @@ restorecon \- restore file(s) default SELinux security contexts. .SH "SYNOPSIS" .B restorecon -.I [\-R] [\-m] [\-n] [\-p] [\-v] [\-I] [\-e directory] pathname... +.I [\-R] [\-m] [\-n] [\-p] [\-v] [\-I] [\-x] [\-e directory] pathname... .P .B restorecon -.I \-f infilename [\-e directory] [\-R] [\-m] [\-n] [\-p] [\-v] [\-F] [\-I] +.I \-f infilename [\-e directory] [\-R] [\-m] [\-n] [\-p] [\-v] [\-F] [\-I] [\-x] .SH "DESCRIPTION" This manual page describes the @@ -56,6 +56,14 @@ there are no errors. See the .B NOTES section for further details. .TP +.B \-x +do not check or update any directory SHA1 digests. Use this option to +effectively disable usage of the +.IR security.restorecon_last +extended attribute. Note that using this option will override the +.B \-I +option. +.TP .B \-m do not read .B /proc/mounts 
@@ -151,6 +159,8 @@ option will ignore the SHA1 digest from each directory specified in .B pathname... and provided the .B \-n +option is NOT set and the +.B \-x option is NOT set and recursive mode is set, files will be relabeled as required with the digest then being updated provided there are no errors. diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 index 35e38b2..b90f381 100644 --- a/policycoreutils/setfiles/setfiles.8 +++ b/policycoreutils/setfiles/setfiles.8 @@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts. .SH "SYNOPSIS" .B setfiles -.I [\-c policy] [\-d] [\-l] [\-m] [\-n] [\-e directory] [\-o filename] [\-p] [\-q] [\-s] [\-v] [\-W] [\-F] [\-I] spec_file pathname... +.I [\-c policy] [\-d] [\-l] [\-m] [\-n] [\-e directory] [\-o filename] [\-p] [\-q] [\-s] [\-v] [\-W] [\-F] [\-I] [\-x] spec_file pathname... .SH "DESCRIPTION" This manual page describes the .BR setfiles @@ -57,6 +57,14 @@ there are no errors. See the .B NOTES section for further details. .TP +.B \-x +do not check or update any directory SHA1 digests. Use this option to +effectively disable usage of the +.IR security.restorecon_last +extended attribute. Note that using this option will override the +.B \-I +option. +.TP .B \-l log changes in file labels to syslog. .TP @@ -190,6 +198,8 @@ option will ignore the SHA1 digest from each directory specified in .B pathname... and provided the .B \-n +option is NOT set and the +.B \-x option is NOT set, files will be relabeled as required with the digest then being updated provided there are no errors. diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c index b700228..cf71d21 100644 --- a/policycoreutils/setfiles/setfiles.c +++ b/policycoreutils/setfiles/setfiles.c 
@@ -42,14 +42,14 @@ void usage(const char *const name) { if (iamrestorecon) { fprintf(stderr, - "usage: %s [-iIFmnprRv0] [-e excludedir] pathname...\n" - "usage: %s [-iIFmnprRv0] [-e excludedir] -f filename\n", + "usage: %s [-iIFmnprRvx0] [-e excludedir] pathname...\n" + "usage: %s [-iIFmnprRvx0] [-e excludedir] -f filename\n", name, name); } else { fprintf(stderr, - "usage: %s [-diIlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n" - "usage: %s [-diIlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n" - "usage: %s -s [-diIlmnpqvFW] spec_file\n" + "usage: %s [-diIlmnpqvxFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n" + "usage: %s [-diIlmnpqvxFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n" + "usage: %s -s [-diIlmnpqvxFW] spec_file\n" "usage: %s -c policyfile spec_file\n", name, name, name, name); } @@ -147,8 +147,8 @@ int main(int argc, char **argv) size_t buf_len; const char *base; int mass_relabel = 0, errors = 0; - const char *ropts = "e:f:hiIlmno:pqrsvFRW0"; - const char *sopts = "c:de:f:hiIlmno:pqr:svFR:W0"; + const char *ropts = "e:f:hiIlmno:pqrsvxFRW0"; + const char *sopts = "c:de:f:hiIlmno:pqr:svxFR:W0"; const char *opts; /* Initialize variables */ @@ -184,6 +184,7 @@ int main(int argc, char **argv) /* FTS_PHYSICAL and FTS_NOCHDIR are always set by selinux_restorecon(3) */ r_opts.xdev = SELINUX_RESTORECON_XDEV; r_opts.ignore_mounts = 0; /* SELINUX_RESTORECON_IGNORE_MOUNTS */ + r_opts.ignore_xattr = 0; /* SELINUX_RESTORECON_IGNORE_XATTR */ ctx_validate = 1; opts = sopts; } else { @@ -207,6 +208,7 @@ int main(int argc, char **argv) r_opts.add_assoc = 0; r_opts.xdev = 0; r_opts.ignore_mounts = 0; + r_opts.ignore_xattr = 0; ctx_validate = 0; opts = ropts; 
@@ -356,6 +358,9 @@ int main(int argc, char **argv) } r_opts.progress = SELINUX_RESTORECON_PROGRESS; break; + case 'x': + r_opts.ignore_xattr = SELINUX_RESTORECON_IGNORE_XATTR; + break; case 'W': warn_no_match = 1; /* Print selabel_stats() */ break;
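Review bot: the restore.c @@ -7,7 +7,7 @@ hunk turns `int exclude_count;` into `static int exclude_count;` and the restore.h @@ -56,5 +57,6 @@ hunk adds `extern char **exclude_list;`, yet the commit message only describes the new -x option. Both are linkage cleanups unrelated to the flag; either split them into their own patch or add a sentence to the commit message explaining them, and confirm that no other translation unit still references `exclude_count` now that it is file-local, since that would fail to link.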
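Review bot: the new `-x` entries in restorecon.8 (@@ -56,6 +56,14 @@) and setfiles.8 (@@ -57,6 +57,14 @@) state that `-x` "will override the -I option", but the amended `-I` paragraphs at @@ -151,6 +159,8 @@ and @@ -190,6 +198,8 @@ only add "and the -x option is NOT set" to the relabel condition. Say in the `-I` text what happens when both are given (all files are relabeled as required and no digest is checked or updated) so the two entries agree and the reader does not have to infer it.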
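Review bot: the setfiles.c @@ -356,6 +358,9 @@ hunk only stores the bit in `r_opts.ignore_xattr`; the precedence of `-x` over `-I` that both man pages promise is neither enforced nor checked anywhere in setfiles.c, so it must come from selinux_restorecon(3) when both flag bits are set. Add a comment at `case 'x':` saying the library resolves the conflict, or print a warning when `-x` and `-I` are both supplied so the user sees that `-I` is being ignored. Related: `SELINUX_RESTORECON_IGNORE_XATTR`, used in this hunk and in the @@ -184,6 +184,7 @@ comment, is not defined in this patch, so the commit message should name the libselinux change it depends on (presumably 1/2) to avoid a build break against an older libselinux.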