@@ -26,11 +26,10 @@ void restore_init(struct restore_opts *opts)
r_opts = opts;
struct selinux_opt selinux_opts[] = {
{ SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
+ { SELABEL_OPT_PATH, r_opts->selabel_opt_path }
};
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+ r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 2);
if (!r_opts->hnd) {
perror(r_opts->selabel_opt_path);
exit(1);
@@ -44,7 +43,7 @@ void restore_init(struct restore_opts *opts)
r_opts->xdev | r_opts->abort_on_error |
r_opts->syslog_changes | r_opts->log_matches |
r_opts->ignore_noent | r_opts->ignore_mounts |
- r_opts->mass_relabel;
+ r_opts->mass_relabel | r_opts->skip_digest;
/* Use setfiles, restorecon and restorecond own handles */
selinux_restorecon_set_sehandle(r_opts->hnd);
@@ -26,6 +26,7 @@ struct restore_opts {
unsigned int set_specctx;
unsigned int add_assoc;
unsigned int ignore_digest;
+ unsigned int skip_digest;
unsigned int recurse;
unsigned int userealpath;
unsigned int xdev;
@@ -41,7 +42,6 @@ struct restore_opts {
struct selabel_handle *hnd;
const char *selabel_opt_validate;
const char *selabel_opt_path;
- const char *selabel_opt_digest;
int debug;
};
@@ -100,7 +100,7 @@ section for further details.
.B \-D
Set or update any directory SHA1 digests. Use this option to
enable usage of the
-.IR security.restorecon_last
+.IR security.sehash
extended attribute.
.TP
.B \-m
@@ -184,10 +184,10 @@ option to
.B restorecon
will cause it to store a SHA1 digest of the default specfiles set in an extended
attribute named
-.IR security.restorecon_last
-on the directory specified in each
+.IR security.sehash
+on each directory specified in
.IR pathname \ ...
-once the relabeling has been completed successfully. This digest will be
+once the relabeling has been completed successfully. These digests will be
checked should
.B restorecon
.B \-D
@@ -204,7 +204,7 @@ option will ignore the SHA1 digest from each directory specified in
and provided the
.B \-n
option is NOT set and recursive mode is set, files will be relabeled as
-required with the digest then being updated provided there are no errors.
+required with the digests then being updated provided there are no errors.
.SH "AUTHOR"
This man page was written by Dan Walsh <dwalsh@redhat.com>.
@@ -1,7 +1,7 @@
.TH "restorecon_xattr" "8" "24 Sept 2016" "" "SELinux User Command"
.SH "NAME"
restorecon_xattr \- manage
-.I security.restorecon_last
+.I security.sehash
extended attribute entries added by
.BR setfiles (8)
or
@@ -14,7 +14,6 @@ or
.RB [ \-m ]
.RB [ \-n ]
.RB [ \-r ]
-.RB [ \-v ]
.RB [ \-e
.IR directory ]
.RB [ \-f
@@ -24,7 +23,7 @@ or
.SH "DESCRIPTION"
.B restorecon_xattr
will display the SHA1 digests added to extended attributes
-.I security.restorecon_last
+.I security.sehash
or delete the attribute completely. These attributes are set by
.BR restorecon (8)
or
@@ -43,7 +42,7 @@ from.
and
.B TMPFS
filesystems do not support the
-.I security.restorecon_last
+.I security.sehash
extended attribute and are automatically excluded from searches.
.sp
By default
@@ -62,12 +61,12 @@ option.
.TP
.B \-d
delete all non-matching
-.I security.restorecon_last
+.I security.sehash
directory digest entries.
.TP
.B \-D
delete all
-.I security.restorecon_last
+.I security.sehash
directory digest entries.
.TP
.B \-m
@@ -86,9 +85,6 @@ Do not append "Match" or "No Match" to displayed digests.
.B \-r
recursively descend directories.
.TP
-.B \-v
-display SHA1 digest generated by specfile set.
-.TP
.B \-e
.I directory
.br
@@ -101,11 +97,6 @@ an optional
.I specfile
containing file context entries as described in
.BR file_contexts (5).
-This will be used by
-.BR selabel_open (3)
-to retrieve the set of labeling entries, with the SHA1 digest being
-retrieved by
-.BR selabel_digest (3).
If the option is not specified, then the default file_contexts will be used.
.SH "ARGUMENTS"
@@ -17,9 +17,8 @@
static __attribute__((__noreturn__)) void usage(const char *progname)
{
fprintf(stderr,
- "\nusage: %s [-vnrmdD] [-e directory] [-f specfile] pathname\n"
+ "\nusage: %s [-nrmdD] [-e directory] [-f specfile] pathname\n"
"\nWhere:\n\t"
- "-v Display digest generated by specfile set.\n\t"
"-n Do not append \"Match\" or \"No Match\" to displayed digests.\n\t"
"-r Recursively descend directories.\n\t"
"-m Do not read /proc/mounts for entries to be excluded.\n\t"
@@ -27,7 +26,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
"-D Delete all digest entries.\n\t"
"-e Directory to exclude (repeat option for more than one directory).\n\t"
"-f Optional specfile for calculating the digest.\n\t"
- "pathname Path to search for xattr \"security.restorecon_last\" entries.\n\n",
+ "pathname Path to search for xattr \"security.sehash\" entries.\n\n",
progname);
exit(-1);
}
@@ -37,10 +36,7 @@ int main(int argc, char **argv)
int opt, rc;
unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
unsigned int delete_all_digests = 0, ignore_mounts = 0;
- bool display_digest = false;
- char *sha1_buf, **specfiles, *fc_file = NULL;
- unsigned char *fc_digest = NULL;
- size_t i, fc_digest_len = 0, num_specfiles;
+ char *fc_file = NULL;
struct stat sb;
struct selabel_handle *hnd = NULL;
@@ -59,11 +55,8 @@ int main(int argc, char **argv)
exclude_list = NULL;
- while ((opt = getopt(argc, argv, "vnrmdDe:f:")) > 0) {
+ while ((opt = getopt(argc, argv, "nrmdDe:f:")) > 0) {
switch (opt) {
- case 'v':
- display_digest = true;
- break;
case 'n':
no_comment = false;
break;
@@ -103,59 +96,18 @@ int main(int argc, char **argv)
}
struct selinux_opt selinux_opts[] = {
- { SELABEL_OPT_PATH, fc_file },
- { SELABEL_OPT_DIGEST, (char *)1 }
+ { SELABEL_OPT_PATH, fc_file }
};
- hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 2);
+ hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 1);
if (!hnd) {
- switch (errno) {
- case EOVERFLOW:
- fprintf(stderr, "Error: Number of specfiles or"
- " specfile buffer caused an overflow.\n");
- break;
- default:
- fprintf(stderr, "Error: selabel_open: %s\n",
- strerror(errno));
- }
- exit(-1);
+ fprintf(stderr, "Error: selabel_open - Could not obtain handle.\n");
+ return -1;
}
/* Use own handle as need to allow different file_contexts. */
selinux_restorecon_set_sehandle(hnd);
- if (display_digest) {
- if (selabel_digest(hnd, &fc_digest, &fc_digest_len,
- &specfiles, &num_specfiles) < 0) {
- fprintf(stderr,
- "Error: selabel_digest: Digest not available.\n");
- selabel_close(hnd);
- exit(-1);
- }
-
- sha1_buf = malloc(fc_digest_len * 2 + 1);
- if (!sha1_buf) {
- fprintf(stderr,
- "Error allocating digest buffer: %s\n",
- strerror(errno));
- selabel_close(hnd);
- exit(-1);
- }
-
- for (i = 0; i < fc_digest_len; i++)
- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]);
-
- printf("specfiles SHA1 digest: %s\n", sha1_buf);
-
- printf("calculated using the following specfile(s):\n");
- if (specfiles) {
- for (i = 0; i < num_specfiles; i++)
- printf("%s\n", specfiles[i]);
- }
- free(sha1_buf);
- printf("\n");
- }
-
if (exclude_list)
selinux_restorecon_set_exclude_list
((const char **)exclude_list);
@@ -211,6 +163,8 @@ int main(int argc, char **argv)
free(current);
current = next;
}
+ } else {
+ printf("No digests available\n");
}
rc = 0;
@@ -90,7 +90,7 @@ section for further details.
.B \-D
Set or update any directory SHA1 digests. Use this option to
enable usage of the
-.IR security.restorecon_last
+.IR security.sehash
extended attribute.
.TP
.B \-l
@@ -228,10 +228,10 @@ option to
will cause it to store a SHA1 digest of the
.B spec_file
set in an extended attribute named
-.IR security.restorecon_last
-on the directory specified in each
+.IR security.sehash
+on each directory specified in
.IR pathname \ ...
-once the relabeling has been completed successfully. This digest will be
+once the relabeling has been completed successfully. These digests will be
checked should
.B setfiles
.B \-D
@@ -250,7 +250,7 @@ option will ignore the SHA1 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
-option is NOT set, files will be relabeled as required with the digest then
+option is NOT set, files will be relabeled as required with the digests then
being updated provided there are no errors.
.SH "AUTHOR"
@@ -17,7 +17,6 @@
static char *policyfile;
static int warn_no_match;
static int null_terminated;
-static int request_digest;
static struct restore_opts r_opts;
static int nerr;
@@ -178,7 +177,6 @@ int main(int argc, char **argv)
altpath = NULL;
null_terminated = 0;
warn_no_match = 0;
- request_digest = 0;
policyfile = NULL;
nerr = 0;
@@ -200,6 +198,7 @@ int main(int argc, char **argv)
* Validates all file contexts at init time.
*/
iamrestorecon = 0;
+ r_opts.skip_digest = SELINUX_RESTORECON_SKIP_DIGEST;
r_opts.recurse = SELINUX_RESTORECON_RECURSE;
r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */
r_opts.abort_on_error = SELINUX_RESTORECON_ABORT_ON_ERROR;
@@ -224,6 +223,7 @@ int main(int argc, char **argv)
base, RESTORECON);
iamrestorecon = 1;
+ r_opts.skip_digest = SELINUX_RESTORECON_SKIP_DIGEST;
r_opts.recurse = 0;
r_opts.userealpath = SELINUX_RESTORECON_REALPATH;
r_opts.abort_on_error = 0;
@@ -297,17 +297,15 @@ int main(int argc, char **argv)
r_opts.ignore_noent =
SELINUX_RESTORECON_IGNORE_NOENTRY;
break;
- case 'I': /* Force label check by ignoring directory digest. */
+ case 'I': /* Force label check by ignoring directory digest,
+ * then update the digests.
+ */
r_opts.ignore_digest =
SELINUX_RESTORECON_IGNORE_DIGEST;
- request_digest = 1;
+ r_opts.skip_digest = 0;
break;
- case 'D': /*
- * Request file_contexts digest in selabel_open
- * This will effectively enable usage of the
- * security.restorecon_last extended attribute.
- */
- request_digest = 1;
+ case 'D': /* Enable the security.sehash extended attribute. */
+ r_opts.skip_digest = 0;
break;
case 'l':
r_opts.syslog_changes =
@@ -434,7 +432,6 @@ int main(int argc, char **argv)
/* Set selabel_open options. */
r_opts.selabel_opt_validate = (ctx_validate ? (char *)1 : NULL);
- r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
r_opts.selabel_opt_path = altpath;
if (nerr)
Update restorecon, setfiles and restorecon_xattr to handle the new digest scheme managed by selinux_restorecon(3). Note that the Russian man pages require updating. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> --- policycoreutils/setfiles/restore.c | 7 +-- policycoreutils/setfiles/restore.h | 2 +- policycoreutils/setfiles/restorecon.8 | 10 ++-- policycoreutils/setfiles/restorecon_xattr.8 | 19 ++---- policycoreutils/setfiles/restorecon_xattr.c | 66 ++++----------------- policycoreutils/setfiles/setfiles.8 | 10 ++-- policycoreutils/setfiles/setfiles.c | 19 +++--- 7 files changed, 37 insertions(+), 96 deletions(-)