From dfb5c5ef41f696da5224ed28cc60bb47c8bed0fa Mon Sep 17 00:00:00 2001

From: "Richard W.M. Jones" <rjones@redhat.com>

Date: Wed, 13 Jul 2016 18:33:55 +0100

Subject: [PATCH] New API: selinux_relabel - SELinux relabel parts of the

 filesystem.

(cherry picked from commit 9d205f1c284a69390907120ca44f5c723fecc244)

---

 TODO                     |   6 ---

 appliance/packagelist.in |   1 +

 daemon/Makefile.am       |   1 +

 daemon/selinux-relabel.c | 100 +++++++++++++++++++++++++++++++++++++++++++++++

 generator/actions.ml     |  23 +++++++++++

 gobject/Makefile.inc     |   2 +

 po/POTFILES              |   2 +

 src/MAX_PROC_NR          |   2 +-

 8 files changed, 130 insertions(+), 7 deletions(-)

 create mode 100644 daemon/selinux-relabel.c

diff --git a/TODO b/TODO

index 90f6f68..fc20b2a 100644

--- a/TODO

+++ b/TODO

@@ -59,12 +59,6 @@ Ideas for extra commands

   SELinux:

     chcat

-    restorecon

-      [Wanlong Gao submitted patches for restorecon, but

-       there are problems with using the restorecon binary

-       from the host on the guest.  Most of the time it

-       would do more harm than good.]

-    setfiles

   Oddball:

     pivot_root

diff --git a/appliance/packagelist.in b/appliance/packagelist.in

index 6349922..38d39f8 100644

--- a/appliance/packagelist.in

+++ b/appliance/packagelist.in

@@ -42,6 +42,7 @@ ifelse(REDHAT,1,

   ntfs-3g

   openssh-clients

   pcre

+  policycoreutils

   reiserfs-utils

   libselinux

   syslinux-extlinux

diff --git a/daemon/Makefile.am b/daemon/Makefile.am

index 20a6289..ac75439 100644

--- a/daemon/Makefile.am

+++ b/daemon/Makefile.am

@@ -167,6 +167,7 @@ guestfsd_SOURCES = \

 	rsync.c \

 	scrub.c \

 	selinux.c \

+	selinux-relabel.c \

 	sfdisk.c \

 	sh.c \

 	sleep.c \

diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c

new file mode 100644

index 0000000..daafe9e

--- /dev/null

+++ b/daemon/selinux-relabel.c

@@ -0,0 +1,100 @@

+/* libguestfs - the guestfsd daemon

+ * Copyright (C) 2016 Red Hat Inc.

+ *

+ * This program is free software; you can redistribute it and/or modify

+ * it under the terms of the GNU General Public License as published by

+ * the Free Software Foundation; either version 2 of the License, or

+ * (at your option) any later version.

+ *

+ * This program is distributed in the hope that it will be useful,

+ * but WITHOUT ANY WARRANTY; without even the implied warranty of

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ * GNU General Public License for more details.

+ *

+ * You should have received a copy of the GNU General Public License

+ * along with this program; if not, write to the Free Software

+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+ */

+

+#include <config.h>

+

+#include <stdio.h>

+#include <stdlib.h>

+#include <string.h>

+

+#include "guestfs_protocol.h"

+#include "daemon.h"

+#include "actions.h"

+#include "optgroups.h"

+

+GUESTFSD_EXT_CMD(str_setfiles, setfiles);

+

+#define MAX_ARGS 64

+

+int

+optgroup_selinuxrelabel_available (void)

+{

+  return prog_exists (str_setfiles);

+}

+

+/* Takes optional arguments, consult optargs_bitmask. */

+int

+do_selinux_relabel (const char *specfile, const char *path,

+                    int force)

+{

+  const char *argv[MAX_ARGS];

+  CLEANUP_FREE char *s_dev = NULL, *s_proc = NULL, *s_selinux = NULL,

+    *s_sys = NULL, *s_specfile = NULL, *s_path = NULL;

+  CLEANUP_FREE char *err = NULL;

+  size_t i = 0;

+

+  s_dev = sysroot_path ("/dev");

+  if (!s_dev) {

+  malloc_error:

+    reply_with_perror ("malloc");

+    return -1;

+  }

+  s_proc = sysroot_path ("/proc");       if (!s_proc) goto malloc_error;

+  s_selinux = sysroot_path ("/selinux"); if (!s_selinux) goto malloc_error;

+  s_sys = sysroot_path ("/sys");         if (!s_sys) goto malloc_error;

+  s_specfile = sysroot_path (specfile);  if (!s_specfile) goto malloc_error;

+  s_path = sysroot_path (path);          if (!s_path) goto malloc_error;

+

+  /* Default settings if not selected. */

+  if (!(optargs_bitmask & GUESTFS_SELINUX_RELABEL_FORCE_BITMASK))

+    force = 0;

+

+  ADD_ARG (argv, i, str_setfiles);

+  if (force)

+    ADD_ARG (argv, i, "-F");

+

+  /* Exclude some directories that should never be relabelled in

+   * ordinary Linux guests.  These won't be mounted anyway.  We have

+   * to prefix all these with the sysroot path.

+   */

+  ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_dev);

+  ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_proc);

+  ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_selinux);

+  ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_sys);

+

+  /* Relabelling in a chroot. */

+  if (STRNEQ (sysroot, "/")) {

+    ADD_ARG (argv, i, "-r");

+    ADD_ARG (argv, i, sysroot);

+  }

+

+  /* Suppress non-error output. */

+  ADD_ARG (argv, i, "-q");

+

+  /* Add parameters. */

+  ADD_ARG (argv, i, s_specfile);

+  ADD_ARG (argv, i, s_path);

+  ADD_ARG (argv, i, NULL);

+

+  if (commandv (NULL, &err, argv) == -1) {

+    reply_with_perror ("%s", err);

+    return -1;

+  }

+

+  return 0;

+}

diff --git a/generator/actions.ml b/generator/actions.ml

index 998caa5..964a42b 100644

--- a/generator/actions.ml

+++ b/generator/actions.ml

@@ -12753,6 +12753,29 @@ See also L<ntfsresize(8)>, L<resize2fs(8)>, L<btrfs(8)>, L<xfs_info(8)>." };

     longdesc = "\

 This is the internal call which implements C<guestfs_feature_available>." };

+  { defaults with

+    name = "selinux_relabel"; added = (1, 33, 43);

+    style = RErr, [String "specfile"; Pathname "path"], [OBool "force"];

+    proc_nr = Some 467;

+    optional = Some "selinuxrelabel";

+    test_excuse = "tests are in the tests/relabel directory";

+    shortdesc = "relabel parts of the filesystem";

+    longdesc = "\

+SELinux relabel parts of the filesystem.

+

+The C<specfile> parameter controls the policy spec file used.

+You have to parse C</etc/selinux/config> to find the correct

+SELinux policy and then pass the spec file, usually:

+C</etc/selinux/> + I<selinuxtype> + C</contexts/files/file_contexts>.

+

+The required C<path> parameter is the top level directory where

+relabelling starts.  Normally you should pass C<path> as C

+to relabel the whole guest filesystem.

+

+The optional C<force> boolean controls whether the context

+is reset for customizable files, and also whether the

+user, role and range parts of the file context is changed." };

+

 ]

 (* Non-API meta-commands available only in guestfish.

diff --git a/gobject/Makefile.inc b/gobject/Makefile.inc

index 4b99a78..349f650 100644

--- a/gobject/Makefile.inc

+++ b/gobject/Makefile.inc

@@ -96,6 +96,7 @@ guestfs_gobject_headers= \

   include/guestfs-gobject/optargs-rsync.h \

   include/guestfs-gobject/optargs-rsync_in.h \

   include/guestfs-gobject/optargs-rsync_out.h \

+  include/guestfs-gobject/optargs-selinux_relabel.h \

   include/guestfs-gobject/optargs-set_e2attrs.h \

   include/guestfs-gobject/optargs-syslinux.h \

   include/guestfs-gobject/optargs-tar_in.h \

@@ -182,6 +183,7 @@ guestfs_gobject_sources= \

   src/optargs-rsync.c \

   src/optargs-rsync_in.c \

   src/optargs-rsync_out.c \

+  src/optargs-selinux_relabel.c \

   src/optargs-set_e2attrs.c \

   src/optargs-syslinux.c \

   src/optargs-tar_in.c \

diff --git a/po/POTFILES b/po/POTFILES

index bef6540..98d4623 100644

--- a/po/POTFILES

+++ b/po/POTFILES

@@ -94,6 +94,7 @@ daemon/realpath.c

 daemon/rename.c

 daemon/rsync.c

 daemon/scrub.c

+daemon/selinux-relabel.c

 daemon/selinux.c

 daemon/sfdisk.c

 daemon/sh.c

@@ -221,6 +222,7 @@ gobject/src/optargs-remount.c

 gobject/src/optargs-rsync.c

 gobject/src/optargs-rsync_in.c

 gobject/src/optargs-rsync_out.c

+gobject/src/optargs-selinux_relabel.c

 gobject/src/optargs-set_e2attrs.c

 gobject/src/optargs-syslinux.c

 gobject/src/optargs-tar_in.c

diff --git a/src/MAX_PROC_NR b/src/MAX_PROC_NR

index c92ddb6..5873851 100644

--- a/src/MAX_PROC_NR

+++ b/src/MAX_PROC_NR

@@ -1 +1 @@

-458

+467

-- 

1.8.3.1