Blob Blame History Raw
From dfb5c5ef41f696da5224ed28cc60bb47c8bed0fa Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Wed, 13 Jul 2016 18:33:55 +0100
Subject: [PATCH] New API: selinux_relabel - SELinux relabel parts of the
 filesystem.

(cherry picked from commit 9d205f1c284a69390907120ca44f5c723fecc244)
---
 TODO                     |   6 ---
 appliance/packagelist.in |   1 +
 daemon/Makefile.am       |   1 +
 daemon/selinux-relabel.c | 100 +++++++++++++++++++++++++++++++++++++++++++++++
 generator/actions.ml     |  23 +++++++++++
 gobject/Makefile.inc     |   2 +
 po/POTFILES              |   2 +
 src/MAX_PROC_NR          |   2 +-
 8 files changed, 130 insertions(+), 7 deletions(-)
 create mode 100644 daemon/selinux-relabel.c

diff --git a/TODO b/TODO
index 90f6f68..fc20b2a 100644
--- a/TODO
+++ b/TODO
@@ -59,12 +59,6 @@ Ideas for extra commands
 
   SELinux:
     chcat
-    restorecon
-      [Wanlong Gao submitted patches for restorecon, but
-       there are problems with using the restorecon binary
-       from the host on the guest.  Most of the time it
-       would do more harm than good.]
-    setfiles
 
   Oddball:
     pivot_root
diff --git a/appliance/packagelist.in b/appliance/packagelist.in
index 6349922..38d39f8 100644
--- a/appliance/packagelist.in
+++ b/appliance/packagelist.in
@@ -42,6 +42,7 @@ ifelse(REDHAT,1,
   ntfs-3g
   openssh-clients
   pcre
+  policycoreutils
   reiserfs-utils
   libselinux
   syslinux-extlinux
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 20a6289..ac75439 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -167,6 +167,7 @@ guestfsd_SOURCES = \
 	rsync.c \
 	scrub.c \
 	selinux.c \
+	selinux-relabel.c \
 	sfdisk.c \
 	sh.c \
 	sleep.c \
diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c
new file mode 100644
index 0000000..daafe9e
--- /dev/null
+++ b/daemon/selinux-relabel.c
@@ -0,0 +1,100 @@
+/* libguestfs - the guestfsd daemon
+ * Copyright (C) 2016 Red Hat Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "guestfs_protocol.h"
+#include "daemon.h"
+#include "actions.h"
+#include "optgroups.h"
+
+GUESTFSD_EXT_CMD(str_setfiles, setfiles);
+
+#define MAX_ARGS 64
+
+int
+optgroup_selinuxrelabel_available (void)
+{
+  return prog_exists (str_setfiles);
+}
+
+/* Takes optional arguments, consult optargs_bitmask. */
+int
+do_selinux_relabel (const char *specfile, const char *path,
+                    int force)
+{
+  const char *argv[MAX_ARGS];
+  CLEANUP_FREE char *s_dev = NULL, *s_proc = NULL, *s_selinux = NULL,
+    *s_sys = NULL, *s_specfile = NULL, *s_path = NULL;
+  CLEANUP_FREE char *err = NULL;
+  size_t i = 0;
+
+  s_dev = sysroot_path ("/dev");
+  if (!s_dev) {
+  malloc_error:
+    reply_with_perror ("malloc");
+    return -1;
+  }
+  s_proc = sysroot_path ("/proc");       if (!s_proc) goto malloc_error;
+  s_selinux = sysroot_path ("/selinux"); if (!s_selinux) goto malloc_error;
+  s_sys = sysroot_path ("/sys");         if (!s_sys) goto malloc_error;
+  s_specfile = sysroot_path (specfile);  if (!s_specfile) goto malloc_error;
+  s_path = sysroot_path (path);          if (!s_path) goto malloc_error;
+
+  /* Default settings if not selected. */
+  if (!(optargs_bitmask & GUESTFS_SELINUX_RELABEL_FORCE_BITMASK))
+    force = 0;
+
+  ADD_ARG (argv, i, str_setfiles);
+  if (force)
+    ADD_ARG (argv, i, "-F");
+
+  /* Exclude some directories that should never be relabelled in
+   * ordinary Linux guests.  These won't be mounted anyway.  We have
+   * to prefix all these with the sysroot path.
+   */
+  ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_dev);
+  ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_proc);
+  ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_selinux);
+  ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_sys);
+
+  /* Relabelling in a chroot. */
+  if (STRNEQ (sysroot, "/")) {
+    ADD_ARG (argv, i, "-r");
+    ADD_ARG (argv, i, sysroot);
+  }
+
+  /* Suppress non-error output. */
+  ADD_ARG (argv, i, "-q");
+
+  /* Add parameters. */
+  ADD_ARG (argv, i, s_specfile);
+  ADD_ARG (argv, i, s_path);
+  ADD_ARG (argv, i, NULL);
+
+  if (commandv (NULL, &err, argv) == -1) {
+    reply_with_perror ("%s", err);
+    return -1;
+  }
+
+  return 0;
+}
diff --git a/generator/actions.ml b/generator/actions.ml
index 998caa5..964a42b 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -12753,6 +12753,29 @@ See also L<ntfsresize(8)>, L<resize2fs(8)>, L<btrfs(8)>, L<xfs_info(8)>." };
     longdesc = "\
 This is the internal call which implements C<guestfs_feature_available>." };
 
+  { defaults with
+    name = "selinux_relabel"; added = (1, 33, 43);
+    style = RErr, [String "specfile"; Pathname "path"], [OBool "force"];
+    proc_nr = Some 467;
+    optional = Some "selinuxrelabel";
+    test_excuse = "tests are in the tests/relabel directory";
+    shortdesc = "relabel parts of the filesystem";
+    longdesc = "\
+SELinux relabel parts of the filesystem.
+
+The C<specfile> parameter controls the policy spec file used.
+You have to parse C</etc/selinux/config> to find the correct
+SELinux policy and then pass the spec file, usually:
+C</etc/selinux/> + I<selinuxtype> + C</contexts/files/file_contexts>.
+
+The required C<path> parameter is the top level directory where
+relabelling starts.  Normally you should pass C<path> as C</>
+to relabel the whole guest filesystem.
+
+The optional C<force> boolean controls whether the context
+is reset for customizable files, and also whether the
+user, role and range parts of the file context is changed." };
+
 ]
 
 (* Non-API meta-commands available only in guestfish.
diff --git a/gobject/Makefile.inc b/gobject/Makefile.inc
index 4b99a78..349f650 100644
--- a/gobject/Makefile.inc
+++ b/gobject/Makefile.inc
@@ -96,6 +96,7 @@ guestfs_gobject_headers= \
   include/guestfs-gobject/optargs-rsync.h \
   include/guestfs-gobject/optargs-rsync_in.h \
   include/guestfs-gobject/optargs-rsync_out.h \
+  include/guestfs-gobject/optargs-selinux_relabel.h \
   include/guestfs-gobject/optargs-set_e2attrs.h \
   include/guestfs-gobject/optargs-syslinux.h \
   include/guestfs-gobject/optargs-tar_in.h \
@@ -182,6 +183,7 @@ guestfs_gobject_sources= \
   src/optargs-rsync.c \
   src/optargs-rsync_in.c \
   src/optargs-rsync_out.c \
+  src/optargs-selinux_relabel.c \
   src/optargs-set_e2attrs.c \
   src/optargs-syslinux.c \
   src/optargs-tar_in.c \
diff --git a/po/POTFILES b/po/POTFILES
index bef6540..98d4623 100644
--- a/po/POTFILES
+++ b/po/POTFILES
@@ -94,6 +94,7 @@ daemon/realpath.c
 daemon/rename.c
 daemon/rsync.c
 daemon/scrub.c
+daemon/selinux-relabel.c
 daemon/selinux.c
 daemon/sfdisk.c
 daemon/sh.c
@@ -221,6 +222,7 @@ gobject/src/optargs-remount.c
 gobject/src/optargs-rsync.c
 gobject/src/optargs-rsync_in.c
 gobject/src/optargs-rsync_out.c
+gobject/src/optargs-selinux_relabel.c
 gobject/src/optargs-set_e2attrs.c
 gobject/src/optargs-syslinux.c
 gobject/src/optargs-tar_in.c
diff --git a/src/MAX_PROC_NR b/src/MAX_PROC_NR
index c92ddb6..5873851 100644
--- a/src/MAX_PROC_NR
+++ b/src/MAX_PROC_NR
@@ -1 +1 @@
-458
+467
-- 
1.8.3.1