From 53ccdd55adfbec60fb4277286f2ad94660838504 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 13 Jan 2021 22:09:47 +0100
Subject: [PATCH] setfiles: Do not abort on labeling error
Commit 602347c7422e ("policycoreutils: setfiles - Modify to use
selinux_restorecon") changed behavior of setfiles. Original
implementation skipped files whose context it could not set, while the
new implementation aborts on them. setfiles should abort only if it
can't validate a context from spec_file.
Reproducer:
# mkdir -p r/1 r/2 r/3
# touch r/1/1 r/2/1
# chattr +i r/2/1
# touch r/3/1
# setfiles -r r -v /etc/selinux/targeted/contexts/files/file_contexts r
Relabeled r from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:root_t:s0
Relabeled r/2 from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:default_t:s0
setfiles: Could not set context for r/2/1: Operation not permitted
r/3 and r/1 are not relabeled.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/setfiles/setfiles.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index bc83c27b4c06..68eab45aa2b4 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -182,6 +182,7 @@ int main(int argc, char **argv)
policyfile = NULL;
nerr = 0;
+ r_opts.abort_on_error = 0;
r_opts.progname = strdup(argv[0]);
if (!r_opts.progname) {
fprintf(stderr, "%s: Out of memory!\n", argv[0]);
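Review bot: `r_opts.abort_on_error = 0;` is now set unconditionally, so a per-file labeling failure no longer stops selinux_restorecon(3), but nothing in this hunk shows that such failures are still counted in `nerr` or reflected in the exit status; if they are not, a partially relabeled tree (the immutable `r/2/1` in the reproducer) exits 0 and wrapper scripts cannot tell that some files kept their old label. Please confirm the exit-code path later in main() reports the restorecon errors, and cover it with a test. The removals in the hunks at -202 and -226 complete the same change and need no separate note. Following the neighbouring convention `r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */`, the new line would read better as `r_opts.abort_on_error = 0; /* SELINUX_RESTORECON_ABORT_ON_ERROR */`. main() continues outside the hunk.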
@@ -194,7 +195,6 @@ int main(int argc, char **argv)
* setfiles:
* Recursive descent,
* Does not expand paths via realpath,
- * Aborts on errors during the file tree walk,
* Try to track inode associations for conflict detection,
* Does not follow mounts (sets SELINUX_RESTORECON_XDEV),
* Validates all file contexts at init time.
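Review bot: Dropping `* Aborts on errors during the file tree walk,` leaves the setfiles-versus-restorecon list silent on error handling, which is exactly the behavior this commit changes. A replacement line such as `* Continues past per-file labeling errors (only invalid contexts in spec_file abort),` keeps the comment describing the chosen policy for the next reader. The comment block starts outside the hunk.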
@@ -202,7 +202,6 @@ int main(int argc, char **argv)
iamrestorecon = 0;
r_opts.recurse = SELINUX_RESTORECON_RECURSE;
r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */
- r_opts.abort_on_error = SELINUX_RESTORECON_ABORT_ON_ERROR;
r_opts.add_assoc = SELINUX_RESTORECON_ADD_ASSOC;
/* FTS_PHYSICAL and FTS_NOCHDIR are always set by selinux_restorecon(3) */
r_opts.xdev = SELINUX_RESTORECON_XDEV;
@@ -226,7 +225,6 @@ int main(int argc, char **argv)
iamrestorecon = 1;
r_opts.recurse = 0;
r_opts.userealpath = SELINUX_RESTORECON_REALPATH;
- r_opts.abort_on_error = 0;
r_opts.add_assoc = 0;
r_opts.xdev = 0;
r_opts.ignore_mounts = 0;
--
2.30.0