|
 |
205b72 |
From d10e773c014a12b17fefd9caef0bd02528d75d18 Mon Sep 17 00:00:00 2001
|
|
|
205b72 |
From: Antoine Tenart <antoine.tenart@bootlin.com>
|
|
|
205b72 |
Date: Tue, 7 Jul 2020 16:35:01 +0200
|
|
|
205b72 |
Subject: [PATCH] policycoreutils: setfiles: do not restrict checks against a
|
|
|
205b72 |
binary policy
|
|
|
205b72 |
|
|
|
205b72 |
The -c option allows to check the validity of contexts against a
|
|
|
205b72 |
specified binary policy. Its use is restricted: no pathname can be used
|
|
|
205b72 |
when a binary policy is given to setfiles. It's not clear if this is
|
|
|
205b72 |
intentional as the built-in help and the man page are not stating the
|
|
|
205b72 |
same thing about this (the man page document -c as a normal option,
|
|
|
205b72 |
while the built-in help shows it is restricted).
|
|
|
205b72 |
|
|
|
205b72 |
When generating full system images later used with SELinux in enforcing
|
|
|
205b72 |
mode, the extended attributed of files have to be set by the build
|
|
|
205b72 |
machine. The issue is setfiles always checks the contexts against a
|
|
|
205b72 |
policy (ctx_validate = 1) and using an external binary policy is not
|
|
|
205b72 |
currently possible when using a pathname. This ends up in setfiles
|
|
|
205b72 |
failing early as the contexts of the target image are not always
|
|
|
205b72 |
compatible with the ones of the build machine.
|
|
|
205b72 |
|
|
|
205b72 |
This patch reworks a check on optind only made when -c is used, that
|
|
|
205b72 |
enforced the use of a single argument to allow 1+ arguments, allowing to
|
|
|
205b72 |
use setfiles with an external binary policy and pathnames. The following
|
|
|
205b72 |
command is then allowed, as already documented in the man page:
|
|
|
205b72 |
|
|
|
205b72 |
$ setfiles -m -r target/ -c policy.32 file_contexts target/
|
|
|
205b72 |
|
|
|
205b72 |
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
|
|
|
205b72 |
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
|
|
205b72 |
|
|
|
205b72 |
(cherry-picked from SElinuxProject
|
|
|
205b72 |
commit: c94e542c98da2f26863c1cbd9d7ad9bc5cca6aff )
|
|
|
205b72 |
---
|
|
|
205b72 |
policycoreutils/setfiles/setfiles.c | 11 +++++------
|
|
|
205b72 |
1 file changed, 5 insertions(+), 6 deletions(-)
|
|
|
205b72 |
|
|
|
205b72 |
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
|
|
|
205b72 |
index 82d0aaa7..4fd3d756 100644
|
|
|
205b72 |
--- a/policycoreutils/setfiles/setfiles.c
|
|
|
205b72 |
+++ b/policycoreutils/setfiles/setfiles.c
|
|
|
205b72 |
@@ -39,11 +39,10 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
|
|
|
205b72 |
name, name);
|
|
|
205b72 |
} else {
|
|
|
205b72 |
fprintf(stderr,
|
|
|
205b72 |
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
|
|
|
205b72 |
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
|
|
|
205b72 |
- "usage: %s -s [-diIDlmnpqvFW] spec_file\n"
|
|
|
205b72 |
- "usage: %s -c policyfile spec_file\n",
|
|
|
205b72 |
- name, name, name, name);
|
|
|
205b72 |
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
|
|
|
205b72 |
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
|
|
|
205b72 |
+ "usage: %s -s [-diIDlmnpqvFW] spec_file\n",
|
|
|
205b72 |
+ name, name, name);
|
|
|
205b72 |
}
|
|
|
205b72 |
exit(-1);
|
|
|
205b72 |
}
|
|
|
205b72 |
@@ -376,7 +375,7 @@ int main(int argc, char **argv)
|
|
|
205b72 |
|
|
|
205b72 |
if (!iamrestorecon) {
|
|
|
205b72 |
if (policyfile) {
|
|
|
205b72 |
- if (optind != (argc - 1))
|
|
|
205b72 |
+ if (optind > (argc - 1))
|
|
|
205b72 |
usage(argv[0]);
|
|
|
205b72 |
} else if (use_input_file) {
|
|
|
205b72 |
if (optind != (argc - 1)) {
|
|
|
205b72 |
--
|
|
|
205b72 |
2.30.2
|
|
|
205b72 |
|