-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/JEB8ACgkQrlYvE4MpobPvnACg1JmdbCsjXd0J4AeIdjqWJzpl DnAAoJiemdfzwHTmRGNnjbgpyyv0zIYB =5bLN -----END PGP SIGNATURE-----
>From 64f43c6cac022bf93aafa18470a004634394b9c5 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Fri, 2 Sep 2011 08:55:47 -0400
Subject: [PATCH 06/90] policycoreutils: setfiles: FIXME Allow setfiles/restorecon to take advantage of new subset handling in libselinux
Needs review.
Signed-off-by: Dan Walsh <dwalsh@xxxxxxxxxx>
NOT-Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
Acked-by: Dan Walsh <dwalsh@xxxxxxxxxx>
---
 libselinux/man/man3/selabel_open.3 | 7 ++--
 policycoreutils/restorecond/restorecond.c | 2 ++
 policycoreutils/scripts/genhomedircon | 1 +
 policycoreutils/setfiles/restore.c | 15 ++++++---
 policycoreutils/setfiles/restore.h | 1 +
 policycoreutils/setfiles/restorecon.8 | 10 ++++--
 policycoreutils/setfiles/setfiles.8 | 5 ++-
 policycoreutils/setfiles/setfiles.c | 50 ++++++++++++++++++++++++++---
 8 files changed, 76 insertions(+), 15 deletions(-)
diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
index 89bb4d3..fc5b120 100644
--- a/libselinux/man/man3/selabel_open.3
+++ b/libselinux/man/man3/selabel_open.3
@@ -37,8 +37,11 @@ structures of length
 .ta 4n 16n 24n
 .nf
 struct selinux_opt {
- int type;
- const char *value;
+ int type;
+ union {
+ const char *value;
+ const char **values;
+ };
 };
 .fi
 .ta
diff --git a/policycoreutils/restorecond/restorecond.c b/policycoreutils/restorecond/restorecond.c
index 89f5d97..dfd9629 100644
--- a/policycoreutils/restorecond/restorecond.c
+++ b/policycoreutils/restorecond/restorecond.c
@@ -140,6 +140,7 @@ int main(int argc, char **argv)
 {
 int opt;
 struct sigaction sa;
+ const char *null_array[1] = { NULL };
 memset(&r_opts, 0, sizeof(r_opts));
@@ -160,6 +161,7 @@ int main(int argc, char **argv)
 r_opts.fts_flags = FTS_PHYSICAL;
 r_opts.selabel_opt_validate = NULL;
 r_opts.selabel_opt_path = NULL;
+ r_opts.selabel_opt_prefixes = null_array;
 r_opts.ignore_enoent = 1;
 restore_init(&r_opts);
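Review bot: The daemon now hands libselinux an explicit empty prefix list on the `r_opts.selabel_opt_prefixes = null_array;` line, and that is the right choice for restorecond, which relabels whatever paths its watches report; a non-empty prefix set here would presumably load only part of file_contexts and could mislabel watched files outside the prefixes, which is a policy problem rather than a performance one. That invariant is not written down anywhere, so add a comment above the assignment: `/* Never restrict the spec set by prefix here: restorecond relabels arbitrary watched paths and must see all of file_contexts. */`. `null_array` lives on main's stack while its address is stored in the global `r_opts`; that is fine only as long as main does not return while the handle is still used, which looks true for a daemon but main's body continues outside the hunk.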
diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
index ab696a7..58b19cd 100644
--- a/policycoreutils/scripts/genhomedircon
+++ b/policycoreutils/scripts/genhomedircon
@@ -1,2 +1,3 @@
 #!/bin/sh
+
 /usr/sbin/semodule -Bn
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 9a7d315..d6f9b7c 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -58,11 +58,16 @@ void remove_exclude(const char *directory)
 void restore_init(struct restore_opts *opts)
 {
 r_opts = opts;
- struct selinux_opt selinux_opts[] = {
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path }
- };
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 2);
+ struct selinux_opt selinux_opts[3];
+
+ selinux_opts[0].type = SELABEL_OPT_VALIDATE;
+ selinux_opts[0].value = r_opts->selabel_opt_validate;
+ selinux_opts[1].type = SELABEL_OPT_PATH;
+ selinux_opts[1].value = r_opts->selabel_opt_path;
+ selinux_opts[2].type = SELABEL_OPT_PREFIXES;
+ selinux_opts[2].values = r_opts->selabel_opt_prefixes;
+
+ r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
 if (!r_opts->hnd) {
 perror(r_opts->selabel_opt_path);
 exit(1);
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h
index ac27222..4b39972 100644
--- a/policycoreutils/setfiles/restore.h
+++ b/policycoreutils/setfiles/restore.h
@@ -40,6 +40,7 @@ struct restore_opts {
 int fts_flags; /* Flags to fts, e.g. follow links, follow mounts */
 const char *selabel_opt_validate;
 const char *selabel_opt_path;
+ const char **selabel_opt_prefixes;
 };
 void restore_init(struct restore_opts *opts);
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index c8ea4bb..ab2657f 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
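Review bot: `restore_init` passes `SELABEL_OPT_PREFIXES` to `selabel_open` unconditionally on the `selinux_opts[2]` lines, so any caller that leaves the new `selabel_opt_prefixes` field NULL hands libselinux a NULL `values` pointer; the two callers in this patch set it explicitly after a `memset`, but `restore_opts` is a shared header and whether the new subset code treats NULL as "no restriction" or dereferences it is not visible from this patch. Make the option opt-in instead: keep the two existing entries and append the prefixes entry only when the field is non-NULL, passing the resulting count to `selabel_open`. That also keeps the old two-option call for callers compiled against this header but not yet updated. The rest of `restore_init` (the error path after `exit(1)`) is outside the hunk.
```c
	struct selinux_opt selinux_opts[3];
	unsigned nopts = 2;
	/* … unchanged: selinux_opts[0] (VALIDATE) and selinux_opts[1] (PATH) setup … */
	/* Only restrict the spec set when the caller supplied a prefix list;
	 * a NULL field means "use every file_contexts entry". */
	if (r_opts->selabel_opt_prefixes) {
		selinux_opts[nopts].type = SELABEL_OPT_PREFIXES;
		selinux_opts[nopts].values = r_opts->selabel_opt_prefixes;
		nopts++;
	}
	r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, nopts);
```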
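Review bot: The new `selabel_opt_prefixes` member is the only field in this hunk of `restore_opts` without a comment, while `fts_flags` on the line above shows the file's style, and its contract — NULL-terminated, who owns the array and the strings, what NULL means — is exactly what the two callers in this patch and `restore_init` have to agree on. Suggested: `const char **selabel_opt_prefixes; /* NULL-terminated path prefixes passed to selabel_open as SELABEL_OPT_PREFIXES; caller owns the array and strings */`. The struct definition starts before the hunk.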
@@ -4,10 +4,10 @@ restorecon \- restore file(s) default SELinux security contexts.
 .SH "SYNOPSIS"
 .B restorecon
-.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] pathname...
+.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] [\-L labelprefix ] pathname...
 .P
 .B restorecon
-.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-p] [\-v] [\-F]
+.I \-f infilename [\-o outfilename ] [\-e directory ] [\-L labelprefix ] [\-R] [\-n] [\-p] [\-v] [\-F]
 .SH "DESCRIPTION"
 This manual page describes the
@@ -32,6 +32,12 @@ infilename contains a list of files to be processed by application. Use \- for s
 .B \-e directory
 directory to exclude (repeat option for more than one directory.)
 .TP
+.B \-L labelprefix
+Tells selinux to only use the file context that match this prefix for labeling, -L can be called multiple times. Can speed up labeling if you are only doing one directory.
+
+# restorecon -R -v -L /dev /dev
+
+.TP
 .B \-R \-r
 change files and directories file labels recursively
 .TP
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 7f700ca..93eaa8e 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -4,7 +4,7 @@ setfiles \- set file SELinux security contexts.
 .SH "SYNOPSIS"
 .B setfiles
-.I [\-c policy ] [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-W] [\-F] spec_file pathname...
+.I [\-c policy ] [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-L labelprefix ] [\-q] [\-s] [\-v] [\-vv] [\-W] [\-F] spec_file pathname...
 .SH "DESCRIPTION"
 This manual page describes the
 .BR setfiles
@@ -47,6 +47,9 @@ directory to exclude (repeat option for more than one directory.)
 .B \-F
 Force reset of context to match file_context for customizable files
 .TP
+.B \-L labelprefix
+Tells selinux to only use the file context that match this prefix for labeling, -L can be called multiple times. Can speed up labeling if you are only doing one directory.
+.TP
 .B \-o filename
 save list of files with incorrect context in filename.
 .TP
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index fa0cd6a..0ec0eff 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -39,7 +39,7 @@ void usage(const char *const name)
 {
 if (iamrestorecon) {
 fprintf(stderr,
- "usage: %s [-iFnprRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",
+ "usage: %s [-iFnprRv0] [ -L labelprefix ] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",
 name);
 } else {
 fprintf(stderr,
@@ -137,7 +137,7 @@ static void maybe_audit_mass_relabel(int mass_relabel, int mass_relabel_errs)
 int main(int argc, char **argv)
 {
 struct stat sb;
- int opt, i = 0;
+ int opt, i;
 char *input_filename = NULL;
 int use_input_file = 0;
 char *buf = NULL;
@@ -145,6 +145,8 @@ int main(int argc, char **argv)
 int recurse; /* Recursive descent. */
 char *base;
 int mass_relabel = 0, errors = 0;
+ int num_prefixes = 0;
+ const char *null_array[1] = { NULL };
 memset(&r_opts, 0, sizeof(r_opts));
@@ -160,6 +162,7 @@ int main(int argc, char **argv)
 r_opts.outfile = NULL;
 r_opts.force = 0;
 r_opts.hard_links = 1;
+ r_opts.selabel_opt_prefixes = null_array;
 altpath = NULL;
@@ -217,7 +220,7 @@ int main(int argc, char **argv)
 exclude_non_seclabel_mounts();
 /* Process any options. */
- while ((opt = getopt(argc, argv, "c:de:f:ilnpqrsvo:FRW0")) > 0) {
+ while ((opt = getopt(argc, argv, "c:de:f:ilnpqrsvo:FL:RW0")) > 0) {
 switch (opt) {
 case 'c':
 {
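Review bot: Only the `iamrestorecon` usage string gains `[ -L labelprefix ]`; the `else` branch for setfiles begins on the hunk's last lines and its format string is not changed here, and as far as the diffstat shows (its 50 changed lines for setfiles.c are accounted for by the hunks in this patch) no other hunk touches `usage()`, even though `-L` is accepted by the shared getopt string `"c:de:f:ilnpqrsvo:FL:RW0"` and is documented in setfiles.8 by this same patch. Add the option to the setfiles usage string as well, inserting `[-L labelprefix ]` after `[-e excludedir ]` in the else-branch format string. The new spelling `[ -L labelprefix ]` also differs from the neighbouring `[-e excludedir ]`; use `[-L labelprefix ]` in both strings for consistency. `usage()` continues past the end of the hunk.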
@@ -280,6 +283,35 @@ int main(int argc, char **argv)
 case 'n':
 r_opts.change = 0;
 break;
+ case 'L':
+ {
+ char **new_prefixes;
+
+ /* we need 1 for this entry and 1 for the NULL entry */
+ new_prefixes = malloc(sizeof(*new_prefixes) * (num_prefixes + 2));
+ if (!new_prefixes) {
+ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n",
+ optarg, strerror(errno));
+ exit(1);
+ }
+
+ memcpy(new_prefixes, r_opts.selabel_opt_prefixes, sizeof(*new_prefixes) * num_prefixes);
+ new_prefixes[num_prefixes] = strdup(optarg);
+ if (!new_prefixes[num_prefixes]) {
+ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n",
+ optarg, strerror(errno));
+ exit(1);
+ }
+
+ new_prefixes[num_prefixes + 1] = NULL;
+ num_prefixes++;
+
+ if (r_opts.selabel_opt_prefixes != null_array)
+ free(r_opts.selabel_opt_prefixes);
+
+ r_opts.selabel_opt_prefixes = (const char **)new_prefixes;
+ break;
+ }
 case 'o':
 if (strcmp(optarg, "-") == 0) {
 r_opts.outfile = stdout;
@@ -433,7 +465,15 @@ int main(int argc, char **argv)
 if (r_opts.outfile)
 fclose(r_opts.outfile);
- if (r_opts.progress && r_opts.count >= STAR_COUNT)
- printf("\n");
+ if (r_opts.progress && r_opts.count >= STAR_COUNT)
+ printf("\n");
+
+ free(r_opts.progname);
+ i = 0;
+ while (r_opts.selabel_opt_prefixes[i])
+ free((void *)r_opts.selabel_opt_prefixes[i++]);
+ if (r_opts.selabel_opt_prefixes != null_array)
+ free(r_opts.selabel_opt_prefixes);
+ free(r_opts.rootpath);
 exit(errors);
 }
--
1.7.10.2
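Review bot: Nothing in the `case 'L':` block, or elsewhere in this patch, checks that the pathnames later relabeled actually fall under one of the supplied prefixes; since `-L` narrows which file_contexts entries libselinux loads (per the man-page text added by this patch), an invocation like `restorecon -R -L /dev /var` would presumably match `/var` against an incomplete spec set and could leave files unlabeled or labeled by a more generic entry, and a wrong SELinux label is a policy bypass rather than a speed problem. At minimum document the invariant above the case: `/* -L restricts the loaded file_contexts to entries matching these prefixes; every pathname relabeled must lie under one of them or it is matched against an incomplete spec set. */`, and consider warning in the pathname loop (outside this hunk) when an argument does not start with any prefix. The grow-by-one `malloc`/`memcpy`/`free` sequence is correct as written — the stack `null_array` sentinel is never freed and the zero-length `memcpy` on the first `-L` is harmless — though it would read more simply as a `realloc` of a heap array. The enclosing `switch` and `main` continue on both sides of the hunk.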
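Review bot: The cleanup appended to `main` calls `free(r_opts.progname)` and `free(r_opts.rootpath)`, but neither field is touched anywhere in this patch and nothing in the visible hunks shows that they are heap-owned; if `progname` is ever assigned `argv[0]` or `rootpath` a string literal, those frees are undefined behaviour, so confirm both are `strdup`'d at assignment and say so next to the frees, e.g. `/* progname and rootpath are strdup()'d copies owned by main — TODO confirm */`. The prefix loop itself is fine: it frees each `strdup`'d entry and then the array only when it is not the stack `null_array` sentinel. The removed and re-added `if (r_opts.progress ...)` / `printf("\n")` pair is identical text on both sides and looks like an indentation-only change; drop it from this patch to keep the diff to the feature. `main` begins well before the hunk.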