-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch might be somewhat controversial, basically makes *setfilecon commands not fail if the caller tries to set the file context on a file system that does not support XATTRs, and the file context it is trying to set matches the current file context. setfilecon("/mnt/nfshare/dwalsh", "system_u:object_r:nfs_t:s0") Would not fail for example. This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlJpJfoACgkQrlYvE4MpobO99QCcDi2w/WdXxj7E7xj9gq8am85x 4j8AoNQZm75o1mV5WtbzvE3Zamxw5I24 =Spvh -----END PGP SIGNATURE-----
>From 483fa006096fd7a953512342a5c4327986aa98c3 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Wed, 9 Oct 2013 15:15:35 -0400
Subject: [PATCH 11/74] Patch to change *setfilecon to not return ENOSUP if context matches.

Tools like cp -A try to maintain the context of a program and call *setfilecon, currently if the file system does not support XAttrs we return ENOSUPP. We have been requested to check if the context that is being set is the same to not return this error. So if I try to set the label on an nfs share to system_u:object_r:nfs_t:s0 and I get ENOSUPP, it will not return an error.
---
 libselinux/src/fsetfilecon.c | 14 +++++++++++++-
 libselinux/src/lsetfilecon.c | 14 +++++++++++++-
 libselinux/src/setfilecon.c | 14 +++++++++++++-
 3 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
index 309105c..0e9278e 100644
--- a/libselinux/src/fsetfilecon.c
+++ b/libselinux/src/fsetfilecon.c
@@ -9,8 +9,20 @@
 
 int fsetfilecon_raw(int fd, const security_context_t context)
 {
- return fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+ int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
 0);
+ if (rc < 0 && errno == ENOTSUP) {
+ security_context_t ccontext = NULL;
+ int err = errno;
+ if ((fgetfilecon_raw(fd, &ccontext) >= 0) &&
+ (strcmp(context,ccontext) == 0)) {
+ rc = 0;
+ } else {
+ errno = err;
+ }
+ freecon(ccontext);
+ }
+ return rc;
 }
 
 hidden_def(fsetfilecon_raw)
diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
index 461e3f7..ab85155 100644
--- a/libselinux/src/lsetfilecon.c
+++ b/libselinux/src/lsetfilecon.c
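Review bot: The new ENOTSUP branch in fsetfilecon_raw changes what a 0 return means, and nothing in the hunk says so: the call now succeeds without any xattr having been written whenever fgetfilecon_raw reports a context that is byte-identical to the requested one. A short comment above the `if` would make that contract visible, for example `/* fs cannot store labels: succeed only if the label it already reports equals the requested raw context */`. Callers that treat success as "the label was persisted" are presumably affected, since a label that comes from mount options can change on remount; that is inferred, not shown in the hunk. The same twelve added lines are repeated in lsetfilecon_raw and setfilecon_raw, so one internal helper that takes the already-fetched context would keep the three copies from drifting apart.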
@@ -9,8 +9,20 @@
 
 int lsetfilecon_raw(const char *path, const security_context_t context)
 {
- return lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+ int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
 0);
+ if (rc < 0 && errno == ENOTSUP) {
+ security_context_t ccontext = NULL;
+ int err = errno;
+ if ((lgetfilecon_raw(path, &ccontext) >= 0) &&
+ (strcmp(context,ccontext) == 0)) {
+ rc = 0;
+ } else {
+ errno = err;
+ }
+ freecon(ccontext);
+ }
+ return rc;
 }
 
 hidden_def(lsetfilecon_raw)
diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
index 7465c6a..9aaaa4b 100644
--- a/libselinux/src/setfilecon.c
+++ b/libselinux/src/setfilecon.c
@@ -9,8 +9,20 @@
 
 int setfilecon_raw(const char *path, const security_context_t context)
 {
- return setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+ int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
 0);
+ if (rc < 0 && errno == ENOTSUP) {
+ security_context_t ccontext = NULL;
+ int err = errno;
+ if ((getfilecon_raw(path, &ccontext) >= 0) &&
+ (strcmp(context,ccontext) == 0)) {
+ rc = 0;
+ } else {
+ errno = err;
+ }
+ freecon(ccontext);
+ }
+ return rc;
 }
 
 hidden_def(setfilecon_raw)
-- 
1.8.3.1
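Review bot: In lsetfilecon_raw the fallback resolves `path` a second time: `lsetxattr(path, ...)` fails and then `lgetfilecon_raw(path, &ccontext)` looks the name up again, so the context being compared is not guaranteed to belong to the object the set was attempted on if a path component changes between the two calls. The outcome would be a 0 return for a file whose label was never actually checked. setfilecon_raw in the next hunk has the same pattern with `setxattr` and `getfilecon_raw`; fsetfilecon_raw does not, because both of its calls use the same fd. This cannot be closed inside a path-based API, so I would document it next to the branch, e.g. `/* path is resolved twice here; use fsetfilecon_raw on an open fd when the check must apply to the same object */`.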