On 09/25/2016 10:49 AM, Richard Haines wrote:
> Add -D option to setfiles and restorecon - Do not set or update
> directory SHA1 digests when relabeling files. This will allow
> users the option of not using the "security.restorecon_last"
> extended attribute feature.
>
> Also review and update the man pages.
I think we need to flip the default here. Rationale:
1) Users often use restorecon to fix labels on files whose labels are
wrong even through nothing has changed in file_contexts, e.g. after
copying/moving files to a different location. They won't expect
restorecon to suddenly stop relabeling by default because the hash of
file_contexts hasn't changed.
2) Only processes running with CAP_SYS_ADMIN can set
security.restorecon_last, so this will fail for non-root users anyway.
Any objection?
>
> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> ---
> policycoreutils/setfiles/restorecon.8 | 76 ++++++++++++++++-----
> policycoreutils/setfiles/setfiles.8 | 122 +++++++++++++++++++++++++---------
> policycoreutils/setfiles/setfiles.c | 26 +++++---
> 3 files changed, 167 insertions(+), 57 deletions(-)
>
> diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
> index 4851f0f..f996467 100644
> --- a/policycoreutils/setfiles/restorecon.8
> +++ b/policycoreutils/setfiles/restorecon.8
> @@ -4,10 +4,33 @@ restorecon \- restore file(s) default SELinux security contexts.
>
> .SH "SYNOPSIS"
> .B restorecon
> -.I [\-R] [\-m] [\-n] [\-p] [\-v] [\-I] [\-e directory] pathname...
> +.RB [ \-r | \-R ]
> +.RB [ \-m ]
> +.RB [ \-n ]
> +.RB [ \-p ]
> +.RB [ \-v ]
> +.RB [ \-i ]
> +.RB [ \-F ]
> +.RB [ \-W ]
> +.RB [ \-I | \-D ]
> +.RB [ \-e
> +.IR directory ]
> +.IR pathname \ ...
> .P
> .B restorecon
> -.I \-f infilename [\-e directory] [\-R] [\-m] [\-n] [\-p] [\-v] [\-F] [\-I]
> +.RB [ \-f
> +.IR infilename ]
> +.RB [ \-e
> +.IR directory ]
> +.RB [ \-r | \-R ]
> +.RB [ \-m ]
> +.RB [ \-n ]
> +.RB [ \-p ]
> +.RB [ \-v ]
> +.RB [ \-i ]
> +.RB [ \-F ]
> +.RB [ \-W ]
> +.RB [ \-I | \-D ]
>
> .SH "DESCRIPTION"
> This manual page describes the
> @@ -18,14 +41,22 @@ This program is primarily used to set the security context
> (extended attributes) on one or more files.
> .P
> It can also be run at any other time to correct inconsistent labels, to add
> -support for newly-installed policy or, by using the \-n option, to passively
> +support for newly-installed policy or, by using the
> +.B \-n
> +option, to passively
> check whether the file contexts are all set as specified by the active policy
> (default behavior).
> .P
> -If a file object does not have a context, restorecon will write the default
> +If a file object does not have a context,
> +.B restorecon
> +will write the default
> context to the file object's extended attributes. If a file object has a
> -context, restorecon will only modify the type portion of the security context.
> -The \-F option will force a replacement of the entire context.
> +context,
> +.B restorecon
> +will only modify the type portion of the security context.
> +The
> +.B \-F
> +option will force a replacement of the entire context.
> .P
> It is the same executable as
> .BR setfiles
> @@ -33,11 +64,15 @@ but operates in a slightly different manner depending on its argv[0].
>
> .SH "OPTIONS"
> .TP
> -.B \-e directory
> +.BI \-e \ directory
> exclude a directory (repeat the option to exclude more than one directory, Requires full path).
> .TP
> -.B \-f infilename
> -infilename contains a list of files to be processed. Use \- for stdin.
> +.BI \-f \ infilename
> +.I infilename
> +contains a list of files to be processed. Use
> +.RB \*(lq \- \*(rq
> +for
> +.BR stdin .
> .TP
> .B \-F
> Force reset of context to match file_context for customizable files, and the
> @@ -56,6 +91,14 @@ there are no errors. See the
> .B NOTES
> section for further details.
> .TP
> +.B \-D
> +do not set or update any directory SHA1 digests. Use this option to
> +effectively disable usage of the
> +.IR security.restorecon_last
> +extended attribute. Note that using this option will override the
> +.B \-I
> +option.
> +.TP
> .B \-m
> do not read
> .B /proc/mounts
> @@ -64,9 +107,10 @@ Setting this option is useful where there is a non-seclabel fs mounted with a
> seclabel fs mounted on a directory below this.
> .TP
> .B \-n
> -don't change any file labels (passive check). To display the files whose labels would be changed, add \-v.
> +don't change any file labels (passive check). To display the files whose labels would be changed, add
> +.BR \-v .
> .TP
> -.B \-o outfilename
> +.BI \-o \ outfilename
> Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename.
> .TP
> .B \-p
> @@ -106,7 +150,7 @@ option of GNU
> produces input suitable for this mode.
> .TP
> .SH "ARGUMENTS"
> -.B pathname...
> +.IR pathname \ ...
> The pathname for the file(s) to be relabeled.
> .SH "NOTES"
> .IP "1." 4
> @@ -115,7 +159,7 @@ does not follow symbolic links and by default it does not
> operate recursively on directories.
> .IP "2." 4
> If the
> -.B pathname
> +.I pathname
> specifies the root directory and the
> .B \-vR
> or
> @@ -135,12 +179,12 @@ will write an SHA1 digest of the default specfiles set to an extended
> attribute named
> .IR security.restorecon_last
> to the directory specified in each
> -.B pathname...
> +.IR pathname \ ...
> once the relabeling has been completed successfully. This digest will be
> checked should
> .B restorecon
> be rerun with the same
> -.B pathname
> +.I pathname
> parameters. See
> .BR selinux_restorecon (3)
> for further details.
> @@ -148,7 +192,7 @@ for further details.
> The
> .B \-I
> option will ignore the SHA1 digest from each directory specified in
> -.B pathname...
> +.IR pathname \ ...
> and provided the
> .B \-n
> option is NOT set and recursive mode is set, files will be relabeled as
> diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
> index 35e38b2..11bc335 100644
> --- a/policycoreutils/setfiles/setfiles.8
> +++ b/policycoreutils/setfiles/setfiles.8
> @@ -4,7 +4,23 @@ setfiles \- set SELinux file security contexts.
>
> .SH "SYNOPSIS"
> .B setfiles
> -.I [\-c policy] [\-d] [\-l] [\-m] [\-n] [\-e directory] [\-o filename] [\-p] [\-q] [\-s] [\-v] [\-W] [\-F] [\-I] spec_file pathname...
> +.RB [ \-c
> +.IR policy ]
> +.RB [ \-d ]
> +.RB [ \-l ]
> +.RB [ \-m ]
> +.RB [ \-n ]
> +.RB [ \-e
> +.IR directory ]
> +.RB [ \-p ]
> +.RB [ \-s ]
> +.RB [ \-v ]
> +.RB [ \-W ]
> +.RB [ \-F ]
> +.RB [ \-I | \-D ]
> +.I spec_file
> +.IR pathname \ ...
> +
> .SH "DESCRIPTION"
> This manual page describes the
> .BR setfiles
> @@ -16,14 +32,24 @@ them). Usually it is initially run as part of the SELinux installation
> process (a step commonly known as labeling).
> .P
> It can also be run at any other time to correct inconsistent labels, to add
> -support for newly-installed policy or, by using the \-n option, to passively
> +support for newly-installed policy or, by using the
> +.B \-n
> +option, to passively
> check whether the file contexts are all set as specified by the active policy
> -(default behavior) or by some other policy (see the \-c option).
> +(default behavior) or by some other policy (see the
> +.B \-c
> +option).
> .P
> -If a file object does not have a context, setfiles will write the default
> +If a file object does not have a context,
> +.B setfiles
> +will write the default
> context to the file object's extended attributes. If a file object has a
> -context, setfiles will only modify the type portion of the security context.
> -The \-F option will force a replacement of the entire context.
> +context,
> +.B setfiles
> +will only modify the type portion of the security context.
> +The
> +.B \-F
> +option will force a replacement of the entire context.
> .SH "OPTIONS"
> .TP
> .B \-c
> @@ -33,11 +59,15 @@ check the validity of the contexts against the specified binary policy.
> show what specification matched each file (do not abort validation
> after ABORT_ON_ERRORS errors).
> .TP
> -.B \-e directory
> +.BI \-e \ directory
> directory to exclude (repeat option for more than one directory).
> .TP
> -.B \-f
> -take a list of files to be processed from an input file.
> +.BI \-f \ infilename
> +.I infilename
> +contains a list of files to be processed. Use
> +.RB \*(lq \- \*(rq
> +for
> +.BR stdin .
> .TP
> .B \-F
> Force reset of context to match file_context for customizable files, and the
> @@ -57,6 +87,14 @@ there are no errors. See the
> .B NOTES
> section for further details.
> .TP
> +.B \-D
> +do not set or update any directory SHA1 digests. Use this option to
> +effectively disable usage of the
> +.IR security.restorecon_last
> +extended attribute. Note that using this option will override the
> +.B \-I
> +option.
> +.TP
> .B \-l
> log changes in file labels to syslog.
> .TP
> @@ -70,7 +108,7 @@ seclabel fs mounted on a directory below this.
> .B \-n
> don't change any file labels (passive check).
> .TP
> -.B \-o filename
> +.BI \-o \ filename
> Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename.
> .TP
> .B \-p
> @@ -84,15 +122,18 @@ options are mutually exclusive.
> .B \-q
> Deprecated, was only used to stop printing inode association parameters.
> .TP
> -.B \-r rootpath
> +.BI \-r \ rootpath
> use an alternate root path. Used in meta-selinux for OpenEmbedded/Yocto builds
> to label files under
> -.B rootpath
> -as if they were at /
> +.I rootpath
> +as if they were at
> +.B /
> .TP
> .B \-s
> take a list of files from standard input instead of using a pathname from the
> -command line (equivalent to \-f \-).
> +command line (equivalent to
> +.RB \*(lq "\-f \-" \*(rq
> +).
> .TP
> .B \-v
> show changes in file labels and output any inode association parameters.
> @@ -120,26 +161,43 @@ option of GNU
> produces input suitable for this mode.
>
> .SH "ARGUMENTS"
> -.B spec_file
> -The specification file which contains lines of the following form
> -.br
> -.B regexp [ \-type ] ( context | <<none>> )
> -.br
> -The regular expression is anchored at both ends. The optional type field
> -specifies the file type as shown in the mode field by the
> -.B ls(1)
> -program, e.g. \-\- to match only regular files or \-d to match only
> -directories. The context can be an ordinary security context or the
> -string <<none>> to specify that the file is not to have its context
> +.TP
> +.I spec_file
> +The specification file which contains lines of the following form:
> +.sp
> +.RS
> +.I regexp
> +.RI [ type ]
> +.IR context \ |
> +.B <<none>>
> +.RS
> +The regular expression is anchored at both ends. The optional
> +.I type
> +field specifies the file type as shown in the mode field by the
> +.BR ls (1)
> +program, e.g.
> +.B \-\-
> +to match only regular files or
> +.B \-d
> +to match only
> +directories. The
> +.I context
> +can be an ordinary security context or the
> +string
> +.B <<none>>
> +to specify that the file is not to have its context
> changed.
> .br
> The last matching specification is used. If there are multiple hard
> links to a file that match different specifications and those
> specifications indicate different security contexts, then a warning is
> displayed but the file is still labeled based on the last matching
> -specification other than <<none>>.
> +specification other than
> +.BR <<none>> \|.
> +.RE
> +.RE
> .TP
> -.B pathname...
> +.IR pathname \ ...
> The pathname for the root directory of each file system to be relabeled
> or a specific directory within a filesystem that should be recursively
> descended and relabeled or the pathname of a file that should be
> @@ -156,7 +214,7 @@ option is used.
> follows symbolic links and operates recursively on directories.
> .IP "2." 4
> If the
> -.B pathname
> +.I pathname
> specifies the root directory and the
> .B \-v
> option is set and the audit system is running, then an audit event is
> @@ -171,15 +229,15 @@ will write an SHA1 digest of the
> set to an extended attribute named
> .IR security.restorecon_last
> to the directory specified in each
> -.B pathname...
> +.IR pathname \ ...
> once the relabeling has been completed successfully. This digest will be
> checked should
> .B setfiles
> be rerun
> with the same
> -.B spec_file
> +.I spec_file
> and
> -.B pathname
> +.I pathname
> parameters. See
> .BR selinux_restorecon (3)
> for further details.
> @@ -187,7 +245,7 @@ for further details.
> The
> .B \-I
> option will ignore the SHA1 digest from each directory specified in
> -.B pathname...
> +.IR pathname \ ...
> and provided the
> .B \-n
> option is NOT set, files will be relabeled as required with the digest then
> diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
> index b700228..520866e 100644
> --- a/policycoreutils/setfiles/setfiles.c
> +++ b/policycoreutils/setfiles/setfiles.c
> @@ -17,6 +17,7 @@
> static char *policyfile;
> static int warn_no_match;
> static int null_terminated;
> +static int request_digest;
> static struct restore_opts r_opts;
> static int nerr;
>
> @@ -42,14 +43,14 @@ void usage(const char *const name)
> {
> if (iamrestorecon) {
> fprintf(stderr,
> - "usage: %s [-iIFmnprRv0] [-e excludedir] pathname...\n"
> - "usage: %s [-iIFmnprRv0] [-e excludedir] -f filename\n",
> + "usage: %s [-iIDFmnprRv0] [-e excludedir] pathname...\n"
> + "usage: %s [-iIDFmnprRv0] [-e excludedir] -f filename\n",
> name, name);
> } else {
> fprintf(stderr,
> - "usage: %s [-diIlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
> - "usage: %s [-diIlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
> - "usage: %s -s [-diIlmnpqvFW] spec_file\n"
> + "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
> + "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
> + "usage: %s -s [-diIDlmnpqvFW] spec_file\n"
> "usage: %s -c policyfile spec_file\n",
> name, name, name, name);
> }
> @@ -147,8 +148,8 @@ int main(int argc, char **argv)
> size_t buf_len;
> const char *base;
> int mass_relabel = 0, errors = 0;
> - const char *ropts = "e:f:hiIlmno:pqrsvFRW0";
> - const char *sopts = "c:de:f:hiIlmno:pqr:svFR:W0";
> + const char *ropts = "e:f:hiIDlmno:pqrsvFRW0";
> + const char *sopts = "c:de:f:hiIDlmno:pqr:svFR:W0";
> const char *opts;
>
> /* Initialize variables */
> @@ -156,6 +157,7 @@ int main(int argc, char **argv)
> altpath = NULL;
> null_terminated = 0;
> warn_no_match = 0;
> + request_digest = 1;
> policyfile = NULL;
> nerr = 0;
>
> @@ -278,6 +280,12 @@ int main(int argc, char **argv)
> r_opts.ignore_digest =
> SELINUX_RESTORECON_IGNORE_DIGEST;
> break;
> + case 'D': /*
> + * Don't request file_contexts digest in selabel_open
> + * This will effectively disable usage of the
> + * security.restorecon_last extended attribute.
> + */
> + request_digest = 0;
> case 'l':
> r_opts.syslog_changes =
> SELINUX_RESTORECON_SYSLOG_CHANGES;
> @@ -409,9 +417,9 @@ int main(int argc, char **argv)
> } else if (argc == 1)
> usage(argv[0]);
>
> - /* Set selabel_open options. Always request a digest. */
> + /* Set selabel_open options. */
> r_opts.selabel_opt_validate = (ctx_validate ? (char *)1 : NULL);
> - r_opts.selabel_opt_digest = (char *)1;
> + r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
> r_opts.selabel_opt_path = altpath;
>
> if (nerr)
>
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
