On Fri, 2016-09-30 at 10:53 -0400, Stephen Smalley wrote:
> On 09/30/2016 10:44 AM, Stephen Smalley wrote:
> >
> > On 09/25/2016 10:49 AM, Richard Haines wrote:
> > >
> > > Add -D option to setfiles and restorecon - Do not set or update
> > > directory SHA1 digests when relabeling files. This will allow
> > > users the option of not using the "security.restorecon_last"
> > > extended attribute feature.
> > >
> > > Also review and update the man pages.
> >
> > I think we need to flip the default here. Rationale:
> > 1) Users often use restorecon to fix labels on files whose labels
> > are
> > wrong even through nothing has changed in file_contexts, e.g. after
> > copying/moving files to a different location. They won't expect
> > restorecon to suddenly stop relabeling by default because the hash
> > of
> > file_contexts hasn't changed.
> >
> > 2) Only processes running with CAP_SYS_ADMIN can set
> > security.restorecon_last, so this will fail for non-root users
> > anyway.
> >
> > Any objection?
None - will you do the patch or shall I (would send sometime over
weekend)
>
> I guess (2) means that (1) won't be a problem for non-root users,
> since
> the attribute won't ever be set. But typical instructions for fixing
> labels on files copied manually to /var/www are restorecon -R
> /var/www,
> and now we'll get this:
> # restorecon -R /var/www
> # restorecon -R /var/www
> Skipping restorecon as matching digest on: /var/www
>
> With no hint to the user on how to force it to happen.
>
> >
> >
> > >
> > >
> > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> > > ---
> > > policycoreutils/setfiles/restorecon.8 | 76 ++++++++++++++++--
> > > ---
> > > policycoreutils/setfiles/setfiles.8 | 122
> > > +++++++++++++++++++++++++---------
> > > policycoreutils/setfiles/setfiles.c | 26 +++++---
> > > 3 files changed, 167 insertions(+), 57 deletions(-)
> > >
> > > diff --git a/policycoreutils/setfiles/restorecon.8
> > > b/policycoreutils/setfiles/restorecon.8
> > > index 4851f0f..f996467 100644
> > > --- a/policycoreutils/setfiles/restorecon.8
> > > +++ b/policycoreutils/setfiles/restorecon.8
> > > @@ -4,10 +4,33 @@ restorecon \- restore file(s) default SELinux
> > > security contexts.
> > >
> > > .SH "SYNOPSIS"
> > > .B restorecon
> > > -.I [\-R] [\-m] [\-n] [\-p] [\-v] [\-I] [\-e directory]
> > > pathname...
> > > +.RB [ \-r | \-R ]
> > > +.RB [ \-m ]
> > > +.RB [ \-n ]
> > > +.RB [ \-p ]
> > > +.RB [ \-v ]
> > > +.RB [ \-i ]
> > > +.RB [ \-F ]
> > > +.RB [ \-W ]
> > > +.RB [ \-I | \-D ]
> > > +.RB [ \-e
> > > +.IR directory ]
> > > +.IR pathname \ ...
> > > .P
> > > .B restorecon
> > > -.I \-f infilename [\-e directory] [\-R] [\-m] [\-n] [\-p] [\-v]
> > > [\-F] [\-I]
> > > +.RB [ \-f
> > > +.IR infilename ]
> > > +.RB [ \-e
> > > +.IR directory ]
> > > +.RB [ \-r | \-R ]
> > > +.RB [ \-m ]
> > > +.RB [ \-n ]
> > > +.RB [ \-p ]
> > > +.RB [ \-v ]
> > > +.RB [ \-i ]
> > > +.RB [ \-F ]
> > > +.RB [ \-W ]
> > > +.RB [ \-I | \-D ]
> > >
> > > .SH "DESCRIPTION"
> > > This manual page describes the
> > > @@ -18,14 +41,22 @@ This program is primarily used to set the
> > > security context
> > > (extended attributes) on one or more files.
> > > .P
> > > It can also be run at any other time to correct inconsistent
> > > labels, to add
> > > -support for newly-installed policy or, by using the \-n option,
> > > to passively
> > > +support for newly-installed policy or, by using the
> > > +.B \-n
> > > +option, to passively
> > > check whether the file contexts are all set as specified by the
> > > active policy
> > > (default behavior).
> > > .P
> > > -If a file object does not have a context, restorecon will write
> > > the default
> > > +If a file object does not have a context,
> > > +.B restorecon
> > > +will write the default
> > > context to the file object's extended attributes. If a file
> > > object has a
> > > -context, restorecon will only modify the type portion of the
> > > security context.
> > > -The \-F option will force a replacement of the entire context.
> > > +context,
> > > +.B restorecon
> > > +will only modify the type portion of the security context.
> > > +The
> > > +.B \-F
> > > +option will force a replacement of the entire context.
> > > .P
> > > It is the same executable as
> > > .BR setfiles
> > > @@ -33,11 +64,15 @@ but operates in a slightly different manner
> > > depending on its argv[0].
> > >
> > > .SH "OPTIONS"
> > > .TP
> > > -.B \-e directory
> > > +.BI \-e \ directory
> > > exclude a directory (repeat the option to exclude more than one
> > > directory, Requires full path).
> > > .TP
> > > -.B \-f infilename
> > > -infilename contains a list of files to be processed. Use \- for
> > > stdin.
> > > +.BI \-f \ infilename
> > > +.I infilename
> > > +contains a list of files to be processed. Use
> > > +.RB \*(lq \- \*(rq
> > > +for
> > > +.BR stdin .
> > > .TP
> > > .B \-F
> > > Force reset of context to match file_context for customizable
> > > files, and the
> > > @@ -56,6 +91,14 @@ there are no errors. See the
> > > .B NOTES
> > > section for further details.
> > > .TP
> > > +.B \-D
> > > +do not set or update any directory SHA1 digests. Use this option
> > > to
> > > +effectively disable usage of the
> > > +.IR security.restorecon_last
> > > +extended attribute. Note that using this option will override
> > > the
> > > +.B \-I
> > > +option.
> > > +.TP
> > > .B \-m
> > > do not read
> > > .B /proc/mounts
> > > @@ -64,9 +107,10 @@ Setting this option is useful where there is
> > > a non-seclabel fs mounted with a
> > > seclabel fs mounted on a directory below this.
> > > .TP
> > > .B \-n
> > > -don't change any file labels (passive check). To display the
> > > files whose labels would be changed, add \-v.
> > > +don't change any file labels (passive check). To display the
> > > files whose labels would be changed, add
> > > +.BR \-v .
> > > .TP
> > > -.B \-o outfilename
> > > +.BI \-o \ outfilename
> > > Deprecated, SELinux policy will probably block this access. Use
> > > shell redirection to save list of files with incorrect context in
> > > filename.
> > > .TP
> > > .B \-p
> > > @@ -106,7 +150,7 @@ option of GNU
> > > produces input suitable for this mode.
> > > .TP
> > > .SH "ARGUMENTS"
> > > -.B pathname...
> > > +.IR pathname \ ...
> > > The pathname for the file(s) to be relabeled.
> > > .SH "NOTES"
> > > .IP "1." 4
> > > @@ -115,7 +159,7 @@ does not follow symbolic links and by default
> > > it does not
> > > operate recursively on directories.
> > > .IP "2." 4
> > > If the
> > > -.B pathname
> > > +.I pathname
> > > specifies the root directory and the
> > > .B \-vR
> > > or
> > > @@ -135,12 +179,12 @@ will write an SHA1 digest of the default
> > > specfiles set to an extended
> > > attribute named
> > > .IR security.restorecon_last
> > > to the directory specified in each
> > > -.B pathname...
> > > +.IR pathname \ ...
> > > once the relabeling has been completed successfully. This digest
> > > will be
> > > checked should
> > > .B restorecon
> > > be rerun with the same
> > > -.B pathname
> > > +.I pathname
> > > parameters. See
> > > .BR selinux_restorecon (3)
> > > for further details.
> > > @@ -148,7 +192,7 @@ for further details.
> > > The
> > > .B \-I
> > > option will ignore the SHA1 digest from each directory specified
> > > in
> > > -.B pathname...
> > > +.IR pathname \ ...
> > > and provided the
> > > .B \-n
> > > option is NOT set and recursive mode is set, files will be
> > > relabeled as
> > > diff --git a/policycoreutils/setfiles/setfiles.8
> > > b/policycoreutils/setfiles/setfiles.8
> > > index 35e38b2..11bc335 100644
> > > --- a/policycoreutils/setfiles/setfiles.8
> > > +++ b/policycoreutils/setfiles/setfiles.8
> > > @@ -4,7 +4,23 @@ setfiles \- set SELinux file security contexts.
> > >
> > > .SH "SYNOPSIS"
> > > .B setfiles
> > > -.I [\-c policy] [\-d] [\-l] [\-m] [\-n] [\-e directory] [\-o
> > > filename] [\-p] [\-q] [\-s] [\-v] [\-W] [\-F] [\-I] spec_file
> > > pathname...
> > > +.RB [ \-c
> > > +.IR policy ]
> > > +.RB [ \-d ]
> > > +.RB [ \-l ]
> > > +.RB [ \-m ]
> > > +.RB [ \-n ]
> > > +.RB [ \-e
> > > +.IR directory ]
> > > +.RB [ \-p ]
> > > +.RB [ \-s ]
> > > +.RB [ \-v ]
> > > +.RB [ \-W ]
> > > +.RB [ \-F ]
> > > +.RB [ \-I | \-D ]
> > > +.I spec_file
> > > +.IR pathname \ ...
> > > +
> > > .SH "DESCRIPTION"
> > > This manual page describes the
> > > .BR setfiles
> > > @@ -16,14 +32,24 @@ them). Usually it is initially run as part
> > > of the SELinux installation
> > > process (a step commonly known as labeling).
> > > .P
> > > It can also be run at any other time to correct inconsistent
> > > labels, to add
> > > -support for newly-installed policy or, by using the \-n option,
> > > to passively
> > > +support for newly-installed policy or, by using the
> > > +.B \-n
> > > +option, to passively
> > > check whether the file contexts are all set as specified by the
> > > active policy
> > > -(default behavior) or by some other policy (see the \-c option).
> > > +(default behavior) or by some other policy (see the
> > > +.B \-c
> > > +option).
> > > .P
> > > -If a file object does not have a context, setfiles will write
> > > the default
> > > +If a file object does not have a context,
> > > +.B setfiles
> > > +will write the default
> > > context to the file object's extended attributes. If a file
> > > object has a
> > > -context, setfiles will only modify the type portion of the
> > > security context.
> > > -The \-F option will force a replacement of the entire context.
> > > +context,
> > > +.B setfiles
> > > +will only modify the type portion of the security context.
> > > +The
> > > +.B \-F
> > > +option will force a replacement of the entire context.
> > > .SH "OPTIONS"
> > > .TP
> > > .B \-c
> > > @@ -33,11 +59,15 @@ check the validity of the contexts against
> > > the specified binary policy.
> > > show what specification matched each file (do not abort
> > > validation
> > > after ABORT_ON_ERRORS errors).
> > > .TP
> > > -.B \-e directory
> > > +.BI \-e \ directory
> > > directory to exclude (repeat option for more than one
> > > directory).
> > > .TP
> > > -.B \-f
> > > -take a list of files to be processed from an input file.
> > > +.BI \-f \ infilename
> > > +.I infilename
> > > +contains a list of files to be processed. Use
> > > +.RB \*(lq \- \*(rq
> > > +for
> > > +.BR stdin .
> > > .TP
> > > .B \-F
> > > Force reset of context to match file_context for customizable
> > > files, and the
> > > @@ -57,6 +87,14 @@ there are no errors. See the
> > > .B NOTES
> > > section for further details.
> > > .TP
> > > +.B \-D
> > > +do not set or update any directory SHA1 digests. Use this option
> > > to
> > > +effectively disable usage of the
> > > +.IR security.restorecon_last
> > > +extended attribute. Note that using this option will override
> > > the
> > > +.B \-I
> > > +option.
> > > +.TP
> > > .B \-l
> > > log changes in file labels to syslog.
> > > .TP
> > > @@ -70,7 +108,7 @@ seclabel fs mounted on a directory below this.
> > > .B \-n
> > > don't change any file labels (passive check).
> > > .TP
> > > -.B \-o filename
> > > +.BI \-o \ filename
> > > Deprecated, SELinux policy will probably block this access. Use
> > > shell redirection to save list of files with incorrect context in
> > > filename.
> > > .TP
> > > .B \-p
> > > @@ -84,15 +122,18 @@ options are mutually exclusive.
> > > .B \-q
> > > Deprecated, was only used to stop printing inode association
> > > parameters.
> > > .TP
> > > -.B \-r rootpath
> > > +.BI \-r \ rootpath
> > > use an alternate root path. Used in meta-selinux for
> > > OpenEmbedded/Yocto builds
> > > to label files under
> > > -.B rootpath
> > > -as if they were at /
> > > +.I rootpath
> > > +as if they were at
> > > +.B /
> > > .TP
> > > .B \-s
> > > take a list of files from standard input instead of using a
> > > pathname from the
> > > -command line (equivalent to \-f \-).
> > > +command line (equivalent to
> > > +.RB \*(lq "\-f \-" \*(rq
> > > +).
> > > .TP
> > > .B \-v
> > > show changes in file labels and output any inode association
> > > parameters.
> > > @@ -120,26 +161,43 @@ option of GNU
> > > produces input suitable for this mode.
> > >
> > > .SH "ARGUMENTS"
> > > -.B spec_file
> > > -The specification file which contains lines of the following
> > > form
> > > -.br
> > > -.B regexp [ \-type ] ( context | <<none>> )
> > > -.br
> > > -The regular expression is anchored at both ends. The optional
> > > type field
> > > -specifies the file type as shown in the mode field by the
> > > -.B ls(1)
> > > -program, e.g. \-\- to match only regular files or \-d to match
> > > only
> > > -directories. The context can be an ordinary security context or
> > > the
> > > -string <<none>> to specify that the file is not to have its
> > > context
> > > +.TP
> > > +.I spec_file
> > > +The specification file which contains lines of the following
> > > form:
> > > +.sp
> > > +.RS
> > > +.I regexp
> > > +.RI [ type ]
> > > +.IR context \ |
> > > +.B <<none>>
> > > +.RS
> > > +The regular expression is anchored at both ends. The optional
> > > +.I type
> > > +field specifies the file type as shown in the mode field by the
> > > +.BR ls (1)
> > > +program, e.g.
> > > +.B \-\-
> > > +to match only regular files or
> > > +.B \-d
> > > +to match only
> > > +directories. The
> > > +.I context
> > > +can be an ordinary security context or the
> > > +string
> > > +.B <<none>>
> > > +to specify that the file is not to have its context
> > > changed.
> > > .br
> > > The last matching specification is used. If there are multiple
> > > hard
> > > links to a file that match different specifications and those
> > > specifications indicate different security contexts, then a
> > > warning is
> > > displayed but the file is still labeled based on the last
> > > matching
> > > -specification other than <<none>>.
> > > +specification other than
> > > +.BR <<none>> \|.
> > > +.RE
> > > +.RE
> > > .TP
> > > -.B pathname...
> > > +.IR pathname \ ...
> > > The pathname for the root directory of each file system to be
> > > relabeled
> > > or a specific directory within a filesystem that should be
> > > recursively
> > > descended and relabeled or the pathname of a file that should be
> > > @@ -156,7 +214,7 @@ option is used.
> > > follows symbolic links and operates recursively on directories.
> > > .IP "2." 4
> > > If the
> > > -.B pathname
> > > +.I pathname
> > > specifies the root directory and the
> > > .B \-v
> > > option is set and the audit system is running, then an audit
> > > event is
> > > @@ -171,15 +229,15 @@ will write an SHA1 digest of the
> > > set to an extended attribute named
> > > .IR security.restorecon_last
> > > to the directory specified in each
> > > -.B pathname...
> > > +.IR pathname \ ...
> > > once the relabeling has been completed successfully. This digest
> > > will be
> > > checked should
> > > .B setfiles
> > > be rerun
> > > with the same
> > > -.B spec_file
> > > +.I spec_file
> > > and
> > > -.B pathname
> > > +.I pathname
> > > parameters. See
> > > .BR selinux_restorecon (3)
> > > for further details.
> > > @@ -187,7 +245,7 @@ for further details.
> > > The
> > > .B \-I
> > > option will ignore the SHA1 digest from each directory specified
> > > in
> > > -.B pathname...
> > > +.IR pathname \ ...
> > > and provided the
> > > .B \-n
> > > option is NOT set, files will be relabeled as required with the
> > > digest then
> > > diff --git a/policycoreutils/setfiles/setfiles.c
> > > b/policycoreutils/setfiles/setfiles.c
> > > index b700228..520866e 100644
> > > --- a/policycoreutils/setfiles/setfiles.c
> > > +++ b/policycoreutils/setfiles/setfiles.c
> > > @@ -17,6 +17,7 @@
> > > static char *policyfile;
> > > static int warn_no_match;
> > > static int null_terminated;
> > > +static int request_digest;
> > > static struct restore_opts r_opts;
> > > static int nerr;
> > >
> > > @@ -42,14 +43,14 @@ void usage(const char *const name)
> > > {
> > > if (iamrestorecon) {
> > > fprintf(stderr,
> > > - "usage: %s [-iIFmnprRv0] [-e
> > > excludedir] pathname...\n"
> > > - "usage: %s [-iIFmnprRv0] [-e
> > > excludedir] -f filename\n",
> > > + "usage: %s [-iIDFmnprRv0] [-e
> > > excludedir] pathname...\n"
> > > + "usage: %s [-iIDFmnprRv0] [-e
> > > excludedir] -f filename\n",
> > > name, name);
> > > } else {
> > > fprintf(stderr,
> > > - "usage: %s [-diIlmnpqvFW] [-e
> > > excludedir] [-r alt_root_path] spec_file pathname...\n"
> > > - "usage: %s [-diIlmnpqvFW] [-e
> > > excludedir] [-r alt_root_path] spec_file -f filename\n"
> > > - "usage: %s -s [-diIlmnpqvFW]
> > > spec_file\n"
> > > + "usage: %s [-diIDlmnpqvFW] [-e
> > > excludedir] [-r alt_root_path] spec_file pathname...\n"
> > > + "usage: %s [-diIDlmnpqvFW] [-e
> > > excludedir] [-r alt_root_path] spec_file -f filename\n"
> > > + "usage: %s -s [-diIDlmnpqvFW]
> > > spec_file\n"
> > > "usage: %s -c policyfile spec_file\n",
> > > name, name, name, name);
> > > }
> > > @@ -147,8 +148,8 @@ int main(int argc, char **argv)
> > > size_t buf_len;
> > > const char *base;
> > > int mass_relabel = 0, errors = 0;
> > > - const char *ropts = "e:f:hiIlmno:pqrsvFRW0";
> > > - const char *sopts = "c:de:f:hiIlmno:pqr:svFR:W0";
> > > + const char *ropts = "e:f:hiIDlmno:pqrsvFRW0";
> > > + const char *sopts = "c:de:f:hiIDlmno:pqr:svFR:W0";
> > > const char *opts;
> > >
> > > /* Initialize variables */
> > > @@ -156,6 +157,7 @@ int main(int argc, char **argv)
> > > altpath = NULL;
> > > null_terminated = 0;
> > > warn_no_match = 0;
> > > + request_digest = 1;
> > > policyfile = NULL;
> > > nerr = 0;
> > >
> > > @@ -278,6 +280,12 @@ int main(int argc, char **argv)
> > > r_opts.ignore_digest =
> > > SELINUX_RESTORECON_IG
> > > NORE_DIGEST;
> > > break;
> > > + case 'D': /*
> > > + * Don't request file_contexts digest
> > > in selabel_open
> > > + * This will effectively disable usage
> > > of the
> > > + * security.restorecon_last extended
> > > attribute.
> > > + */
> > > + request_digest = 0;
> > > case 'l':
> > > r_opts.syslog_changes =
> > > SELINUX_RESTORECON_SY
> > > SLOG_CHANGES;
> > > @@ -409,9 +417,9 @@ int main(int argc, char **argv)
> > > } else if (argc == 1)
> > > usage(argv[0]);
> > >
> > > - /* Set selabel_open options. Always request a digest. */
> > > + /* Set selabel_open options. */
> > > r_opts.selabel_opt_validate = (ctx_validate ? (char *)1
> > > : NULL);
> > > - r_opts.selabel_opt_digest = (char *)1;
> > > + r_opts.selabel_opt_digest = (request_digest ? (char *)1
> > > : NULL);
> > > r_opts.selabel_opt_path = altpath;
> > >
> > > if (nerr)
> > >
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@xxxxxxxxxxxxx
> > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> > To get help, send an email containing "help" to Selinux-request@tyc
> > ho.nsa.gov.
> >
>
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
