On 09/30/2016 11:00 AM, Richard Haines wrote:
> On Fri, 2016-09-30 at 10:53 -0400, Stephen Smalley wrote:
>> On 09/30/2016 10:44 AM, Stephen Smalley wrote:
>>>
>>> On 09/25/2016 10:49 AM, Richard Haines wrote:
>>>>
>>>> Add -D option to setfiles and restorecon - Do not set or update
>>>> directory SHA1 digests when relabeling files. This will allow
>>>> users the option of not using the "security.restorecon_last"
>>>> extended attribute feature.
>>>>
>>>> Also review and update the man pages.
>>>
>>> I think we need to flip the default here. Rationale:
>>> 1) Users often use restorecon to fix labels on files whose labels are
>>> wrong even though nothing has changed in file_contexts, e.g. after
>>> copying/moving files to a different location. They won't expect
>>> restorecon to suddenly stop relabeling by default because the hash of
>>> file_contexts hasn't changed.
>>>
>>> 2) Only processes running with CAP_SYS_ADMIN can set
>>> security.restorecon_last, so this will fail for non-root users anyway.
>>>
>>> Any objection?
>
> None - will you do the patch or shall I (would send sometime over
> weekend)

I'll do it.

>>
>> I guess (2) means that (1) won't be a problem for non-root users, since
>> the attribute won't ever be set. But typical instructions for fixing
>> labels on files copied manually to /var/www are restorecon -R /var/www,
>> and now we'll get this:
>> # restorecon -R /var/www
>> # restorecon -R /var/www
>> Skipping restorecon as matching digest on: /var/www
>>
>> With no hint to the user on how to force it to happen.
>>
>>>
>>>
>>>>
>>>>
>>>> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
>>>> ---
>>>> policycoreutils/setfiles/restorecon.8 | 76 ++++++++++++++++-----
>>>> policycoreutils/setfiles/setfiles.8 | 122 +++++++++++++++++++++++++---------
>>>> policycoreutils/setfiles/setfiles.c | 26 +++++---
>>>> 3 files changed, 167 insertions(+), 57 deletions(-)
>>>> >>>> diff --git a/policycoreutils/setfiles/restorecon.8 >>>> b/policycoreutils/setfiles/restorecon.8 >>>> index 4851f0f..f996467 100644 >>>> --- a/policycoreutils/setfiles/restorecon.8 >>>> +++ b/policycoreutils/setfiles/restorecon.8 >>>> @@ -4,10 +4,33 @@ restorecon \- restore file(s) default SELinux >>>> security contexts. >>>> >>>> .SH "SYNOPSIS" >>>> .B restorecon >>>> -.I [\-R] [\-m] [\-n] [\-p] [\-v] [\-I] [\-e directory] >>>> pathname... >>>> +.RB [ \-r | \-R ] >>>> +.RB [ \-m ] >>>> +.RB [ \-n ] >>>> +.RB [ \-p ] >>>> +.RB [ \-v ] >>>> +.RB [ \-i ] >>>> +.RB [ \-F ] >>>> +.RB [ \-W ] >>>> +.RB [ \-I | \-D ] >>>> +.RB [ \-e >>>> +.IR directory ] >>>> +.IR pathname \ ... >>>> .P >>>> .B restorecon >>>> -.I \-f infilename [\-e directory] [\-R] [\-m] [\-n] [\-p] [\-v] >>>> [\-F] [\-I] >>>> +.RB [ \-f >>>> +.IR infilename ] >>>> +.RB [ \-e >>>> +.IR directory ] >>>> +.RB [ \-r | \-R ] >>>> +.RB [ \-m ] >>>> +.RB [ \-n ] >>>> +.RB [ \-p ] >>>> +.RB [ \-v ] >>>> +.RB [ \-i ] >>>> +.RB [ \-F ] >>>> +.RB [ \-W ] >>>> +.RB [ \-I | \-D ] >>>> >>>> .SH "DESCRIPTION" >>>> This manual page describes the 
>>>> @@ -18,14 +41,22 @@ This program is primarily used to set the >>>> security context >>>> (extended attributes) on one or more files. >>>> .P >>>> It can also be run at any other time to correct inconsistent >>>> labels, to add >>>> -support for newly-installed policy or, by using the \-n option, >>>> to passively >>>> +support for newly-installed policy or, by using the >>>> +.B \-n >>>> +option, to passively >>>> check whether the file contexts are all set as specified by the >>>> active policy >>>> (default behavior). >>>> .P >>>> -If a file object does not have a context, restorecon will write >>>> the default >>>> +If a file object does not have a context, >>>> +.B restorecon >>>> +will write the default >>>> context to the file object's extended attributes. If a file >>>> object has a >>>> -context, restorecon will only modify the type portion of the >>>> security context. >>>> -The \-F option will force a replacement of the entire context. >>>> +context, >>>> +.B restorecon >>>> +will only modify the type portion of the security context. >>>> +The >>>> +.B \-F >>>> +option will force a replacement of the entire context. >>>> .P >>>> It is the same executable as >>>> .BR setfiles >>>> @@ -33,11 +64,15 @@ but operates in a slightly different manner >>>> depending on its argv[0]. >>>> >>>> .SH "OPTIONS" >>>> .TP >>>> -.B \-e directory >>>> +.BI \-e \ directory >>>> exclude a directory (repeat the option to exclude more than one >>>> directory, Requires full path). >>>> .TP >>>> -.B \-f infilename >>>> -infilename contains a list of files to be processed. Use \- for >>>> stdin. >>>> +.BI \-f \ infilename >>>> +.I infilename >>>> +contains a list of files to be processed. Use >>>> +.RB \*(lq \- \*(rq >>>> +for >>>> +.BR stdin . >>>> .TP >>>> .B \-F >>>> Force reset of context to match file_context for customizable >>>> files, and the 
>>>> @@ -56,6 +91,14 @@ there are no errors. See the >>>> .B NOTES >>>> section for further details. >>>> .TP >>>> +.B \-D >>>> +do not set or update any directory SHA1 digests. Use this option >>>> to >>>> +effectively disable usage of the >>>> +.IR security.restorecon_last >>>> +extended attribute. Note that using this option will override >>>> the >>>> +.B \-I >>>> +option. >>>> +.TP >>>> .B \-m >>>> do not read >>>> .B /proc/mounts >>>> @@ -64,9 +107,10 @@ Setting this option is useful where there is >>>> a non-seclabel fs mounted with a >>>> seclabel fs mounted on a directory below this. >>>> .TP >>>> .B \-n >>>> -don't change any file labels (passive check). To display the >>>> files whose labels would be changed, add \-v. >>>> +don't change any file labels (passive check). To display the >>>> files whose labels would be changed, add >>>> +.BR \-v . >>>> .TP >>>> -.B \-o outfilename >>>> +.BI \-o \ outfilename >>>> Deprecated, SELinux policy will probably block this access. Use >>>> shell redirection to save list of files with incorrect context in >>>> filename. >>>> .TP >>>> .B \-p >>>> @@ -106,7 +150,7 @@ option of GNU >>>> produces input suitable for this mode. >>>> .TP >>>> .SH "ARGUMENTS" >>>> -.B pathname... >>>> +.IR pathname \ ... >>>> The pathname for the file(s) to be relabeled. >>>> .SH "NOTES" >>>> .IP "1." 4 >>>> @@ -115,7 +159,7 @@ does not follow symbolic links and by default >>>> it does not >>>> operate recursively on directories. >>>> .IP "2." 4 >>>> If the >>>> -.B pathname >>>> +.I pathname >>>> specifies the root directory and the >>>> .B \-vR >>>> or 
>>>> @@ -135,12 +179,12 @@ will write an SHA1 digest of the default >>>> specfiles set to an extended >>>> attribute named >>>> .IR security.restorecon_last >>>> to the directory specified in each >>>> -.B pathname... >>>> +.IR pathname \ ... >>>> once the relabeling has been completed successfully. This digest >>>> will be >>>> checked should >>>> .B restorecon >>>> be rerun with the same >>>> -.B pathname >>>> +.I pathname >>>> parameters. See >>>> .BR selinux_restorecon (3) >>>> for further details. >>>> @@ -148,7 +192,7 @@ for further details. >>>> The >>>> .B \-I >>>> option will ignore the SHA1 digest from each directory specified >>>> in >>>> -.B pathname... >>>> +.IR pathname \ ... >>>> and provided the >>>> .B \-n >>>> option is NOT set and recursive mode is set, files will be >>>> relabeled as >>>> diff --git a/policycoreutils/setfiles/setfiles.8 >>>> b/policycoreutils/setfiles/setfiles.8 >>>> index 35e38b2..11bc335 100644 >>>> --- a/policycoreutils/setfiles/setfiles.8 >>>> +++ b/policycoreutils/setfiles/setfiles.8 >>>> @@ -4,7 +4,23 @@ setfiles \- set SELinux file security contexts. >>>> >>>> .SH "SYNOPSIS" >>>> .B setfiles >>>> -.I [\-c policy] [\-d] [\-l] [\-m] [\-n] [\-e directory] [\-o >>>> filename] [\-p] [\-q] [\-s] [\-v] [\-W] [\-F] [\-I] spec_file >>>> pathname... >>>> +.RB [ \-c >>>> +.IR policy ] >>>> +.RB [ \-d ] >>>> +.RB [ \-l ] >>>> +.RB [ \-m ] >>>> +.RB [ \-n ] >>>> +.RB [ \-e >>>> +.IR directory ] >>>> +.RB [ \-p ] >>>> +.RB [ \-s ] >>>> +.RB [ \-v ] >>>> +.RB [ \-W ] >>>> +.RB [ \-F ] >>>> +.RB [ \-I | \-D ] >>>> +.I spec_file >>>> +.IR pathname \ ... >>>> + >>>> .SH "DESCRIPTION" >>>> This manual page describes the >>>> .BR setfiles 
>>>> @@ -16,14 +32,24 @@ them). Usually it is initially run as part >>>> of the SELinux installation >>>> process (a step commonly known as labeling). >>>> .P >>>> It can also be run at any other time to correct inconsistent >>>> labels, to add >>>> -support for newly-installed policy or, by using the \-n option, >>>> to passively >>>> +support for newly-installed policy or, by using the >>>> +.B \-n >>>> +option, to passively >>>> check whether the file contexts are all set as specified by the >>>> active policy >>>> -(default behavior) or by some other policy (see the \-c option). >>>> +(default behavior) or by some other policy (see the >>>> +.B \-c >>>> +option). >>>> .P >>>> -If a file object does not have a context, setfiles will write >>>> the default >>>> +If a file object does not have a context, >>>> +.B setfiles >>>> +will write the default >>>> context to the file object's extended attributes. If a file >>>> object has a >>>> -context, setfiles will only modify the type portion of the >>>> security context. >>>> -The \-F option will force a replacement of the entire context. >>>> +context, >>>> +.B setfiles >>>> +will only modify the type portion of the security context. >>>> +The >>>> +.B \-F >>>> +option will force a replacement of the entire context. >>>> .SH "OPTIONS" >>>> .TP >>>> .B \-c 
>>>> @@ -33,11 +59,15 @@ check the validity of the contexts against >>>> the specified binary policy. >>>> show what specification matched each file (do not abort >>>> validation >>>> after ABORT_ON_ERRORS errors). >>>> .TP >>>> -.B \-e directory >>>> +.BI \-e \ directory >>>> directory to exclude (repeat option for more than one >>>> directory). >>>> .TP >>>> -.B \-f >>>> -take a list of files to be processed from an input file. >>>> +.BI \-f \ infilename >>>> +.I infilename >>>> +contains a list of files to be processed. Use >>>> +.RB \*(lq \- \*(rq >>>> +for >>>> +.BR stdin . >>>> .TP >>>> .B \-F >>>> Force reset of context to match file_context for customizable >>>> files, and the >>>> @@ -57,6 +87,14 @@ there are no errors. See the >>>> .B NOTES >>>> section for further details. >>>> .TP >>>> +.B \-D >>>> +do not set or update any directory SHA1 digests. Use this option >>>> to >>>> +effectively disable usage of the >>>> +.IR security.restorecon_last >>>> +extended attribute. Note that using this option will override >>>> the >>>> +.B \-I >>>> +option. >>>> +.TP >>>> .B \-l >>>> log changes in file labels to syslog. >>>> .TP >>>> @@ -70,7 +108,7 @@ seclabel fs mounted on a directory below this. >>>> .B \-n >>>> don't change any file labels (passive check). >>>> .TP >>>> -.B \-o filename >>>> +.BI \-o \ filename >>>> Deprecated, SELinux policy will probably block this access. Use >>>> shell redirection to save list of files with incorrect context in >>>> filename. >>>> .TP >>>> .B \-p 
>>>> @@ -84,15 +122,18 @@ options are mutually exclusive. >>>> .B \-q >>>> Deprecated, was only used to stop printing inode association >>>> parameters. >>>> .TP >>>> -.B \-r rootpath >>>> +.BI \-r \ rootpath >>>> use an alternate root path. Used in meta-selinux for >>>> OpenEmbedded/Yocto builds >>>> to label files under >>>> -.B rootpath >>>> -as if they were at / >>>> +.I rootpath >>>> +as if they were at >>>> +.B / >>>> .TP >>>> .B \-s >>>> take a list of files from standard input instead of using a >>>> pathname from the >>>> -command line (equivalent to \-f \-). >>>> +command line (equivalent to >>>> +.RB \*(lq "\-f \-" \*(rq >>>> +). >>>> .TP >>>> .B \-v >>>> show changes in file labels and output any inode association >>>> parameters. 
>>>> @@ -120,26 +161,43 @@ option of GNU >>>> produces input suitable for this mode. >>>> >>>> .SH "ARGUMENTS" >>>> -.B spec_file >>>> -The specification file which contains lines of the following >>>> form >>>> -.br >>>> -.B regexp [ \-type ] ( context | <<none>> ) >>>> -.br >>>> -The regular expression is anchored at both ends. The optional >>>> type field >>>> -specifies the file type as shown in the mode field by the >>>> -.B ls(1) >>>> -program, e.g. \-\- to match only regular files or \-d to match >>>> only >>>> -directories. The context can be an ordinary security context or >>>> the >>>> -string <<none>> to specify that the file is not to have its >>>> context >>>> +.TP >>>> +.I spec_file >>>> +The specification file which contains lines of the following >>>> form: >>>> +.sp >>>> +.RS >>>> +.I regexp >>>> +.RI [ type ] >>>> +.IR context \ | >>>> +.B <<none>> >>>> +.RS >>>> +The regular expression is anchored at both ends. The optional >>>> +.I type >>>> +field specifies the file type as shown in the mode field by the >>>> +.BR ls (1) >>>> +program, e.g. >>>> +.B \-\- >>>> +to match only regular files or >>>> +.B \-d >>>> +to match only >>>> +directories. The >>>> +.I context >>>> +can be an ordinary security context or the >>>> +string >>>> +.B <<none>> >>>> +to specify that the file is not to have its context >>>> changed. >>>> .br >>>> The last matching specification is used. If there are multiple >>>> hard >>>> links to a file that match different specifications and those >>>> specifications indicate different security contexts, then a >>>> warning is >>>> displayed but the file is still labeled based on the last >>>> matching >>>> -specification other than <<none>>. >>>> +specification other than >>>> +.BR <<none>> \|. >>>> +.RE >>>> +.RE >>>> .TP >>>> -.B pathname... >>>> +.IR pathname \ ... 
>>>> The pathname for the root directory of each file system to be >>>> relabeled >>>> or a specific directory within a filesystem that should be >>>> recursively >>>> descended and relabeled or the pathname of a file that should be >>>> @@ -156,7 +214,7 @@ option is used. >>>> follows symbolic links and operates recursively on directories. >>>> .IP "2." 4 >>>> If the >>>> -.B pathname >>>> +.I pathname >>>> specifies the root directory and the >>>> .B \-v >>>> option is set and the audit system is running, then an audit >>>> event is >>>> @@ -171,15 +229,15 @@ will write an SHA1 digest of the >>>> set to an extended attribute named >>>> .IR security.restorecon_last >>>> to the directory specified in each >>>> -.B pathname... >>>> +.IR pathname \ ... >>>> once the relabeling has been completed successfully. This digest >>>> will be >>>> checked should >>>> .B setfiles >>>> be rerun >>>> with the same >>>> -.B spec_file >>>> +.I spec_file >>>> and >>>> -.B pathname >>>> +.I pathname >>>> parameters. See >>>> .BR selinux_restorecon (3) >>>> for further details. >>>> @@ -187,7 +245,7 @@ for further details. >>>> The >>>> .B \-I >>>> option will ignore the SHA1 digest from each directory specified >>>> in >>>> -.B pathname... >>>> +.IR pathname \ ... >>>> and provided the >>>> .B \-n >>>> option is NOT set, files will be relabeled as required with the >>>> digest then >>>> diff --git a/policycoreutils/setfiles/setfiles.c >>>> b/policycoreutils/setfiles/setfiles.c >>>> index b700228..520866e 100644 >>>> --- a/policycoreutils/setfiles/setfiles.c >>>> +++ b/policycoreutils/setfiles/setfiles.c >>>> @@ -17,6 +17,7 @@ >>>> static char *policyfile; >>>> static int warn_no_match; >>>> static int null_terminated; >>>> +static int request_digest; >>>> static struct restore_opts r_opts; >>>> static int nerr; 
>>>> >>>> @@ -42,14 +43,14 @@ void usage(const char *const name) >>>> { >>>> if (iamrestorecon) { >>>> fprintf(stderr, >>>> - "usage: %s [-iIFmnprRv0] [-e >>>> excludedir] pathname...\n" >>>> - "usage: %s [-iIFmnprRv0] [-e >>>> excludedir] -f filename\n", >>>> + "usage: %s [-iIDFmnprRv0] [-e >>>> excludedir] pathname...\n" >>>> + "usage: %s [-iIDFmnprRv0] [-e >>>> excludedir] -f filename\n", >>>> name, name); >>>> } else { >>>> fprintf(stderr, >>>> - "usage: %s [-diIlmnpqvFW] [-e >>>> excludedir] [-r alt_root_path] spec_file pathname...\n" >>>> - "usage: %s [-diIlmnpqvFW] [-e >>>> excludedir] [-r alt_root_path] spec_file -f filename\n" >>>> - "usage: %s -s [-diIlmnpqvFW] >>>> spec_file\n" >>>> + "usage: %s [-diIDlmnpqvFW] [-e >>>> excludedir] [-r alt_root_path] spec_file pathname...\n" >>>> + "usage: %s [-diIDlmnpqvFW] [-e >>>> excludedir] [-r alt_root_path] spec_file -f filename\n" >>>> + "usage: %s -s [-diIDlmnpqvFW] >>>> spec_file\n" >>>> "usage: %s -c policyfile spec_file\n", >>>> name, name, name, name); >>>> } >>>> @@ -147,8 +148,8 @@ int main(int argc, char **argv) >>>> size_t buf_len; >>>> const char *base; >>>> int mass_relabel = 0, errors = 0; >>>> - const char *ropts = "e:f:hiIlmno:pqrsvFRW0"; >>>> - const char *sopts = "c:de:f:hiIlmno:pqr:svFR:W0"; >>>> + const char *ropts = "e:f:hiIDlmno:pqrsvFRW0"; >>>> + const char *sopts = "c:de:f:hiIDlmno:pqr:svFR:W0"; >>>> const char *opts; >>>> >>>> /* Initialize variables */ >>>> @@ -156,6 +157,7 @@ int main(int argc, char **argv) >>>> altpath = NULL; >>>> null_terminated = 0; >>>> warn_no_match = 0; >>>> + request_digest = 1; >>>> policyfile = NULL; >>>> nerr = 0; 
>>>> >>>> @@ -278,6 +280,12 @@ int main(int argc, char **argv) >>>> r_opts.ignore_digest = >>>> SELINUX_RESTORECON_IG >>>> NORE_DIGEST; >>>> break; >>>> + case 'D': /* >>>> + * Don't request file_contexts digest >>>> in selabel_open >>>> + * This will effectively disable usage >>>> of the >>>> + * security.restorecon_last extended >>>> attribute. >>>> + */ >>>> + request_digest = 0; >>>> case 'l': >>>> r_opts.syslog_changes = >>>> SELINUX_RESTORECON_SY >>>> SLOG_CHANGES; >>>> @@ -409,9 +417,9 @@ int main(int argc, char **argv) >>>> } else if (argc == 1) >>>> usage(argv[0]); >>>> >>>> - /* Set selabel_open options. Always request a digest. */ >>>> + /* Set selabel_open options. */ >>>> r_opts.selabel_opt_validate = (ctx_validate ? (char *)1 >>>> : NULL); >>>> - r_opts.selabel_opt_digest = (char *)1; >>>> + r_opts.selabel_opt_digest = (request_digest ? (char *)1 >>>> : NULL); >>>> r_opts.selabel_opt_path = altpath; >>>> >>>> if (nerr) >>>> >>> >>> _______________________________________________ >>> Selinux mailing list >>> Selinux@xxxxxxxxxxxxx >>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. >>> To get help, send an email containing "help" to Selinux-request@tyc >>> ho.nsa.gov. >>> >> >
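Review bot: The `case 'D':` arm in the `@@ -278,6 +280,12 @@` hunk of setfiles.c has no `break;` after `request_digest = 0;`, so control falls through into `case 'l':` and `-D` silently also sets `r_opts.syslog_changes = SELINUX_RESTORECON_SYSLOG_CHANGES`. Add a `break;` after the assignment so that `-D` only disables the digest request.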
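Review bot: The synopsis hunks in restorecon.8 and setfiles.8 list `.RB [ \-I | \-D ]` as alternatives, but the getopt strings `e:f:hiIDlmno:pqrsvFRW0` / `c:de:f:hiIDlmno:pqr:svFR:W0` and the usage lines `[-iIDFmnprRv0]` accept both flags together and nothing in the option loop rejects the combination; the OPTIONS text instead says `-D` "will override" `-I`. Pick one: either call `usage()` when both are given, or drop the `|` and document them as independent options so the synopsis matches what the parser actually does.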
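Review bot: The new setfiles.8 synopsis (`@@ -4,7 +4,23 @@`) drops `[\-o filename]` and `[\-q]`, which the old one-line synopsis listed, while the OPTIONS section in the same patch still documents `.BI \-o \ filename` and `.B \-q` (as deprecated) and the `sopts` string still accepts `o:` and `q`; it also still omits `-r rootpath`, which is documented under OPTIONS as `.BI \-r \ rootpath` and shown in the usage string as `[-r alt_root_path]`. Either keep the deprecated options in the synopsis or mention their removal in the commit message, and add `.RB [ \-r` / `.IR rootpath ]` so the synopsis covers every accepted option.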
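Review bot: In the restorecon.8 synopsis hunk (`@@ -4,10 +4,33 @@`) the second form brackets `-f infilename` as optional (`.RB [ \-f` / `.IR infilename ]`) and lists no pathname, so as rendered that form has no required argument at all; the old line `.I \-f infilename [\-e directory] ...` showed `-f` as mandatory there. Use `.BI \-f \ infilename` without brackets for that form.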
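Review bot: In the setfiles.8 ARGUMENTS hunk (`@@ -120,26 +161,43 @@`) the format line `.RI [ type ]` loses the leading hyphen that the old `[ \-type ]` showed, while the examples that follow (`\-\-`, `\-d`) still carry it; `.RI [ \-type ]` keeps the two consistent. The explanation is also opened with a second nested `.RS` directly after the format line (matched by the two trailing `.RE`), which indents the paragraph one level deeper than the format line itself; a `.P` or `.sp` between the format line and the paragraph is probably what was intended.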