Remove util/selinux_restorecon.c and tidy up.
This is removed as the functionality is now in policycoreutils/setfiles.
Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
 libselinux/utils/.gitignore | 1 -
 libselinux/utils/Makefile | 2 -
 libselinux/utils/selinux_restorecon.c | 299 ----------------------------------
 3 files changed, 302 deletions(-)
 delete mode 100644 libselinux/utils/selinux_restorecon.c
diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
index ed3bf0b..b4f9f78 100644
--- a/libselinux/utils/.gitignore
+++ b/libselinux/utils/.gitignore
@@ -19,7 +19,6 @@ selabel_lookup
 selabel_lookup_best_match
 selabel_partial_match
 selinux_check_securetty_context
-selinux_restorecon
 selinuxenabled
 selinuxexeccon
 setenforce
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index 995f444..5d61031 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -59,8 +59,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol sefcontext_compile: sefcontext_compile.o ../src/regex.o -selinux_restorecon: LDLIBS += -lsepol - all: $(TARGETS) install: all
diff --git a/libselinux/utils/selinux_restorecon.c b/libselinux/utils/selinux_restorecon.c
deleted file mode 100644
index 4d2b08f..0000000
--- a/libselinux/utils/selinux_restorecon.c
+++ /dev/null
@@ -1,299 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include <errno.h>
-#include <stdbool.h>
-#include <sepol/sepol.h>
-#include <selinux/label.h>
-#include <selinux/restorecon.h>
-
-static char *policyfile;
-
-static char **exclude_list;
-static int exclude_count;
-
-static int validate_context(char **contextp)
-{
- char *context = *contextp, *tmpcon;
-
- if (policyfile) {
- if (sepol_check_context(context) < 0) {
- fprintf(stderr, "Invalid context %s\n", context);
- exit(-1);
- }
- } else if (security_canonicalize_context_raw(context, &tmpcon) == 0) {
- free(context);
- *contextp = tmpcon;
- } else if (errno != ENOENT) {
- fprintf(stderr, "Validate context error: %s\n",
- strerror(errno));
- exit(-1);
- }
-
- return 0;
-}
-
-static __attribute__ ((__noreturn__)) void usage(const char *progname)
-{
- fprintf(stderr,
- "\nusage: %s [-FCnRrdmiIaAsl] [-e dir] [-v|-P]\n"
- "[-x alt_rootpath] [-p policy] [-f specfile] pathname ...\n"
- "\nWhere:\n\t"
- "-F Set the label to that in specfile.\n\t"
- " If not set then reset the \"type\" component of the "
- "label to that\n\t in the specfile.\n\t"
- "-C Check labels even if the stored SHA1 digest matches\n\t"
- " the specfiles SHA1 digest.\n\t"
- "-n Don't change any file labels (passive check).\n\t"
- "-R Recursively change file and directory labels.\n\t"
- "-v Show changes in file labels (-v and -P are mutually "
- " exclusive).\n\t"
- "-P Show progress by printing \"*\" to stdout every 1000 files"
- ",\n\t unless relabeling entire OS, then show percentage complete.\n\t"
- "-r Use realpath(3) to convert pathnames to canonical form.\n\t"
- "-d Prevent descending into directories that have a "
- "different\n\t device number than the pathname from which "
- "the descent began.\n\t"
- "-m Do not automatically read /proc/mounts to determine what\n\t"
- " non-seclabel mounts to exclude from relabeling.\n\t"
- "-e Exclude this directory (add multiple -e entries).\n\t"
- "-i Do not set SELABEL_OPT_DIGEST option when calling "
- " selabel_open(3).\n\t"
- "-I Ignore files that do not exist.\n\t"
- "-a Add an association between an inode and a context.\n\t"
- " If there is a different context that matched the inode,\n\t"
- " then use the first context that matched.\n\t"
- "-A Abort on errors during the file tree walk.\n\t"
- "-s Log any label changes to syslog(3).\n\t"
- "-l Log what specfile context matched each file.\n\t"
- "-x Set alternate rootpath.\n\t"
- "-p Optional binary policy file (also sets validate context "
- "option).\n\t"
- "-f Optional file contexts file.\n\t"
- "pathname One or more paths to relabel.\n\n",
- progname);
- exit(-1);
-}
-
-static void add_exclude(const char *directory)
-{
- char **tmp_list;
-
- if (directory == NULL || directory[0] != '/') {
- fprintf(stderr, "Full path required for exclude: %s.\n",
- directory);
- exit(-1);
- }
-
- /* Add another two entries, one for directory, and the other to
- * terminate the list */
- tmp_list = realloc(exclude_list, sizeof(char *) * (exclude_count + 2));
- if (!tmp_list) {
- fprintf(stderr, "ERROR: realloc failed.\n");
- exit(-1);
- }
- exclude_list = tmp_list;
-
- exclude_list[exclude_count] = strdup(directory);
- if (!exclude_list[exclude_count]) {
- fprintf(stderr, "ERROR: strdup failed.\n");
- exit(-1);
- }
- exclude_count++;
- exclude_list[exclude_count] = NULL;
-}
-
-int main(int argc, char **argv)
-{
- int opt, i;
- unsigned int restorecon_flags = 0;
- char *path = NULL, *digest = NULL, *validate = NULL;
- char *alt_rootpath = NULL;
- FILE *policystream;
- bool ignore_digest = false, require_selinux = true;
- bool verbose = false, progress = false;
-
- struct selabel_handle *hnd = NULL;
- struct selinux_opt selabel_option[] = {
- { SELABEL_OPT_PATH, path },
- { SELABEL_OPT_DIGEST, digest },
- { SELABEL_OPT_VALIDATE, validate }
- };
-
- if (argc < 2)
- usage(argv[0]);
-
- exclude_list = NULL;
- exclude_count = 0;
-
- while ((opt = getopt(argc, argv, "iIFCnRvPrdaAslme:f:p:x:")) > 0) {
- switch (opt) {
- case 'F':
- restorecon_flags |=
- SELINUX_RESTORECON_SET_SPECFILE_CTX;
- break;
- case 'C':
- restorecon_flags |=
- SELINUX_RESTORECON_IGNORE_DIGEST;
- break;
- case 'n':
- restorecon_flags |= SELINUX_RESTORECON_NOCHANGE;
- break;
- case 'R':
- restorecon_flags |= SELINUX_RESTORECON_RECURSE;
- break;
- case 'v':
- if (progress) {
- fprintf(stderr,
- "Progress and Verbose are mutually exclusive\n");
- exit(-1);
- }
- verbose = true;
- restorecon_flags |= SELINUX_RESTORECON_VERBOSE;
- break;
- case 'P':
- if (verbose) {
- fprintf(stderr,
- "Progress and Verbose are mutually exclusive\n");
- exit(-1);
- }
- progress = true;
- restorecon_flags |= SELINUX_RESTORECON_PROGRESS;
- break;
- case 'r':
- restorecon_flags |= SELINUX_RESTORECON_REALPATH;
- break;
- case 'd':
- restorecon_flags |= SELINUX_RESTORECON_XDEV;
- break;
- case 'm':
- restorecon_flags |= SELINUX_RESTORECON_IGNORE_MOUNTS;
- break;
- case 'e':
- add_exclude(optarg);
- break;
- case 'p':
- policyfile = optarg;
-
- policystream = fopen(policyfile, "r");
- if (!policystream) {
- fprintf(stderr,
- "ERROR: opening %s: %s\n",
- policyfile, strerror(errno));
- exit(-1);
- }
-
- if (sepol_set_policydb_from_file(policystream) < 0) {
- fprintf(stderr,
- "ERROR: reading policy %s: %s\n",
- policyfile, strerror(errno));
- exit(-1);
- }
- fclose(policystream);
-
- selinux_set_callback(SELINUX_CB_VALIDATE,
- (union selinux_callback)&validate_context);
- require_selinux = false;
- break;
- case 'f':
- path = optarg;
- break;
- case 'i':
- ignore_digest = true;
- break;
- case 'I':
- restorecon_flags |= SELINUX_RESTORECON_IGNORE_NOENTRY;
- break;
- case 'a':
- restorecon_flags |= SELINUX_RESTORECON_ADD_ASSOC;
- break;
- case 'A':
- restorecon_flags |= SELINUX_RESTORECON_ABORT_ON_ERROR;
- break;
- case 's':
- restorecon_flags |= SELINUX_RESTORECON_SYSLOG_CHANGES;
- break;
- case 'l':
- restorecon_flags |= SELINUX_RESTORECON_LOG_MATCHES;
- break;
- case 'x':
- alt_rootpath = optarg;
- break;
- default:
- usage(argv[0]);
- }
- }
-
- if (require_selinux && (is_selinux_enabled() <= 0)) {
- fprintf(stderr,
- "SELinux must be enabled to perform this operation.\n");
- exit(-1);
- }
-
- if (optind >= argc) {
- fprintf(stderr, "No pathname specified\n");
- exit(-1);
- }
-
- /* If any of these set then do our own selabel_open and pass
- * handle to selinux_restorecon */
- if (ignore_digest || path || policyfile) {
- if (path)
- selabel_option[0].value = path;
- else
- selabel_option[0].value = NULL;
-
- if (ignore_digest)
- selabel_option[1].value = NULL;
- else
- selabel_option[1].value = (char *)1;
-
- if (policyfile) /* Validate */
- selabel_option[2].value = (char *)1;
- else
- selabel_option[2].value = NULL;
-
- hnd = selabel_open(SELABEL_CTX_FILE, selabel_option, 3);
- if (!hnd) {
- switch (errno) {
- case EOVERFLOW:
- fprintf(stderr, "ERROR: Number of specfiles or"
- " specfile buffer caused an overflow.\n");
- break;
- default:
- fprintf(stderr, "ERROR: selabel_open: %s\n",
- strerror(errno));
- }
- exit(-1);
- }
- selinux_restorecon_set_sehandle(hnd);
- }
-
- if (exclude_list)
- selinux_restorecon_set_exclude_list
- ((const char **)exclude_list);
-
- if (alt_rootpath)
- selinux_restorecon_set_alt_rootpath(alt_rootpath);
-
- /* Call restorecon for each path in list */
- for (i = optind; i < argc; i++) {
- if (selinux_restorecon(argv[i], restorecon_flags) < 0) {
- fprintf(stderr, "ERROR: selinux_restorecon: %s\n",
- strerror(errno));
- exit(-1);
- }
- }
-
- if (exclude_list) {
- for (i = 0; exclude_list[i]; i++)
- free(exclude_list[i]);
- free(exclude_list);
- }
-
- if (hnd)
- selabel_close(hnd);
-
- return 0;
-}
-- 
2.9.3