Folks, the following patch adds a -x option to restorecon to prevent it from crossing filesystem boundaries, as requested in https://github.com/SELinuxProject/selinux/issues/208.

As per Stephen Smalley's suggestion, this is accomplished using r_opts.xdev = SELINUX_RESTORECON_XDEV;

Please do let me know if there are any errors in this; it's been over two decades since I've lurked in majordomo lists and about as long since I've contributed a patch via email. (In particular, I am having issues with sending plaintext, so spaces in the patch are munged; any pointers on correcting that in the Gmail web client would be more than welcome.)

Thanks,
P

Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP

From: Peter Whittaker <pww@xxxxxxxxxxxx>

As per #208, add the option -x to prevent restorecon from crossing file system boundaries, by setting SELINUX_RESTORECON_XDEV iff iamrestorecon. If setfiles, call usage().

Signed-off-by: Peter Whittaker <pww@xxxxxxxxxxxx>

From 3a1c4a3e94f18bb240f663fb5fbcff77068e5c4a Mon Sep 17 00:00:00 2001
From: Peter Whittaker <pww@xxxxxxxxxxxx>
Date: Fri, 15 May 2020 13:05:27 -0400
Subject: [PATCH] Add restorecon -x to not cross FS boundaries

As per #208, add the option -x to prevent restorecon from crossing file system boundaries, by setting SELINUX_RESTORECON_XDEV iff iamrestorecon. If setfiles, call usage().

---
 policycoreutils/setfiles/setfiles.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 16bd592ca..2d0224bb6 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -43,8 +43,8 @@ static __attribute__((__noreturn__)) void usage(const char *const name) { if (iamrestorecon) { fprintf(stderr, - "usage: %s [-iIDFmnprRv0] [-e excludedir] pathname...\n" - "usage: %s [-iIDFmnprRv0] [-e excludedir] -f filename\n", + "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n" + "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n", name, name); } else { fprintf(stderr, @@ -386,6 +386,13 @@ int main(int argc, char **argv) case '0': null_terminated = 1; break; + case 'x': + if (iamrestorecon) { + r_opts.xdev = SELINUX_RESTORECON_XDEV; + } else { + usage(argv[0]); + } + break; case 'h': case '?': usage(argv[0]); --
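Review bot: The usage() hunk (the two restorecon usage strings around line 43) now advertises -x, but the diffstat shows only setfiles.c touched, so the restorecon man page is not updated in this patch; please add an entry for -x there, noting that it is restorecon-only and that setfiles rejects it, so the documented option list matches the usage text.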
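Review bot: The new `case 'x':` in main() (second hunk, around line 386) is only reachable if 'x' is also present in the getopt() option string, and the diffstat (9 insertions, 2 deletions) is fully accounted for by the two hunks shown, so no optstring change is part of this patch. Unless 'x' is already in the restorecon optstring, getopt() will return '?' for -x and the existing `case '?':` path calls usage() before the new case is ever hit, in which case r_opts.xdev is never set; please confirm, or add 'x' to the optstring in the same patch. A minor style point: the neighbouring cases (e.g. `case '0': null_terminated = 1; break;`) do not brace single statements, so `if (iamrestorecon) r_opts.xdev = SELINUX_RESTORECON_XDEV; else usage(argv[0]);` without braces would match the surrounding code.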