On Fri, May 15, 2020 at 10:08 PM Peter Whittaker <pww@xxxxxxxxxxxx> wrote:
> Folks, the following patch adds a -x option to restorecon to prevent
> it from crossing filesystem boundaries, as requested in
> https://github.com/SELinuxProject/selinux/issues/208.
>
> As per Stephen Smalley's suggestion, this is accomplished using
> r_opts.xdev = SELINUX_RESTORECON_XDEV;
>
> Please do let me know if there are any errors in this, it's been over
> two decades since I've lurked in majordomo lists and about as long
> since I've contributed a patch via email. (In particular, I am having
> issues with sending plaintext, so spaces in the patch are munged; any
> pointers on correcting that in the gmail web client would be more than
> welcome.)
>
> Thanks,
>
> P
>
> Peter Whittaker
> EdgeKeep Inc.
> www.edgekeep.com
> +1 613 864 5337
> +1 613 864 KEEP
>
> From: Peter Whittaker <pww@xxxxxxxxxxxx>
>
> As per #208, add the option -x to prevent restorecon from crossing file
> system boundaries, by setting SELINUX_RESTORECON_XDEV iff
> iamrestorecon. If setfiles, call usage().
>
> Signed-off-by: Peter Whittaker <pww@xxxxxxxxxxxx>
>
> From 3a1c4a3e94f18bb240f663fb5fbcff77068e5c4a Mon Sep 17 00:00:00 2001
> From: Peter Whittaker <pww@xxxxxxxxxxxx>
> Date: Fri, 15 May 2020 13:05:27 -0400
> Subject: [PATCH] Add restorecon -x to not cross FS boundaries
>
> As per #208, add the option -x to prevent restorecon from crossing file
> system boundaries, by setting SELINUX_RESTORECON_XDEV iff
> iamrestorecon. If setfiles, call usage().

Since you are adding a new option, please also update the man page
(policycoreutils/setfiles/restorecon.8).

> ---
> policycoreutils/setfiles/setfiles.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/policycoreutils/setfiles/setfiles.c
> b/policycoreutils/setfiles/setfiles.c
> index 16bd592ca..2d0224bb6 100644
> --- a/policycoreutils/setfiles/setfiles.c
> +++ b/policycoreutils/setfiles/setfiles.c
> @@ -43,8 +43,8 @@ static __attribute__((__noreturn__)) void
> usage(const char *const name)
> {
> if (iamrestorecon) {
> fprintf(stderr,
> - "usage: %s [-iIDFmnprRv0] [-e excludedir] pathname...\n"
> - "usage: %s [-iIDFmnprRv0] [-e excludedir] -f filename\n",
> + "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n"
> + "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n",
> name, name);
> } else {
> fprintf(stderr,
> @@ -386,6 +386,13 @@ int main(int argc, char **argv)
> case '0':
> null_terminated = 1;
> break;
> + case 'x':
> + if (iamrestorecon) {
> + r_opts.xdev = SELINUX_RESTORECON_XDEV;
> + } else {
> + usage(argv[0]);
> + }
> + break;
> case 'h':
> case '?':
> usage(argv[0]);
> --
>
--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
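Review bot: the new `case 'x':` in the main() hunk (@@ -386,6 +386,13 @@) is only reached if getopt() returns 'x', which requires adding `x` to the option string passed to getopt(), and no such change is part of this patch: the diffstat reports 9 insertions and 2 deletions, all accounted for by the two replaced usage lines and the seven added lines of this hunk. As posted, `restorecon -x` would be reported as an unknown option and land in the existing `case '?':`, which calls usage(). Please add `x` to the getopt option string in the same change so the new case is reachable.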