I've got those changes standing by - I'll do a full clone, apply the changes I made online to my tree, and submit the pair using git send-mail. It'll be later this week, long weekend over, work getting in the way again....

P

Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP

On Tue, May 19, 2020 at 4:11 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> On Fri, May 15, 2020 at 10:08 PM Peter Whittaker <pww@xxxxxxxxxxxx> wrote:
> > Folks, the following patch adds a -x option to restorecon to prevent
> > it from crossing filesystem boundaries, as requested in
> > https://github.com/SELinuxProject/selinux/issues/208.
> >
> > As per Stephen Smalley's suggestion, this is accomplished using
> > r_opts.xdev = SELINUX_RESTORECON_XDEV;
> >
> > Please do let me know if there are any errors in this, it's been over
> > two decades since I've lurked in majordomo lists and about as long
> > since I've contributed a patch via email. (In particular, I am having
> > issues with sending plaintext, so spaces in the patch are munged; any
> > pointers on correcting that in the gmail web client would be more than
> > welcome.)
> >
> > Thanks,
> >
> > P
> >
> > Peter Whittaker
> > EdgeKeep Inc.
> > www.edgekeep.com
> > +1 613 864 5337
> > +1 613 864 KEEP
> >
> > From: Peter Whittaker <pww@xxxxxxxxxxxx>
> >
> > As per #208, add the option -x to prevent restorecon from crossing file
> > system boundaries, by setting SELINUX_RESTORECON_XDEV iff
> > iamrestorecon. If setfiles, call usage().
> >
> > Signed-off-by: Peter Whittaker <pww@xxxxxxxxxxxx>
> >
> > From 3a1c4a3e94f18bb240f663fb5fbcff77068e5c4a Mon Sep 17 00:00:00 2001
> > From: Peter Whittaker <pww@xxxxxxxxxxxx> > > Date: Fri, 15 May 2020 13:05:27 -0400 > > Subject: [PATCH] Add restorecon -x to not cross FS boundaries > > > > As per #208, add the option -x to prevent restorecon from cross file > > system boundaries, by setting SELINUX_RESTORECON_XDEV iff > > iamrestorecon. If setfiles, call usage(). > > Since you are adding a new option, please also update the man page > (policycoreutils/setfiles/restorecon.8). > > > --- > > policycoreutils/setfiles/setfiles.c | 11 +++++++++-- > > 1 file changed, 9 insertions(+), 2 deletions(-) > > > > diff --git a/policycoreutils/setfiles/setfiles.c > > b/policycoreutils/setfiles/setfiles.c > > index 16bd592ca..2d0224bb6 100644 > > --- a/policycoreutils/setfiles/setfiles.c > > +++ b/policycoreutils/setfiles/setfiles.c > > @@ -43,8 +43,8 @@ static __attribute__((__noreturn__)) void > > usage(const char *const name) > > { > > if (iamrestorecon) { > > fprintf(stderr, > > - "usage: %s [-iIDFmnprRv0] [-e excludedir] pathname...\n" > > - "usage: %s [-iIDFmnprRv0] [-e excludedir] -f filename\n", > > + "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n" > > + "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n", > > name, name); > > } else { > > fprintf(stderr, > > @@ -386,6 +386,13 @@ int main(int argc, char **argv) > > case '0': > > null_terminated = 1; > > break; > > + case 'x': > > + if (iamrestorecon) { > > + r_opts.xdev = SELINUX_RESTORECON_XDEV; > > + } else { > > + usage(argv[0]); > > + } > > + break; > > case 'h': > > case '?': > > usage(argv[0]); > > -- > > > > > -- > Ondrej Mosnacek <omosnace at redhat dot com> > Software Engineer, Security Technologies > Red Hat, Inc. >
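Review bot: in the usage() hunk, -x is added only to the two restorecon usage strings, which is consistent with the setfiles branch of the new case calling usage(), but nothing in this diff touches policycoreutils/setfiles/restorecon.8, so the option is announced in the usage line and undocumented in the man page; please add the man page entry in the same patch (as Ondrej asked), describing -x as "do not cross filesystem boundaries", and keep the new letter next to the other lowercase flags rather than appended after 0 if the maintainers prefer the existing ordering.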
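Review bot: in the main() hunk, no change to the getopt() option string appears anywhere in this diff, and the diffstat (9 insertions, 2 deletions) is fully accounted for by the two hunks shown, so unless the optstring already contains 'x', getopt() will never return 'x' and the new "case 'x':" is unreachable; add x to the optstring in the same patch and test both "restorecon -Rx <dir>" and "setfiles -x" to confirm the flag is actually reached. Two smaller points: SELINUX_RESTORECON_XDEV only limits directory traversal, so -x is a no-op without -r/-R, which is worth stating in the man page; and the neighbouring cases use no braces around single statements, so the if/else here could drop its braces for consistency with the surrounding code.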