On Tue, May 26, 2020 at 1:04 PM Peter Whittaker <pww@xxxxxxxxxxxx> wrote: > > Folks, this patch adds and documents a "-x" option for restorecon > to prevent it from crossing file system boundaries, as requested > in github issue #208. > > P > > Signed-off-by: Peter Whittaker <pww@xxxxxxxxxxxx> You didn't update the actual ropts string so restorecon -x fails even after this patch. Did you test your change? In your patch description, you can put the following line before your Signed-off-by and drop the separate references to github issue #208 in the subject line and body: Fixes: https://github.com/SELinuxProject/selinux/issues/208 > --- > policycoreutils/setfiles/restorecon.8 | 7 +++++++ > policycoreutils/setfiles/setfiles.c | 11 +++++++++-- > 2 files changed, 16 insertions(+), 2 deletions(-) > > diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 > index bbfc83fe..0d1930de 100644 > --- a/policycoreutils/setfiles/restorecon.8 > +++ b/policycoreutils/setfiles/restorecon.8 > @@ -13,6 +13,7 @@ restorecon \- restore file(s) default SELinux security contexts. > .RB [ \-F ] > .RB [ \-W ] > .RB [ \-I | \-D ] > +.RB [ \-x ] > .RB [ \-e > .IR directory ] > .IR pathname \ ... > @@ -31,6 +32,7 @@ restorecon \- restore file(s) default SELinux security contexts. > .RB [ \-F ] > .RB [ \-W ] > .RB [ \-I | \-D ] > +.RB [ \-x ] > > .SH "DESCRIPTION" > This manual page describes the > @@ -153,6 +155,11 @@ option of GNU > .B find > produces input suitable for this mode. > .TP > +.B \-x > +prevent > +.B restorecon > +from crossing file system boundaries. > +.TP > .SH "ARGUMENTS" > .IR pathname \ ... > The pathname for the file(s) to be relabeled. > diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c > index 16bd592c..afd579e3 100644 > --- a/policycoreutils/setfiles/setfiles.c > +++ b/policycoreutils/setfiles/setfiles.c 
> @@ -43,8 +43,8 @@ static __attribute__((__noreturn__)) void usage(const char *const name) > { > if (iamrestorecon) { > fprintf(stderr, > - "usage: %s [-iIDFmnprRv0] [-e excludedir] pathname...\n" > - "usage: %s [-iIDFmnprRv0] [-e excludedir] -f filename\n", > + "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n" > + "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n", > name, name); > } else { > fprintf(stderr, > @@ -386,6 +386,13 @@ int main(int argc, char **argv) > case '0': > null_terminated = 1; > break; > + case 'x': > + if (iamrestorecon) { > + r_opts.xdev = SELINUX_RESTORECON_XDEV; > + } else { > + usage(argv[0]); > + } > + break; > case 'h': > case '?': > usage(argv[0]); > -- > 2.20.1 >
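Review bot: in the main() hunk of setfiles.c, the new `case 'x':` can only be reached if getopt() is told about the option, and no hunk in this patch adds `x` to the option string that restorecon passes to getopt() (the ropts string named in the reply above). As posted, `restorecon -x` is treated as an unknown option and ends up in the existing `case '?':` branch, which calls usage(argv[0]). Add `x` to that option string in the same patch, and confirm with a run of `restorecon -x` that the flag is accepted and that r_opts.xdev is actually set.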
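Review bot: in the restorecon.8 hunk at @@ -153, the added `.TP` after "from crossing file system boundaries." is followed directly by `.SH "ARGUMENTS"`, so it opens a tagged paragraph that has no tag and no body. The `.TP` already present in the context line above `.B \-x` introduces the new entry, so the trailing `.TP` added by this hunk can be dropped.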