On Tue, Jul 7, 2020 at 10:35 AM Antoine Tenart <antoine.tenart@xxxxxxxxxxx> wrote: > > The -c option allows to check the validity of contexts against a > specified binary policy. Its use is restricted: no pathname can be used > when a binary policy is given to setfiles. It's not clear if this is > intentional as the built-in help and the man page are not stating the > same thing about this (the man page document -c as a normal option, > while the built-in help shows it is restricted). > > When generating full system images later used with SELinux in enforcing > mode, the extended attributed of files have to be set by the build > machine. The issue is setfiles always checks the contexts against a > policy (ctx_validate = 1) and using an external binary policy is not > currently possible when using a pathname. This ends up in setfiles > failing early as the contexts of the target image are not always > compatible with the ones of the build machine. > > This patch reworks a check on optind only made when -c is used, that > enforced the use of a single argument to allow 1+ arguments, allowing to > use setfiles with an external binary policy and pathnames. The following > command is then allowed, as already documented in the man page: > > $ setfiles -m -r target/ -c policy.32 file_contexts target/ > > Signed-off-by: Antoine Tenart <antoine.tenart@xxxxxxxxxxx> Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
