On Tue, Jul 07, 2020 at 11:43:24AM -0400, Stephen Smalley wrote:
> On Tue, Jul 7, 2020 at 10:35 AM Antoine Tenart
> <antoine.tenart@xxxxxxxxxxx> wrote:
> >
> > The -c option allows checking the validity of contexts against a
> > specified binary policy. Its use is restricted: no pathname can be used
> > when a binary policy is given to setfiles. It's not clear if this is
> > intentional as the built-in help and the man page are not stating the
> > same thing about this (the man page documents -c as a normal option,
> > while the built-in help shows it is restricted).
> >
> > When generating full system images later used with SELinux in enforcing
> > mode, the extended attributes of files have to be set by the build
> > machine. The issue is setfiles always checks the contexts against a
> > policy (ctx_validate = 1) and using an external binary policy is not
> > currently possible when using a pathname. This ends up in setfiles
> > failing early as the contexts of the target image are not always
> > compatible with the ones of the build machine.
> >
> > This patch reworks a check on optind only made when -c is used, that
> > enforced the use of a single argument, to allow 1+ arguments, allowing
> > the use of setfiles with an external binary policy and pathnames. The
> > following command is then allowed, as already documented in the man page:
> >
> > $ setfiles -m -r target/ -c policy.32 file_contexts target/
> >
> > Signed-off-by: Antoine Tenart <antoine.tenart@xxxxxxxxxxx>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
>
> Applied. Thanks!