Re: [PATCH for-3.5 4/5] selinux_restorecon: introduce SELINUX_RESTORECON_COUNT_ERRORS

Laszlo Ersek <lersek@xxxxxxxxxx> writes:

> Currently, if the SELINUX_RESTORECON_ABORT_ON_ERROR flag is clear, then
> selinux_restorecon[_parallel]() does not abort the file tree walk upon an
> error, but the function itself fails the same, with the same (-1) return
> value. This in turn is reported by the setfiles(8) utility to its parent
> process with the same exit code (255).
>
> In libguestfs we want to proceed after setfiles(8) fails *at most* with
> such errors that occur during the file tree walk. We need setfiles(8) to
> exit with a distinct exit status in that situation.
>
> For this, introduce the SELINUX_RESTORECON_COUNT_ERRORS flag, and the
> corresponding selinux_restorecon_get_skipped_errors() function, for
> selinux_restorecon[_parallel]() to count, but otherwise ignore, errors
> during the file tree walk. When no other kind of error occurs, the
> relabeling functions will return zero, and the caller can fetch the number
> of errors ignored during the file tree walk with
> selinux_restorecon_get_skipped_errors().
>
> Importantly, when at least one such error is skipped, we don't write
> partial match digests for subdirectories, as any masked error means that
> any subdirectory may not have been completely relabeled.
>
> Cc: "Richard W.M. Jones" <rjones@xxxxxxxxxx>
> Cc: Petr Lautrbach <plautrba@xxxxxxxxxx>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1794518
> Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
> ---
[...]
> --- a/libselinux/src/libselinux.map
> +++ b/libselinux/src/libselinux.map
> @@ -245,3 +245,8 @@ LIBSELINUX_3.4 {
>    global:
>      selinux_restorecon_parallel;
>  } LIBSELINUX_1.0;
> +
> +LIBSELINUX_3.5 {

It's still possible to put this into LIBSELINUX_3.4. Next week we will
release 3.4-rc3 and GA of 3.4 is planned two weeks later.


> +  global:
> +    selinux_restorecon_get_skipped_errors;
> +} LIBSELINUX_3.4;
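
Review bot: The new LIBSELINUX_3.5 node at the end of libselinux.map exists only to carry selinux_restorecon_get_skipped_errors, and the version node a symbol is exported under becomes part of the ABI once it ships, so the choice between 3.4 and 3.5 has to be settled before either release. If the series lands before 3.4 GA, as the reply above suggests, drop the new node and add the symbol to the global: list of LIBSELINUX_3.4 directly after selinux_restorecon_parallel; the "for-3.5" subject prefix would then change as well.
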
> -- 
> 2.19.1.3.g30247aa5d201



