[PATCH 2/2] setfiles: add option to modify user and role portions


 



From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Useful for the data of MCS-separated applications, such as containers.

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 policycoreutils/setfiles/restore.c    |  1 +
 policycoreutils/setfiles/restore.h    |  1 +
 policycoreutils/setfiles/restorecon.8 | 10 +++++++++-
 policycoreutils/setfiles/setfiles.8   | 11 ++++++++++-
 policycoreutils/setfiles/setfiles.c   | 18 +++++++++++-------
 5 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index d045e948..2c031ccc 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -36,6 +36,7 @@ void restore_init(struct restore_opts *opts)
 	opts->restorecon_flags = 0;
 	opts->restorecon_flags = opts->nochange | opts->verbose |
 			   opts->progress | opts->set_specctx  |
+			   opts->set_user_role |
 			   opts->add_assoc | opts->ignore_digest |
 			   opts->recurse | opts->userealpath |
 			   opts->xdev | opts->abort_on_error |
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h
index a5af81fe..95afb960 100644
--- a/policycoreutils/setfiles/restore.h
+++ b/policycoreutils/setfiles/restore.h
@@ -24,6 +24,7 @@ struct restore_opts {
 	unsigned int progress;
 	unsigned int mass_relabel;
 	unsigned int set_specctx;
+	unsigned int set_user_role;
 	unsigned int add_assoc;
 	unsigned int ignore_digest;
 	unsigned int recurse;
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index c3cc5c9b..1134420e 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -11,6 +11,7 @@ restorecon \- restore file(s) default SELinux security contexts.
 .RB [ \-v ]
 .RB [ \-i ]
 .RB [ \-F ]
+.RB [ \-U ]
 .RB [ \-W ]
 .RB [ \-I | \-D ]
 .RB [ \-x ]
@@ -30,6 +31,7 @@ restorecon \- restore file(s) default SELinux security contexts.
 .RB [ \-v ]
 .RB [ \-i ]
 .RB [ \-F ]
+.RB [ \-U ]
 .RB [ \-W ]
 .RB [ \-I | \-D ]
 .RB [ \-x ]
@@ -60,7 +62,9 @@ context,
 will only modify the type portion of the security context.
 The
 .B \-F
-option will force a replacement of the entire context.
+and
+.B \-U
+options will force a replacement of the entire context.
 .P
 If a file is labeled with
 .BR customizable
@@ -88,6 +92,10 @@ for
 Force reset of context to match file_context for customizable files, and the
 default file context, changing the user, role, range portion as well as the type.
 .TP
+.B \-U
+In addition to the type portion also change the user and role portions, but
+not the range portion.
+.TP
 .B \-h, \-?
 display usage information and exit.
 .TP
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index ee017250..eabf0a1c 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -19,6 +19,7 @@ setfiles \- set SELinux file security contexts.
 .RB [ \-v ]
 .RB [ \-W ]
 .RB [ \-F ]
+.RB [ \-U ]
 .RB [ \-I | \-D ]
 .RB [ \-T
 .IR nthreads ]
@@ -52,8 +53,12 @@ context,
 .B setfiles
 will only modify the type portion of the security context.
 The
+.B \-U
+option will also modify the user and role portions of the security context.
+The
 .B \-F
-option will force a replacement of the entire context.
+option will force a replacement of the entire context, including the range
+portion of the security context and modify customizable files.
 .SH "OPTIONS"
 .TP
 .B \-c
@@ -88,6 +93,10 @@ Force reset of context to match file_context for customizable files, and the
 default file context, changing the user, role, range portion as well as the
 type.
 .TP
+.B \-U
+In addition to the type portion also change the user and role portions, but
+not the range portion.
+.TP
 .B \-h, \-?
 display usage information and exit.
 .TP
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 88a27241..ad09f840 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -35,14 +35,14 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
 {
 	if (iamrestorecon) {
 		fprintf(stderr,
-			"usage:  %s [-iIDFmnprRv0xT] [-e excludedir] pathname...\n"
-			"usage:  %s [-iIDFmnprRv0xT] [-e excludedir] -f filename\n",
+			"usage:  %s [-iIDFUmnprRv0xT] [-e excludedir] pathname...\n"
+			"usage:  %s [-iIDFUmnprRv0xT] [-e excludedir] -f filename\n",
 			name, name);
 	} else {
 		fprintf(stderr,
-			"usage:  %s [-diIDlmnpqvCEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
-			"usage:  %s [-diIDlmnpqvCEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
-			"usage:  %s -s [-diIDlmnpqvFWT] spec_file\n",
+			"usage:  %s [-diIDlmnpqvCEFUWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
+			"usage:  %s [-diIDlmnpqvCEFUWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
+			"usage:  %s -s [-diIDlmnpqvFUWT] spec_file\n",
 			name, name, name);
 	}
 	exit(-1);
@@ -146,8 +146,8 @@ int main(int argc, char **argv)
 	size_t buf_len, nthreads = 1;
 	const char *base;
 	int errors = 0;
-	const char *ropts = "e:f:hiIDlmno:pqrsvFRW0xT:";
-	const char *sopts = "c:de:f:hiIDlmno:pqr:svCEFR:W0T:";
+	const char *ropts = "e:f:hiIDlmno:pqrsvFURW0xT:";
+	const char *sopts = "c:de:f:hiIDlmno:pqr:svCEFUR:W0T:";
 	const char *opts;
 	union selinux_callback cb;
 	long unsigned skipped_errors;
@@ -298,6 +298,10 @@ int main(int argc, char **argv)
 			r_opts.set_specctx =
 					   SELINUX_RESTORECON_SET_SPECFILE_CTX;
 			break;
+		case 'U':
+			r_opts.set_user_role =
+					   SELINUX_RESTORECON_SET_USER_ROLE;
+			break;
 		case 'm':
 			r_opts.ignore_mounts =
 					   SELINUX_RESTORECON_IGNORE_MOUNTS;
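Review bot: The new `case 'U'` sets `r_opts.set_user_role` unconditionally, so `-F -U` hands libselinux both SELINUX_RESTORECON_SET_SPECFILE_CTX and SELINUX_RESTORECON_SET_USER_ROLE with nothing in this hunk stating which one governs; presumably -F subsumes -U since it already resets user, role and range, but that is inferred and worth a one-line comment on the case, e.g. `/* -U resets user and role but leaves the MCS/MLS range untouched; -F supersedes it */`, plus a sentence in the OPTIONS text. Since -U is the first option besides -F that rewrites the user and role portions, its man-page entry should carry the same "force" warning tone as -F, because relabelling user/role on data of a confined service is as disruptive as a full relabel. Note also that the restorecon.8 hunk in this series says the -F and -U options "will force a replacement of the entire context", which contradicts the -U description that explicitly excludes the range portion. The enclosing main() and the getopt loop start and end outside this hunk, so whether r_opts is zero-initialised before this switch cannot be confirmed here.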
-- 
2.48.1





