bug-coreutils

bug#23868: [PATCH] install: with -Z, set default SELinux context also fo


From: Pádraig Brady
Subject: bug#23868: [PATCH] install: with -Z, set default SELinux context also for directories
Date: Wed, 29 Jun 2016 14:10:09 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

On 29/06/16 13:51, Kamil Dudka wrote:
> * doc/coreutils.texi (install invocation): Update -Z documentation.
> * src/install.c (make_ancestor): Set default security context before
> calling mkdir() if the -Z option was given.
> (process_dir): Call restorecon() on the destination directory if the -Z
> option was given.
> (usage): Update -Z documentation.
> 
> Reported at https://bugzilla.redhat.com/1339135
> ---
>  doc/coreutils.texi |  2 +-
>  src/install.c      | 33 ++++++++++++++++++++++++++++-----
>  2 files changed, 29 insertions(+), 6 deletions(-)
> 
> diff --git a/doc/coreutils.texi b/doc/coreutils.texi
> index 47c63db..36cad87 100644
> --- a/doc/coreutils.texi
> +++ b/doc/coreutils.texi
> @@ -9217,7 +9217,7 @@ Print the name of each file before moving it.
>  @cindex security context
>  This option functions similarly to the @command{restorecon} command,
>  by adjusting the SELinux security context according
> -to the system default type for destination files.
> +to the system default type for destination files (and each created 
> directory).
>  
>  @end table
>  
> diff --git a/src/install.c b/src/install.c
> index 2ff279c..25159c2 100644
> --- a/src/install.c
> +++ b/src/install.c
> @@ -39,6 +39,7 @@
>  #include "prog-fprintf.h"
>  #include "quote.h"
>  #include "savewd.h"
> +#include "selinux.h"
>  #include "stat-time.h"
>  #include "utimens.h"
>  #include "xstrtol.h"
> @@ -423,6 +424,12 @@ announce_mkdir (char const *dir, void *options)
>  static int
>  make_ancestor (char const *dir, char const *component, void *options)
>  {
> +  struct cp_options const *x = options;
> +  if (x->set_security_context && defaultcon (dir, S_IFDIR) < 0
> +      && ! ignorable_ctx_err (errno))
> +    error (0, errno, _("failed to set default creation context for %s"),
> +           quoteaf (dir));
> +
>    int r = mkdir (component, DEFAULT_MODE);
>    if (r == 0)
>      announce_mkdir (dir, options);
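Review bot: in make_ancestor, a defaultcon() failure is reported with error (0, errno, ...) and execution falls through to mkdir(), so the component is still created under whatever creation context was in force and the caller only learns mkdir's result. If best-effort labelling is intended here, a short comment saying so would help; otherwise return nonzero so the failure reaches process_dir. The cast of void *options to struct cp_options const * also assumes every caller of this callback passes a cp_options; a one-line comment documenting that contract would make the assumption visible.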
> @@ -433,12 +440,28 @@ make_ancestor (char const *dir, char const *component, 
> void *options)
>  static int
>  process_dir (char *dir, struct savewd *wd, void *options)
>  {
> -  return (make_dir_parents (dir, wd,
> -                            make_ancestor, options,
> -                            dir_mode, announce_mkdir,
> -                            dir_mode_bits, owner_id, group_id, false)
> +  struct cp_options const *x = options;
> +
> +  int ret = (make_dir_parents (dir, wd, make_ancestor, options,
> +                               dir_mode, announce_mkdir,
> +                               dir_mode_bits, owner_id, group_id, false)
>            ? EXIT_SUCCESS
>            : EXIT_FAILURE);
> +
> +  /* FIXME: Due to the current structure of make_dir_parents()
> +     we don't have the facility to call defaultcon() before the
> +     final component of DIR is created.  So for now, create the
> +     final component with the context from previous component
> +     and here we set the context for the final component. */
> +  if (ret == EXIT_SUCCESS && x->set_security_context)
> +    {
> +      if (! restorecon (last_component (dir), false, false)
> +          && ! ignorable_ctx_err (errno))
> +        error (0, errno, _("failed to restore context for %s"),
> +               quoteaf (dir));
> +    }
> +
> +  return ret;
>  }
>  
>  /* Copy file FROM onto file TO, creating TO if necessary.
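Review bot: the restorecon() call runs whenever make_dir_parents() returned success and -Z is set, with no check that the final component was created by this invocation, so if make_dir_parents() succeeds for a destination directory that already existed, -Z now relabels that pre-existing directory as well; worth confirming that is intended and mentioning it in the FIXME or the docs. Two smaller points: restorecon() receives last_component (dir) while the diagnostic quotes the full dir, which is fine for the user but deserves a comment stating that the working directory is the parent at this point; and the "? EXIT_SUCCESS" / ": EXIT_FAILURE" continuation lines kept their old indentation and no longer line up with the new "int ret = (" opening.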
> @@ -651,7 +674,7 @@ In the 4th form, create all components of the given 
> DIRECTORY(ies).\n\
>        fputs (_("\
>        --preserve-context  preserve SELinux security context\n\
>    -Z                      set SELinux security context of destination\n\
> -                            file to default type\n\
> +                            file (and each created directory) to default 
> type\n\
>        --context[=CTX]     like -Z, or if CTX is specified then set the\n\
>                              SELinux or SMACK security context to CTX\n\
>  "), stdout);
> 

The code looks perfect.
The docs are probably better without (brackets).
A new install/install-Z-selinux.sh test could be added along the lines of 
mkdir/restorecon.sh

thanks!
Pádraig.




