bug#23868: [PATCH] install: with -Z, set default SELinux context also for directories
On 29/06/16 13:51, Kamil Dudka wrote:
> * doc/coreutils.texi (install invocation): Update -Z documentation.
> * src/install.c (make_ancestor): Set default security context before
> calling mkdir() if the -Z option was given.
> (process_dir): Call restorecon() on the destination directory if the -Z
> option was given.
> (usage): Update -Z documentation.
>
> Reported at https://bugzilla.redhat.com/1339135
> ---
> doc/coreutils.texi | 2 +-
> src/install.c | 33 -
> 2 files changed, 29 insertions(+), 6 deletions(-)
>
> diff --git a/doc/coreutils.texi b/doc/coreutils.texi
> index 47c63db..36cad87 100644
> --- a/doc/coreutils.texi
> +++ b/doc/coreutils.texi
> @@ -9217,7 +9217,7 @@ Print the name of each file before moving it.
> @cindex security context
> This option functions similarly to the @command{restorecon} command,
> by adjusting the SELinux security context according
> -to the system default type for destination files.
> +to the system default type for destination files (and each created
> directory).
>
> @end table
>
> diff --git a/src/install.c b/src/install.c
> index 2ff279c..25159c2 100644
> --- a/src/install.c
> +++ b/src/install.c
> @@ -39,6 +39,7 @@
> #include "prog-fprintf.h"
> #include "quote.h"
> #include "savewd.h"
> +#include "selinux.h"
> #include "stat-time.h"
> #include "utimens.h"
> #include "xstrtol.h"
> @@ -423,6 +424,12 @@ announce_mkdir (char const *dir, void *options)
> static int
> make_ancestor (char const *dir, char const *component, void *options)
> {
> + struct cp_options const *x = options;
> + if (x->set_security_context && defaultcon (dir, S_IFDIR) < 0
> + && ! ignorable_ctx_err (errno))
> +error (0, errno, _("failed to set default creation context for %s"),
> + quoteaf (dir));
> +
>int r = mkdir (component, DEFAULT_MODE);
>if (r == 0)
> announce_mkdir (dir, options);
> @@ -433,12 +440,28 @@ make_ancestor (char const *dir, char const *component,
> void *options)
> static int
> process_dir (char *dir, struct savewd *wd, void *options)
> {
> - return (make_dir_parents (dir, wd,
> -make_ancestor, options,
> -dir_mode, announce_mkdir,
> -dir_mode_bits, owner_id, group_id, false)
> + struct cp_options const *x = options;
> +
> + int ret = (make_dir_parents (dir, wd, make_ancestor, options,
> + dir_mode, announce_mkdir,
> + dir_mode_bits, owner_id, group_id, false)
>? EXIT_SUCCESS
>: EXIT_FAILURE);
> +
> + /* FIXME: Due to the current structure of make_dir_parents()
> + we don't have the facility to call defaultcon() before the
> + final component of DIR is created. So for now, create the
> + final component with the context from previous component
> + and here we set the context for the final component. */
> + if (ret == EXIT_SUCCESS && x->set_security_context)
> +{
> + if (! restorecon (last_component (dir), false, false)
> + && ! ignorable_ctx_err (errno))
> +error (0, errno, _("failed to restore context for %s"),
> + quoteaf (dir));
> +}
> +
> + return ret;
> }
>
> /* Copy file FROM onto file TO, creating TO if necessary.
> @@ -651,7 +674,7 @@ In the 4th form, create all components of the given
> DIRECTORY(ies).\n\
>fputs (_("\
>--preserve-context preserve SELinux security context\n\
>-Z set SELinux security context of destination\n\
> -file to default type\n\
> +file (and each created directory) to default
> type\n\
>--context[=CTX] like -Z, or if CTX is specified then set the\n\
> SELinux or SMACK security context to CTX\n\
> "), stdout);
>
The code looks perfect. The docs are probably better without (brackets). A new install/install-Z-selinux.sh test could be added along the lines of mkdir/restorecon.sh thanks! Pádraig.
bug#23868: [PATCH] install: with -Z, set default SELinux context also for directories
* doc/coreutils.texi (install invocation): Update -Z documentation.
* src/install.c (make_ancestor): Set default security context before
calling mkdir() if the -Z option was given.
(process_dir): Call restorecon() on the destination directory if the -Z
option was given.
(usage): Update -Z documentation.

Reported at https://bugzilla.redhat.com/1339135
---
 doc/coreutils.texi | 2 +-
 src/install.c | 33 -
 2 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/doc/coreutils.texi b/doc/coreutils.texi
index 47c63db..36cad87 100644
--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
@@ -9217,7 +9217,7 @@ Print the name of each file before moving it.
 @cindex security context
 This option functions similarly to the @command{restorecon} command,
 by adjusting the SELinux security context according
-to the system default type for destination files.
+to the system default type for destination files (and each created directory).

 @end table

diff --git a/src/install.c b/src/install.c
index 2ff279c..25159c2 100644
--- a/src/install.c
+++ b/src/install.c
@@ -39,6 +39,7 @@
 #include "prog-fprintf.h"
 #include "quote.h"
 #include "savewd.h"
+#include "selinux.h"
 #include "stat-time.h"
 #include "utimens.h"
 #include "xstrtol.h"
@@ -423,6 +424,12 @@ announce_mkdir (char const *dir, void *options)
 static int
 make_ancestor (char const *dir, char const *component, void *options)
 {
+ struct cp_options const *x = options;
+ if (x->set_security_context && defaultcon (dir, S_IFDIR) < 0
+ && ! ignorable_ctx_err (errno))
+error (0, errno, _("failed to set default creation context for %s"),
+ quoteaf (dir));
+
 int r = mkdir (component, DEFAULT_MODE);
 if (r == 0)
 announce_mkdir (dir, options);
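Review bot: The new block at the top of make_ancestor looks up the context with the accumulated path `dir` but creates the directory with `component`, and nothing in the hunk says why the two arguments differ; a comment above the `if`, such as `/* Match policy against the full path DIR; mkdir() presumably works on COMPONENT relative to the directory make_dir_parents() moved into — confirm.  */`, would stop a later reader from "fixing" one to match the other. The FIXME in the process_dir hunk implies the creation context set by defaultcon() stays in force for later mkdir() calls, so when defaultcon() fails here only a warning is printed and the mkdir() on the next line still proceeds with whatever creation context the previous component left behind, leaving that directory with a possibly wrong type until something relabels it; if that best-effort behaviour is intended, state it in the same comment so it is not mistaken for an oversight. make_ancestor's `return` lies past the end of the hunk.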
@@ -433,12 +440,28 @@ make_ancestor (char const *dir, char const *component, void *options)
 static int
 process_dir (char *dir, struct savewd *wd, void *options)
 {
- return (make_dir_parents (dir, wd,
-make_ancestor, options,
-dir_mode, announce_mkdir,
-dir_mode_bits, owner_id, group_id, false)
+ struct cp_options const *x = options;
+
+ int ret = (make_dir_parents (dir, wd, make_ancestor, options,
+ dir_mode, announce_mkdir,
+ dir_mode_bits, owner_id, group_id, false)
 ? EXIT_SUCCESS
 : EXIT_FAILURE);
+
+ /* FIXME: Due to the current structure of make_dir_parents()
+ we don't have the facility to call defaultcon() before the
+ final component of DIR is created. So for now, create the
+ final component with the context from previous component
+ and here we set the context for the final component. */
+ if (ret == EXIT_SUCCESS && x->set_security_context)
+{
+ if (! restorecon (last_component (dir), false, false)
+ && ! ignorable_ctx_err (errno))
+error (0, errno, _("failed to restore context for %s"),
+ quoteaf (dir));
+}
+
+ return ret;
 }

 /* Copy file FROM onto file TO, creating TO if necessary.
@@ -651,7 +674,7 @@ In the 4th form, create all components of the given DIRECTORY(ies).\n\
 fputs (_("\
 --preserve-context preserve SELinux security context\n\
 -Z set SELinux security context of destination\n\
-file to default type\n\
+file (and each created directory) to default type\n\
 --context[=CTX] like -Z, or if CTX is specified then set the\n\
 SELinux or SMACK security context to CTX\n\
 "), stdout);
--
2.5.5
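Review bot: The relabel at the end of process_dir hands restorecon() only `last_component (dir)`, a name that is meaningful solely relative to whatever directory make_dir_parents() (which is given the savewd `wd`) leaves current, while the SELinux default type is chosen from the full path. I cannot tell from the hunk which directory is current at that point, so please confirm that restorecon() resolves a relative name against the current working directory before matching policy, and record that in the FIXME comment (e.g. `/* DIR's parent is the current directory here, so the bare final component resolves correctly.  */`), because a mis-resolved path would silently apply the wrong default type rather than fail. A restorecon() failure is reported with `error (0, ...)` and `ret` stays EXIT_SUCCESS, which matches the non-fatal handling in make_ancestor; a short comment saying that -Z labelling failures are deliberately non-fatal, as for files, would make that symmetry explicit for the next reader. process_dir lies entirely within the hunk.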
bug#23866: stty sane behaviour.
On 29/06/16 02:06, Rich Burridge wrote:
> On 06/28/2016 05:05 PM, Pádraig Brady wrote:
>> On 29/06/16 00:03, Rich Burridge wrote:
>>> ...
>> Thanks for the detailed analysis.
>> It looks like this was already handled and we need to
>> expand the conditions where this is done. The current code is:
>>
>>/* SunOS 5.3 loses (^Z doesn't work) if 'swtch' is the same as 'susp'.
>> So the default is to disable 'swtch.' */
>>#if defined __sparc__ && defined __svr4__
>># undef CSWTCH
>># define CSWTCH _POSIX_VDISABLE
>>#endif
>>
>> How about we guard this with just:
>>
>>#ifdef __sun
>>#endif
>
> Assuming you mean:
>
> --- src/stty.c.orig 2016-06-28 17:48:25.580754994 -0700
> +++ src/stty.c 2016-06-28 17:51:21.725276863 -0700
> @@ -120,7 +120,7 @@
>
> /* SunOS 5.3 loses (^Z doesn't work) if 'swtch' is the same as 'susp'.
> So the default is to disable 'swtch.' */
> -#if defined __sparc__ && defined __svr4__
> +#if defined __sun
> # undef CSWTCH
> # define CSWTCH _POSIX_VDISABLE
> #endif
>
> and I'm sure you do, this works great.
Cool, pushed at: http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=v8.25-41-gdfae782 thanks, Pádraig.
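Review bot: The guard now covers every build that defines `__sun`, not just the SPARC/SVR4 combination it replaced, but the comment directly above it still attributes the workaround to "SunOS 5.3" alone, so a reader has no hint that non-SPARC Solaris was deliberately included. Suggest widening the comment to match the new condition, e.g. `/* Solaris (any architecture; first seen on SunOS 5.3) loses (^Z doesn't work) if 'swtch' is the same as 'susp'.  So the default is to disable 'swtch.' */`. The `__svr4__` test is dropped as well; if that was intentional rather than incidental, the same comment is the place to say so.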