bug#23868: [PATCH] install: with -Z, set default SELinux context also for directories
On 29/06/16 13:51, Kamil Dudka wrote:
> * doc/coreutils.texi (install invocation): Update -Z documentation.
> * src/install.c (make_ancestor): Set default security context before
> calling mkdir() if the -Z option was given.
> (process_dir): Call restorecon() on the destination directory if the -Z
> option was given.
> (usage): Update -Z documentation.
>
> Reported at https://bugzilla.redhat.com/1339135
> ---
> doc/coreutils.texi | 2 +-
> src/install.c | 33 -
> 2 files changed, 29 insertions(+), 6 deletions(-)
>
> diff --git a/doc/coreutils.texi b/doc/coreutils.texi
> index 47c63db..36cad87 100644
> --- a/doc/coreutils.texi
> +++ b/doc/coreutils.texi
> @@ -9217,7 +9217,7 @@ Print the name of each file before moving it.
> @cindex security context
> This option functions similarly to the @command{restorecon} command,
> by adjusting the SELinux security context according
> -to the system default type for destination files.
> +to the system default type for destination files (and each created
> directory).
>
> @end table
>
> diff --git a/src/install.c b/src/install.c
> index 2ff279c..25159c2 100644
> --- a/src/install.c
> +++ b/src/install.c
> @@ -39,6 +39,7 @@
> #include "prog-fprintf.h"
> #include "quote.h"
> #include "savewd.h"
> +#include "selinux.h"
> #include "stat-time.h"
> #include "utimens.h"
> #include "xstrtol.h"
> @@ -423,6 +424,12 @@ announce_mkdir (char const *dir, void *options)
> static int
> make_ancestor (char const *dir, char const *component, void *options)
> {
> + struct cp_options const *x = options;
> + if (x->set_security_context && defaultcon (dir, S_IFDIR) < 0
> + && ! ignorable_ctx_err (errno))
> +error (0, errno, _("failed to set default creation context for %s"),
> + quoteaf (dir));
> +
>int r = mkdir (component, DEFAULT_MODE);
>if (r == 0)
> announce_mkdir (dir, options);
> @@ -433,12 +440,28 @@ make_ancestor (char const *dir, char const *component,
> void *options)
> static int
> process_dir (char *dir, struct savewd *wd, void *options)
> {
> - return (make_dir_parents (dir, wd,
> -make_ancestor, options,
> -dir_mode, announce_mkdir,
> -dir_mode_bits, owner_id, group_id, false)
> + struct cp_options const *x = options;
> +
> + int ret = (make_dir_parents (dir, wd, make_ancestor, options,
> + dir_mode, announce_mkdir,
> + dir_mode_bits, owner_id, group_id, false)
>? EXIT_SUCCESS
>: EXIT_FAILURE);
> +
> + /* FIXME: Due to the current structure of make_dir_parents()
> + we don't have the facility to call defaultcon() before the
> + final component of DIR is created. So for now, create the
> + final component with the context from previous component
> + and here we set the context for the final component. */
> + if (ret == EXIT_SUCCESS && x->set_security_context)
> +{
> + if (! restorecon (last_component (dir), false, false)
> + && ! ignorable_ctx_err (errno))
> +error (0, errno, _("failed to restore context for %s"),
> + quoteaf (dir));
> +}
> +
> + return ret;
> }
>
> /* Copy file FROM onto file TO, creating TO if necessary.
> @@ -651,7 +674,7 @@ In the 4th form, create all components of the given
> DIRECTORY(ies).\n\
>fputs (_("\
>--preserve-context preserve SELinux security context\n\
>-Z set SELinux security context of destination\n\
> -file to default type\n\
> +file (and each created directory) to default
> type\n\
>--context[=CTX] like -Z, or if CTX is specified then set the\n\
> SELinux or SMACK security context to CTX\n\
> "), stdout);
>
The code looks perfect.
The docs are probably better without (brackets).
A new install/install-Z-selinux.sh test could be added along the lines of
mkdir/restorecon.sh
thanks!
Pádraig.
bug#23868: [PATCH] install: with -Z, set default SELinux context also for directories
* doc/coreutils.texi (install invocation): Update -Z documentation.
* src/install.c (make_ancestor): Set default security context before
calling mkdir() if the -Z option was given.
(process_dir): Call restorecon() on the destination directory if the -Z
option was given.
(usage): Update -Z documentation.
Reported at https://bugzilla.redhat.com/1339135
---
doc/coreutils.texi | 2 +-
src/install.c | 33 -
2 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/doc/coreutils.texi b/doc/coreutils.texi
index 47c63db..36cad87 100644
--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
@@ -9217,7 +9217,7 @@ Print the name of each file before moving it.
@cindex security context
This option functions similarly to the @command{restorecon} command,
by adjusting the SELinux security context according
-to the system default type for destination files.
+to the system default type for destination files (and each created directory).
@end table
diff --git a/src/install.c b/src/install.c
index 2ff279c..25159c2 100644
--- a/src/install.c
+++ b/src/install.c
@@ -39,6 +39,7 @@
#include "prog-fprintf.h"
#include "quote.h"
#include "savewd.h"
+#include "selinux.h"
#include "stat-time.h"
#include "utimens.h"
#include "xstrtol.h"
@@ -423,6 +424,12 @@ announce_mkdir (char const *dir, void *options)
static int
make_ancestor (char const *dir, char const *component, void *options)
{
+ struct cp_options const *x = options;
+ if (x->set_security_context && defaultcon (dir, S_IFDIR) < 0
+ && ! ignorable_ctx_err (errno))
+error (0, errno, _("failed to set default creation context for %s"),
+ quoteaf (dir));
+
int r = mkdir (component, DEFAULT_MODE);
if (r == 0)
announce_mkdir (dir, options);
@@ -433,12 +440,28 @@ make_ancestor (char const *dir, char const *component,
void *options)
static int
process_dir (char *dir, struct savewd *wd, void *options)
{
- return (make_dir_parents (dir, wd,
-make_ancestor, options,
-dir_mode, announce_mkdir,
-dir_mode_bits, owner_id, group_id, false)
+ struct cp_options const *x = options;
+
+ int ret = (make_dir_parents (dir, wd, make_ancestor, options,
+ dir_mode, announce_mkdir,
+ dir_mode_bits, owner_id, group_id, false)
? EXIT_SUCCESS
: EXIT_FAILURE);
+
+ /* FIXME: Due to the current structure of make_dir_parents()
+ we don't have the facility to call defaultcon() before the
+ final component of DIR is created. So for now, create the
+ final component with the context from previous component
+ and here we set the context for the final component. */
+ if (ret == EXIT_SUCCESS && x->set_security_context)
+{
+ if (! restorecon (last_component (dir), false, false)
+ && ! ignorable_ctx_err (errno))
+error (0, errno, _("failed to restore context for %s"),
+ quoteaf (dir));
+}
+
+ return ret;
}
/* Copy file FROM onto file TO, creating TO if necessary.
@@ -651,7 +674,7 @@ In the 4th form, create all components of the given
DIRECTORY(ies).\n\
fputs (_("\
--preserve-context preserve SELinux security context\n\
-Z set SELinux security context of destination\n\
-file to default type\n\
+file (and each created directory) to default
type\n\
--context[=CTX] like -Z, or if CTX is specified then set the\n\
SELinux or SMACK security context to CTX\n\
"), stdout);
--
2.5.5
bug#23866: stty sane behaviour.
On 29/06/16 02:06, Rich Burridge wrote: > On 06/28/2016 05:05 PM, Pádraig Brady wrote: >> On 29/06/16 00:03, Rich Burridge wrote: >>> ... >> Thanks for the detailed analysis. >> It looks like this was already handled and we need to >> expand the conditions where this is done. The current code is: >> >>/* SunOS 5.3 loses (^Z doesn't work) if 'swtch' is the same as 'susp'. >> So the default is to disable 'swtch.' */ >>#if defined __sparc__ && defined __svr4__ >># undef CSWTCH >># define CSWTCH _POSIX_VDISABLE >>#endif >> >> How about we guard this with just: >> >>#ifdef __sun >>#endif > > Assuming you mean: > > --- src/stty.c.orig 2016-06-28 17:48:25.580754994 -0700 > +++ src/stty.c 2016-06-28 17:51:21.725276863 -0700 > @@ -120,7 +120,7 @@ > > /* SunOS 5.3 loses (^Z doesn't work) if 'swtch' is the same as 'susp'. > So the default is to disable 'swtch.' */ > -#if defined __sparc__ && defined __svr4__ > +#if defined __sun > # undef CSWTCH > # define CSWTCH _POSIX_VDISABLE > #endif > > and I'm sure you do, this works great. Cool, pushed at: http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=v8.25-41-gdfae782 thanks, Pádraig.
