On Mon, 2017-05-01 at 14:21 +0100, Richard Haines wrote:
> Remove utils/selinux_restorecon.c and tidy up. It is removed because
> the functionality is now in policycoreutils/setfiles.

Thanks, applied both.

> 
> Signed-off-by: Richard Haines <[email protected]>
> ---
>  libselinux/utils/.gitignore           |   1 -
>  libselinux/utils/Makefile             |   2 -
>  libselinux/utils/selinux_restorecon.c | 299 ------------------------
> ----------
>  3 files changed, 302 deletions(-)
>  delete mode 100644 libselinux/utils/selinux_restorecon.c
> 
> diff --git a/libselinux/utils/.gitignore
> b/libselinux/utils/.gitignore
> index ed3bf0b..b4f9f78 100644
> --- a/libselinux/utils/.gitignore
> +++ b/libselinux/utils/.gitignore
> @@ -19,7 +19,6 @@ selabel_lookup
>  selabel_lookup_best_match
>  selabel_partial_match
>  selinux_check_securetty_context
> -selinux_restorecon
>  selinuxenabled
>  selinuxexeccon
>  setenforce
> diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
> index 995f444..5d61031 100644
> --- a/libselinux/utils/Makefile
> +++ b/libselinux/utils/Makefile
> @@ -59,8 +59,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS)
> ../src/libselinux.a -lsepol
>  
>  sefcontext_compile: sefcontext_compile.o ../src/regex.o
>  
> -selinux_restorecon: LDLIBS += -lsepol
> -
>  all: $(TARGETS)
>  
>  install: all
> diff --git a/libselinux/utils/selinux_restorecon.c
> b/libselinux/utils/selinux_restorecon.c
> deleted file mode 100644
> index 4d2b08f..0000000
> --- a/libselinux/utils/selinux_restorecon.c
> +++ /dev/null
> @@ -1,299 +0,0 @@
> -#include <stdio.h>
> -#include <stdlib.h>
> -#include <string.h>
> -#include <getopt.h>
> -#include <errno.h>
> -#include <stdbool.h>
> -#include <sepol/sepol.h>
> -#include <selinux/label.h>
> -#include <selinux/restorecon.h>
> -
> -static char *policyfile;
> -
> -static char **exclude_list;
> -static int exclude_count;
> -
> -static int validate_context(char **contextp)
> -{
> -     char *context = *contextp, *tmpcon;
> -
> -     if (policyfile) {
> -             if (sepol_check_context(context) < 0) {
> -                     fprintf(stderr, "Invalid context %s\n",
> context);
> -                     exit(-1);
> -             }
> -     } else if (security_canonicalize_context_raw(context,
> &tmpcon) == 0) {
> -             free(context);
> -             *contextp = tmpcon;
> -     } else if (errno != ENOENT) {
> -             fprintf(stderr, "Validate context error: %s\n",
> -                                                 strerror(errno))
> ;
> -             exit(-1);
> -     }
> -
> -     return 0;
> -}
> -
> -static __attribute__ ((__noreturn__)) void usage(const char
> *progname)
> -{
> -     fprintf(stderr,
> -             "\nusage: %s [-FCnRrdmiIaAsl] [-e dir] [-v|-P]\n"
> -             "[-x alt_rootpath] [-p policy] [-f specfile]
> pathname ...\n"
> -             "\nWhere:\n\t"
> -             "-F  Set the label to that in specfile.\n\t"
> -             "    If not set then reset the \"type\" component of
> the "
> -             "label to that\n\t    in the specfile.\n\t"
> -             "-C  Check labels even if the stored SHA1 digest
> matches\n\t"
> -             "    the specfiles SHA1 digest.\n\t"
> -             "-n  Don't change any file labels (passive
> check).\n\t"
> -             "-R  Recursively change file and directory
> labels.\n\t"
> -             "-v  Show changes in file labels (-v and -P are
> mutually "
> -             " exclusive).\n\t"
> -             "-P  Show progress by printing \"*\" to stdout every
> 1000 files"
> -             ",\n\t    unless relabeling entire OS, then show
> percentage complete.\n\t"
> -             "-r  Use realpath(3) to convert pathnames to
> canonical form.\n\t"
> -             "-d  Prevent descending into directories that have a
> "
> -             "different\n\t    device number than the pathname
> from  which "
> -             "the descent began.\n\t"
> -             "-m  Do not automatically read /proc/mounts to
> determine what\n\t"
> -             "    non-seclabel mounts to exclude from
> relabeling.\n\t"
> -             "-e  Exclude this directory (add multiple -e
> entries).\n\t"
> -             "-i  Do not set SELABEL_OPT_DIGEST option when
> calling "
> -             " selabel_open(3).\n\t"
> -             "-I  Ignore files that do not exist.\n\t"
> -             "-a  Add an association between an inode and a
> context.\n\t"
> -             "    If there is a different context that matched
> the inode,\n\t"
> -             "    then use the first context that matched.\n\t"
> -             "-A  Abort on errors during the file tree walk.\n\t"
> -             "-s  Log any label changes to syslog(3).\n\t"
> -             "-l  Log what specfile context matched each
> file.\n\t"
> -             "-x  Set alternate rootpath.\n\t"
> -             "-p  Optional binary policy file (also sets validate
> context "
> -             "option).\n\t"
> -             "-f  Optional file contexts file.\n\t"
> -             "pathname  One or more paths to relabel.\n\n",
> -             progname);
> -     exit(-1);
> -}
> -
> -static void add_exclude(const char *directory)
> -{
> -     char **tmp_list;
> -
> -     if (directory == NULL || directory[0] != '/') {
> -             fprintf(stderr, "Full path required for exclude:
> %s.\n",
> -                     directory);
> -             exit(-1);
> -     }
> -
> -     /* Add another two entries, one for directory, and the other
> to
> -      * terminate the list */
> -     tmp_list = realloc(exclude_list, sizeof(char *) *
> (exclude_count + 2));
> -     if (!tmp_list) {
> -             fprintf(stderr, "ERROR: realloc failed.\n");
> -             exit(-1);
> -     }
> -     exclude_list = tmp_list;
> -
> -     exclude_list[exclude_count] = strdup(directory);
> -     if (!exclude_list[exclude_count]) {
> -             fprintf(stderr, "ERROR: strdup failed.\n");
> -             exit(-1);
> -     }
> -     exclude_count++;
> -     exclude_list[exclude_count] = NULL;
> -}
> -
> -int main(int argc, char **argv)
> -{
> -     int opt, i;
> -     unsigned int restorecon_flags = 0;
> -     char *path = NULL, *digest = NULL, *validate = NULL;
> -     char *alt_rootpath = NULL;
> -     FILE *policystream;
> -     bool ignore_digest = false, require_selinux = true;
> -     bool verbose = false, progress = false;
> -
> -     struct selabel_handle *hnd = NULL;
> -     struct selinux_opt selabel_option[] = {
> -             { SELABEL_OPT_PATH, path },
> -             { SELABEL_OPT_DIGEST, digest },
> -             { SELABEL_OPT_VALIDATE, validate }
> -     };
> -
> -     if (argc < 2)
> -             usage(argv[0]);
> -
> -     exclude_list = NULL;
> -     exclude_count = 0;
> -
> -     while ((opt = getopt(argc, argv, "iIFCnRvPrdaAslme:f:p:x:"))
> > 0) {
> -             switch (opt) {
> -             case 'F':
> -                     restorecon_flags |=
> -                                     SELINUX_RESTORECON_SET_SPECF
> ILE_CTX;
> -                     break;
> -             case 'C':
> -                     restorecon_flags |=
> -                                     SELINUX_RESTORECON_IGNORE_DI
> GEST;
> -                     break;
> -             case 'n':
> -                     restorecon_flags |=
> SELINUX_RESTORECON_NOCHANGE;
> -                     break;
> -             case 'R':
> -                     restorecon_flags |=
> SELINUX_RESTORECON_RECURSE;
> -                     break;
> -             case 'v':
> -                     if (progress) {
> -                             fprintf(stderr,
> -                                     "Progress and Verbose are
> mutually exclusive\n");
> -                             exit(-1);
> -                     }
> -                     verbose = true;
> -                     restorecon_flags
> |=  SELINUX_RESTORECON_VERBOSE;
> -                     break;
> -             case 'P':
> -                     if (verbose) {
> -                             fprintf(stderr,
> -                                     "Progress and Verbose are
> mutually exclusive\n");
> -                             exit(-1);
> -                     }
> -                     progress = true;
> -                     restorecon_flags
> |=  SELINUX_RESTORECON_PROGRESS;
> -                     break;
> -             case 'r':
> -                     restorecon_flags |=
> SELINUX_RESTORECON_REALPATH;
> -                     break;
> -             case 'd':
> -                     restorecon_flags |= SELINUX_RESTORECON_XDEV;
> -                     break;
> -             case 'm':
> -                     restorecon_flags |=
> SELINUX_RESTORECON_IGNORE_MOUNTS;
> -                     break;
> -             case 'e':
> -                     add_exclude(optarg);
> -                     break;
> -             case 'p':
> -                     policyfile = optarg;
> -
> -                     policystream = fopen(policyfile, "r");
> -                     if (!policystream) {
> -                             fprintf(stderr,
> -                                     "ERROR: opening %s: %s\n",
> -                                     policyfile,
> strerror(errno));
> -                             exit(-1);
> -                     }
> -
> -                     if
> (sepol_set_policydb_from_file(policystream) < 0) {
> -                             fprintf(stderr,
> -                                     "ERROR: reading policy %s:
> %s\n",
> -                                     policyfile,
> strerror(errno));
> -                             exit(-1);
> -                     }
> -                     fclose(policystream);
> -
> -                     selinux_set_callback(SELINUX_CB_VALIDATE,
> -                                 (union
> selinux_callback)&validate_context);
> -                     require_selinux = false;
> -                     break;
> -             case 'f':
> -                     path = optarg;
> -                     break;
> -             case 'i':
> -                     ignore_digest = true;
> -                     break;
> -             case 'I':
> -                     restorecon_flags |=
> SELINUX_RESTORECON_IGNORE_NOENTRY;
> -                     break;
> -             case 'a':
> -                     restorecon_flags |=
> SELINUX_RESTORECON_ADD_ASSOC;
> -                     break;
> -             case 'A':
> -                     restorecon_flags |=
> SELINUX_RESTORECON_ABORT_ON_ERROR;
> -                     break;
> -             case 's':
> -                     restorecon_flags |=
> SELINUX_RESTORECON_SYSLOG_CHANGES;
> -                     break;
> -             case 'l':
> -                     restorecon_flags |=
> SELINUX_RESTORECON_LOG_MATCHES;
> -                     break;
> -             case 'x':
> -                     alt_rootpath = optarg;
> -                     break;
> -             default:
> -                     usage(argv[0]);
> -             }
> -     }
> -
> -     if (require_selinux && (is_selinux_enabled() <= 0)) {
> -             fprintf(stderr,
> -                 "SELinux must be enabled to perform this
> operation.\n");
> -             exit(-1);
> -     }
> -
> -     if (optind >= argc) {
> -             fprintf(stderr, "No pathname specified\n");
> -             exit(-1);
> -     }
> -
> -     /* If any of these set then do our own selabel_open and pass
> -      * handle to selinux_restorecon */
> -     if (ignore_digest || path || policyfile) {
> -             if (path)
> -                     selabel_option[0].value = path;
> -             else
> -                     selabel_option[0].value = NULL;
> -
> -             if (ignore_digest)
> -                     selabel_option[1].value = NULL;
> -             else
> -                     selabel_option[1].value = (char *)1;
> -
> -             if (policyfile) /* Validate */
> -                     selabel_option[2].value = (char *)1;
> -             else
> -                     selabel_option[2].value = NULL;
> -
> -             hnd = selabel_open(SELABEL_CTX_FILE, selabel_option,
> 3);
> -             if (!hnd) {
> -                     switch (errno) {
> -                     case EOVERFLOW:
> -                             fprintf(stderr, "ERROR: Number of
> specfiles or"
> -                                 " specfile buffer caused an
> overflow.\n");
> -                             break;
> -                     default:
> -                             fprintf(stderr, "ERROR:
> selabel_open: %s\n",
> -                                                         strerror
> (errno));
> -                     }
> -                     exit(-1);
> -             }
> -             selinux_restorecon_set_sehandle(hnd);
> -     }
> -
> -     if (exclude_list)
> -             selinux_restorecon_set_exclude_list
> -                                              ((const char
> **)exclude_list);
> -
> -     if (alt_rootpath)
> -             selinux_restorecon_set_alt_rootpath(alt_rootpath);
> -
> -     /* Call restorecon for each path in list */
> -     for (i = optind; i < argc; i++) {
> -             if (selinux_restorecon(argv[i], restorecon_flags) <
> 0) {
> -                     fprintf(stderr, "ERROR: selinux_restorecon:
> %s\n",
> -                                         strerror(errno));
> -                     exit(-1);
> -             }
> -     }
> -
> -     if (exclude_list) {
> -             for (i = 0; exclude_list[i]; i++)
> -                     free(exclude_list[i]);
> -             free(exclude_list);
> -     }
> -
> -     if (hnd)
> -             selabel_close(hnd);
> -
> -     return 0;
> -}
