Richard W.M. Jones
2017-Mar-20 18:14 UTC
[Libguestfs] [PATCH] daemon: selinux: Add setfiles -m option to suppress extra excludes (RHBZ#1433577).
---
daemon/selinux-relabel.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c
index 112bee1..2f48ee6 100644
--- a/daemon/selinux-relabel.c
+++ b/daemon/selinux-relabel.c
@@ -27,6 +27,8 @@
#include "actions.h"
#include "optgroups.h"
+#include "ignore-value.h"
+
GUESTFSD_EXT_CMD(str_setfiles, setfiles);
#define MAX_ARGS 64
@@ -37,6 +39,20 @@ optgroup_selinuxrelabel_available (void)
return prog_exists (str_setfiles);
}
+static int
+setfiles_has_m_option (void)
+{
+ static int flag = -1;
+ CLEANUP_FREE char *err = NULL;
+
+ if (flag == -1) {
+ ignore_value (command (NULL, &err, str_setfiles, "-m",
NULL));
+ flag = err && strstr (err, /* "invalid option -- " */
"'m'") == NULL;
+ }
+
+ return flag;
+}
+
/* Takes optional arguments, consult optargs_bitmask. */
int
do_selinux_relabel (const char *specfile, const char *path,
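Review bot: The probe in setfiles_has_m_option () decides on the absence of the substring "'m'" in stderr, which ties the result to one getopt message format. Any setfiles build whose "invalid option" message quotes the option differently (or not at all) would leave flag set to 1 and -m would be passed to a binary that rejects it. When err comes back NULL, flag becomes 0 and -m is silently never used. Please add a comment above the function stating the return value, the fact that the result is cached in the static, and the message format being assumed, and consider treating a NULL err as a probe failure rather than as "no -m".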
@@ -83,6 +99,13 @@ do_selinux_relabel (const char *specfile, const char *path,
ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_selinux);
ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_sys);
+ /* You have to use the -m option (where available) otherwise
+ * setfiles puts all the mountpoints on the excludes list for no
+ * useful reason (RHBZ#1433577).
+ */
+ if (setfiles_has_m_option ())
+ ADD_ARG (argv, i, "-m");
+
/* Relabelling in a chroot. */
if (STRNEQ (sysroot, "/")) {
ADD_ARG (argv, i, "-r");
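Review bot: The "if (setfiles_has_m_option ())" branch has no else, so when the probe reports that -m is unavailable the relabel still runs with the mountpoint excludes the comment describes, and nothing records that. Consider emitting a message in verbose mode for that case, and extend the comment to say what the extra excludes cause instead of "for no useful reason", so a reader without access to RHBZ#1433577 can tell why the flag matters.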
--
2.10.2
Pino Toscano
2017-Mar-21 09:57 UTC
Re: [Libguestfs] [PATCH] daemon: selinux: Add setfiles -m option to suppress extra excludes (RHBZ#1433577).
On Monday, 20 March 2017 19:14:46 CET Richard W.M. Jones wrote:
> ---

Such behaviour changes :-(

LGTM, unless the default behaviour of setfiles changes soon...

Thanks,
--
Pino Toscano
Richard W.M. Jones
2017-Mar-21 14:43 UTC
Re: [Libguestfs] [PATCH] daemon: selinux: Add setfiles -m option to suppress extra excludes (RHBZ#1433577).
On Tue, Mar 21, 2017 at 10:57:47AM +0100, Pino Toscano wrote:
> On Monday, 20 March 2017 19:14:46 CET Richard W.M. Jones wrote:
> > ---
>
> Such behaviour changes :-(
>
> LGTM, unless the default behaviour of setfiles changes soon...

Thanks, I'll push this one shortly. We most likely need this one in
RHEL 7.4. But not the other (-vv) patch.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org