Add a new api restorecon to restore file(s) default
SELinux security contexts.
Signed-off-by: Wanlong Gao <gaowanlong at cn.fujitsu.com>
---
daemon/selinux.c | 69 +
generator/actions.ml | 25 +
gobject/Makefile.inc | 6 +-
po/POTFILES | 2 +
src/MAX_PROC_NR | 2 +-
21 files changed, 13282 insertions(+), 28030 deletions(-)
diff --git a/daemon/selinux.c b/daemon/selinux.c
index 40590e1..14bc666 100644
--- a/daemon/selinux.c
+++ b/daemon/selinux.c
@@ -31,6 +31,10 @@
#include "actions.h"
#include "optgroups.h"
+#define MAX_ARGS 128
+
+GUESTFSD_EXT_CMD(str_restorecon, restorecon);
+
#if defined(HAVE_LIBSELINUX)
int
@@ -106,3 +110,68 @@ do_getcon (void)
}
#endif /* !HAVE_LIBSELINUX */
+
+int
+do_restorecon (const char *pathname,
+ const char *excludedir,
+ const char *labelprefix,
+ int recursion,
+ int force)
+{
+ int r;
+ size_t i = 0;
+ char *buf;
+ char *exdir;
+ char *err;
+ const char *argv[MAX_ARGS];
+
+ buf = sysroot_path (pathname);
+ if (!buf) {
+ reply_with_error ("malloc");
+ return -1;
+ }
+
+ ADD_ARG (argv, i, str_restorecon);
+
+ if (optargs_bitmask & GUESTFS_RESTORECON_EXCLUDEDIR_BITMASK) {
+ if (excludedir) {
+ exdir = sysroot_path (excludedir);
+ if (!exdir) {
+ reply_with_error ("malloc");
+ return -1;
+ }
+ ADD_ARG (argv, i, "-e");
+ ADD_ARG (argv, i, exdir);
+ }
+ }
+
+ if (optargs_bitmask & GUESTFS_RESTORECON_LABELPREFIX_BITMASK) {
+ if (labelprefix) {
+ ADD_ARG (argv, i, "-L");
+ ADD_ARG (argv, i, labelprefix);
+ }
+ }
+
+ if (optargs_bitmask & GUESTFS_RESTORECON_RECURSION_BITMASK)
+ if (recursion)
+ ADD_ARG (argv, i, "-R");
+
+ if (optargs_bitmask & GUESTFS_RESTORECON_FORCE_BITMASK)
+ if (force)
+ ADD_ARG (argv, i, "-F");
+
+ ADD_ARG (argv, i, buf);
+ ADD_ARG (argv, i, NULL);
+
+ r = commandv (NULL, &err, argv);
+ free (buf);
+ if (exdir) free (exdir);
+ if (r == -1) {
+ reply_with_error ("%s: %s", pathname, err);
+ free (err);
+ return -1;
+ }
+
+ free (err);
+ return 0;
+}
diff --git a/generator/actions.ml b/generator/actions.ml
index 71aee37..12796a7 100644
--- a/generator/actions.ml
+++ b/generator/actions.ml
@@ -10241,6 +10241,31 @@ If the optional C<suffix> parameter is given,
then the suffix
See also: C<guestfs_mkdtemp>." };
+ { defaults with
+ name = "restorecon";
+ style = RErr, [Pathname "pathname"], [OString
"excludedir"; OString "labelprefix"; OBool
"recursion"; OBool "force"];
+ proc_nr = Some 374;
+ tests = [
+ InitScratchFS, Always, TestRun (
+ [["mkdir"; "/a"];
+ ["mkdir"; "/a/b"];
+ ["touch"; "/a/b/c"];
+ ["mkdir"; "/a/d"];
+ ["touch"; "/a/d/e"];
+ ["restorecon"; "/a"; "/a/d";
"NOARG"; "true"; "true"]])
+ ];
+ shortdesc = "restore file(s) default SELinux security contexts";
+ longdesc = "\
+This program is primarily used to reset the security context (type)
+(extended attributes) on one or more files.
+
+It can be run at any time to correct errors, to add support for new policy.
+
+If a file object does not have a context, restorecon will write the default
+context to the file object's extended attributes. If a file object has a
+context, C<restorecon> will only modify the type portion of the security
+context. The C<force> option will force a replacement of the entire
context."};
+
]
(* Non-API meta-commands available only in guestfish.
diff --git a/gobject/Makefile.inc b/gobject/Makefile.inc
index 95a4b6b..7451d8e 100644
--- a/gobject/Makefile.inc
+++ b/gobject/Makefile.inc
@@ -82,7 +82,8 @@ guestfs_gobject_headers= \
include/guestfs-gobject/optargs-hivex_open.h \
include/guestfs-gobject/optargs-xfs_repair.h \
include/guestfs-gobject/optargs-mke2fs.h \
- include/guestfs-gobject/optargs-mktemp.h
+ include/guestfs-gobject/optargs-mktemp.h \
+ include/guestfs-gobject/optargs-restorecon.h
guestfs_gobject_sources= \
src/session.c \
@@ -146,4 +147,5 @@ guestfs_gobject_sources= \
src/optargs-hivex_open.c \
src/optargs-xfs_repair.c \
src/optargs-mke2fs.c \
- src/optargs-mktemp.c
+ src/optargs-mktemp.c \
+ src/optargs-restorecon.c
diff --git a/po/POTFILES b/po/POTFILES
index a73377d..5cded4e 100644
--- a/po/POTFILES
+++ b/po/POTFILES
@@ -138,6 +138,7 @@ fish/tilde.c
fish/time.c
format/format.c
fuse/guestmount.c
+gobject/docs/guestfs-scan.c
gobject/src/optargs-add_domain.c
gobject/src/optargs-add_drive.c
gobject/src/optargs-btrfs_filesystem_resize.c
@@ -167,6 +168,7 @@ gobject/src/optargs-mount_local.c
gobject/src/optargs-ntfsclone_out.c
gobject/src/optargs-ntfsfix.c
gobject/src/optargs-ntfsresize.c
+gobject/src/optargs-restorecon.c
gobject/src/optargs-rsync.c
gobject/src/optargs-rsync_in.c
gobject/src/optargs-rsync_out.c
diff --git a/src/MAX_PROC_NR b/src/MAX_PROC_NR
index a5c3fde..38a45c3 100644
--- a/src/MAX_PROC_NR
+++ b/src/MAX_PROC_NR
@@ -1 +1 @@
-373
+374
--
1.8.0
Richard W.M. Jones
2012-Oct-24 08:37 UTC
[Libguestfs] [PATCH] NEW API: add a new api restorecon
On Wed, Oct 24, 2012 at 02:04:47PM +0800, Wanlong Gao wrote:> Add a new api restorecon to restore file(s) default > SELinux security contexts.In general terms, yes. However there are some specific problems with this patch, see below.> Signed-off-by: Wanlong Gao <gaowanlong at cn.fujitsu.com> > --- > daemon/selinux.c | 69 + > generator/actions.ml | 25 + > gobject/Makefile.inc | 6 +- > po/POTFILES | 2 + > src/MAX_PROC_NR | 2 +- > 21 files changed, 13282 insertions(+), 28030 deletions(-) > > diff --git a/daemon/selinux.c b/daemon/selinux.c > index 40590e1..14bc666 100644 > --- a/daemon/selinux.c > +++ b/daemon/selinux.c > @@ -31,6 +31,10 @@ > #include "actions.h" > #include "optgroups.h" > > +#define MAX_ARGS 128 > + > +GUESTFSD_EXT_CMD(str_restorecon, restorecon); > + > #if defined(HAVE_LIBSELINUX) > > int > @@ -106,3 +110,68 @@ do_getcon (void) > } > > #endif /* !HAVE_LIBSELINUX */ > + > +int > +do_restorecon (const char *pathname, > + const char *excludedir, > + const char *labelprefix, > + int recursion, > + int force) > +{ > + int r; > + size_t i = 0; > + char *buf; > + char *exdir; > + char *err; > + const char *argv[MAX_ARGS]; > + > + buf = sysroot_path (pathname); > + if (!buf) { > + reply_with_error ("malloc"); > + return -1; > + } > + > + ADD_ARG (argv, i, str_restorecon); > + > + if (optargs_bitmask & GUESTFS_RESTORECON_EXCLUDEDIR_BITMASK) { > + if (excludedir) { > + exdir = sysroot_path (excludedir); > + if (!exdir) { > + reply_with_error ("malloc"); > + return -1; > + } > + ADD_ARG (argv, i, "-e"); > + ADD_ARG (argv, i, exdir); > + } > + }Note that the -e option can be specified multiple times (see the man page). It's possible to encode this using OStringList. On the other hand that is complicated and I don't mind if you just drop the excludedir optional argument, and we'll wait and see if anyone asks for it.> + if (optargs_bitmask & GUESTFS_RESTORECON_LABELPREFIX_BITMASK) { > + if (labelprefix) { > + ADD_ARG (argv, i, "-L"); > + ADD_ARG (argv, i, labelprefix); > + } > + } > + > + if (optargs_bitmask & GUESTFS_RESTORECON_RECURSION_BITMASK) > + if (recursion) > + ADD_ARG (argv, i, "-R"); > + > + if (optargs_bitmask & GUESTFS_RESTORECON_FORCE_BITMASK) > + if (force) > + ADD_ARG (argv, i, "-F"); > + > + ADD_ARG (argv, i, buf); > + ADD_ARG (argv, i, NULL); > + > + r = commandv (NULL, &err, argv); > + free (buf); > + if (exdir) free (exdir); > + if (r == -1) { > + reply_with_error ("%s: %s", pathname, err); > + free (err); > + return -1; > + } > + > + free (err); > + return 0; > +} > diff --git a/generator/actions.ml b/generator/actions.ml > index 71aee37..12796a7 100644 > --- a/generator/actions.ml > +++ b/generator/actions.ml > @@ -10241,6 +10241,31 @@ If the optional C<suffix> parameter is given, then the suffix > > See also: C<guestfs_mkdtemp>." }; > > + { defaults with > + name = "restorecon"; > + style = RErr, [Pathname "pathname"], [OString "excludedir"; OString "labelprefix"; OBool "recursion"; OBool "force"]; > + proc_nr = Some 374; > + tests = [ > + InitScratchFS, Always, TestRun (This test shouldn't be 'Always'. It should be conditional on having selinux.> + [["mkdir"; "/a"]; > + ["mkdir"; "/a/b"]; > + ["touch"; "/a/b/c"]; > + ["mkdir"; "/a/d"]; > + ["touch"; "/a/d/e"]; > + ["restorecon"; "/a"; "/a/d"; "NOARG"; "true"; "true"]]) > + ]; > + shortdesc = "restore file(s) default SELinux security contexts"; > + longdesc = "\ > +This program is primarily used to reset the security context (type) > +(extended attributes) on one or more files. > + > +It can be run at any time to correct errors, to add support for new policy. > + > +If a file object does not have a context, restorecon will write the default > +context to the file object's extended attributes. If a file object has a > +context, C<restorecon> will only modify the type portion of the security > +context. The C<force> option will force a replacement of the entire context."}; > diff --git a/po/POTFILES b/po/POTFILES > index a73377d..5cded4e 100644 > --- a/po/POTFILES > +++ b/po/POTFILES > @@ -138,6 +138,7 @@ fish/tilde.c > fish/time.c > format/format.c > fuse/guestmount.c > +gobject/docs/guestfs-scan.c > gobject/src/optargs-add_domain.c > gobject/src/optargs-add_drive.c > gobject/src/optargs-btrfs_filesystem_resize.cThis hunk is wrong. I think you've got a rogue file which needs to be deleted. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones New in Fedora 11: Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 70 libraries supprt'd http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
Possibly Parallel Threads
- unzip does not like a / at the end of path.
- installing package from source with Linux
- "R CMD check" accepts but "R CMD INSTALL" rejects a tar ball.
- rJava Installation Problems: 'cannot open compressed file 'rJava/DESCRIPTION', probable reason 'No such file or directory''
- possible internal (un)tar bug