[Fwd: restorecon single fs patch]

[Fwd: restorecon single fs patch]

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 292 bytes --]

Patch to tell restorecon to only do one file system.

-------- Original Message --------
Subject: 	restorecon single fs patch
Date: 	Mon, 02 Apr 2007 14:54:36 -0400
From: 	Jeremy Katz <katzj@redhat.com>
To: 	dwalsh@redhat.com



Attached.  And from a quick test, works quite nicely

Jeremy



[-- Attachment #2: policycoreutils-restorecon-onefsys.patch --]
[-- Type: text/x-patch, Size: 1617 bytes --]

--- policycoreutils-2.0.7/restorecon/restorecon.c.onefs	2007-04-02 14:35:37.000000000 -0400
+++ policycoreutils-2.0.7/restorecon/restorecon.c	2007-04-02 14:48:05.000000000 -0400
@@ -16,6 +16,7 @@
  * -v	Show changes in file labels.  
  * -o	filename save list of files with incorrect context
  * -F	Force reset of context to match file_context for customizable files
+ * -l   Limit directory tree walk to a single filesystem
  *
  * pathname...	The file(s) to label 
  *
@@ -50,6 +51,7 @@
 static int recurse = 0;
 static int file_exist = 1;
 static int force = 0;
+static int onefs = 0;
 #define STAT_BLOCK_SIZE 1
 static int pipe_fds[2] = { -1, -1 };
 static unsigned long long count = 0;
@@ -326,13 +328,15 @@
 			rc = fork();
 		if (rc == 0) {
 			close(pipe_fds[0]);
-			nftw(buf, pre_stat, 1024, FTW_PHYS);
+			nftw(buf, pre_stat, 1024, 
+                             FTW_PHYS | (onefs ? FTW_MOUNT : 0));
 			exit(1);
 		}
 		if (rc > 0)
 			close(pipe_fds[1]);
 		if (rc == -1 || rc > 0) {
-			if (nftw(buf, apply_spec, 1024, FTW_PHYS)) {
+			if (nftw(buf, apply_spec, 1024, 
+                                 FTW_PHYS | (onefs ? FTW_MOUNT : 0))) {
 				if (!file_exist && errno == ENOENT)
 					return;
 				fprintf(stderr,
@@ -367,11 +371,14 @@
 
 	set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
 
-	while ((opt = getopt(argc, argv, "ipFrRnvf:o:e:")) > 0) {
+	while ((opt = getopt(argc, argv, "ipFrRnvfl:o:e:")) > 0) {
 		switch (opt) {
 		case 'n':
 			change = 0;
 			break;
+                case 'l':
+                    onefs = 1;
+                    break;
 		case 'i':
 			file_exist = 0;
 			break;

Re: [Fwd: restorecon single fs patch]

[Stephen Smalley]

On Mon, 2007-04-02 at 14:59 -0400, Daniel J Walsh wrote:
> Patch to tell restorecon to only do one file system.

Observations:
- This is yet another reason to coalesce setfiles and restorecon, as
setfiles already stops on filesystem boundaries.
- Here you introduce -l as meaning "limit to one filesystem" for
restorecon, but -l means log to setfiles and to the fixfiles script
front-end.  Seems prone to user confusion/conflict (think of what
happens if I want to pass this option through fixfiles to restorecon)
and it will get worse when/if we merge setfiles and restorecon together
if we don't fix it now.

How hard would it be to just fold restorecon and setfiles into a single
binary, and have them only differ in the default interfaces and
behaviors they provide (based on their argv[0] value), and try to use a
single standard set of options to the degree we can without breaking
widely used ones?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Fwd: restorecon single fs patch]

[Stephen Smalley]

On Mon, 2007-04-02 at 15:15 -0400, Stephen Smalley wrote:
> On Mon, 2007-04-02 at 14:59 -0400, Daniel J Walsh wrote:
> > Patch to tell restorecon to only do one file system.
> 
> Observations:
> - This is yet another reason to coalesce setfiles and restorecon, as
> setfiles already stops on filesystem boundaries.
> - Here you introduce -l as meaning "limit to one filesystem" for
> restorecon, but -l means log to setfiles and to the fixfiles script
> front-end.  Seems prone to user confusion/conflict (think of what
> happens if I want to pass this option through fixfiles to restorecon)
> and it will get worse when/if we merge setfiles and restorecon together
> if we don't fix it now.
> 
> How hard would it be to just fold restorecon and setfiles into a single
> binary, and have them only differ in the default interfaces and
> behaviors they provide (based on their argv[0] value), and try to use a
> single standard set of options to the degree we can without breaking
> widely used ones?

FYI, I have work in progress to collapse all restorecon functionality
into setfiles and make it offer either user interface and default
behavior depending on how it is invoked.

Also, I don't object to having an option to the restorecon user
interface to only do one filesystem, but it should use an option other
than -l since that is already being used by both setfiles and fixfiles
to signify logging.  I'd also like to revisit the current options and
see whether we actually need/want them all - there seem to be multiple
ways of doing the same thing, just with slight variances.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.