[PATCH 1/2] libselinux/getconlist: report failures

[PATCH 1/2] libselinux/getconlist: report failures

[Christian Göttsche]

Check the given context a priori, to print a more user friendly message,
opposed to a generic following get_ordered_context_list/_with_level
failure.

Notify the user about failures of get_ordered_context_list/_with_level,
so no-context-found and a failure results are distinguishable.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libselinux/utils/getconlist.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/libselinux/utils/getconlist.c b/libselinux/utils/getconlist.c
index 29c16640..76654b75 100644
--- a/libselinux/utils/getconlist.c
+++ b/libselinux/utils/getconlist.c
@@ -58,8 +58,14 @@ int main(int argc, char **argv)
 			free(level);
 			return 2;
 		}
-	} else
+	} else {
 		cur_context = argv[optind + 1];
+		if (security_check_context(cur_context) != 0) {
+			fprintf(stderr, "Given context '%s' is invalid.\n", cur_context);
+			free(level);
+			return 3;
+		}
+	}
 
 	/* Get the list and print it */
 	if (level)
@@ -72,6 +78,11 @@ int main(int argc, char **argv)
 		for (i = 0; list[i]; i++)
 			puts(list[i]);
 		freeconary(list);
+	} else {
+		fprintf(stderr, "get_ordered_context_list%s failure: %d(%s)\n",
+			level ? "_with_level" : "", errno, strerror(errno));
+		free(level);
+		return 4;
 	}
 
 	free(level);
-- 
2.30.0

[PATCH 2/2] policycoreutils/fixfiles.8: add missing file systems and merge check and verify

[Christian Göttsche]

Mention the supported file systems ext4, gfs2 and btrfs.

The options check and verify are interchangeable, merge their
description.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 policycoreutils/scripts/fixfiles.8 | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 12342530..c4e894e5 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -35,8 +35,8 @@ database (extended attributes) on filesystems.
 .P
 It can also be run at any time to relabel when adding support for
 new policy, or  just check whether the file contexts are all
-as you expect.  By default it will relabel all mounted ext2, ext3, xfs and 
-jfs file systems as long as they do not have a security context mount 
+as you expect.  By default it will relabel all mounted ext2, ext3, ext4, gfs2, xfs,
+jfs and btrfs file systems as long as they do not have a security context mount
 option.  You can use the \-R flag to use rpmpackages as an alternative.
 The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
 excluded from relabeling.
@@ -79,7 +79,7 @@ Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \
 .SH "ARGUMENTS"
 One of:
 .TP 
-.B check
+.B check | verify
 print any incorrect file context labels, showing old and new context, but do not change them.
 .TP 
 .B restore
@@ -88,9 +88,6 @@ change any incorrect file context labels.
 .B relabel
 Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
 .TP 
-.B verify
-List out files with incorrect file context labels, but do not change them.
-.TP 
 .B [[dir/file] ... ] 
 List of files or directories trees that you wish to check file context on.
 
-- 
2.30.0

Re: [PATCH 2/2] policycoreutils/fixfiles.8: add missing file systems and merge check and verify

[Petr Lautrbach]

Christian Göttsche <cgzones@googlemail.com> writes:

> Mention the supported file systems ext4, gfs2 and btrfs.
>
> The options check and verify are interchangeable, merge their
> description.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: Petr Lautrbach <plautrba@redhat.com>

> ---
>  policycoreutils/scripts/fixfiles.8 | 9 +++------
>  1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
> index 12342530..c4e894e5 100644
> --- a/policycoreutils/scripts/fixfiles.8
> +++ b/policycoreutils/scripts/fixfiles.8
> @@ -35,8 +35,8 @@ database (extended attributes) on filesystems.
>  .P
>  It can also be run at any time to relabel when adding support for
>  new policy, or  just check whether the file contexts are all
> -as you expect.  By default it will relabel all mounted ext2, ext3, xfs and 
> -jfs file systems as long as they do not have a security context mount 
> +as you expect.  By default it will relabel all mounted ext2, ext3, ext4, gfs2, xfs,
> +jfs and btrfs file systems as long as they do not have a security context mount
>  option.  You can use the \-R flag to use rpmpackages as an alternative.
>  The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
>  excluded from relabeling.
> @@ -79,7 +79,7 @@ Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \
>  .SH "ARGUMENTS"
>  One of:
>  .TP 
> -.B check
> +.B check | verify
>  print any incorrect file context labels, showing old and new context, but do not change them.
>  .TP 
>  .B restore
> @@ -88,9 +88,6 @@ change any incorrect file context labels.
>  .B relabel
>  Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
>  .TP 
> -.B verify
> -List out files with incorrect file context labels, but do not change them.
> -.TP 
>  .B [[dir/file] ... ] 
>  List of files or directories trees that you wish to check file context on.
>  
> -- 
> 2.30.0

Re: [PATCH 2/2] policycoreutils/fixfiles.8: add missing file systems and merge check and verify

[Petr Lautrbach]

Petr Lautrbach <plautrba@redhat.com> writes:

> Christian Göttsche <cgzones@googlemail.com> writes:
>
>> Mention the supported file systems ext4, gfs2 and btrfs.
>>
>> The options check and verify are interchangeable, merge their
>> description.
>>
>> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: Petr Lautrbach <plautrba@redhat.com>

Merged, thanks!


>> ---
>>  policycoreutils/scripts/fixfiles.8 | 9 +++------
>>  1 file changed, 3 insertions(+), 6 deletions(-)
>>
>> diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
>> index 12342530..c4e894e5 100644
>> --- a/policycoreutils/scripts/fixfiles.8
>> +++ b/policycoreutils/scripts/fixfiles.8
>> @@ -35,8 +35,8 @@ database (extended attributes) on filesystems.
>>  .P
>>  It can also be run at any time to relabel when adding support for
>>  new policy, or  just check whether the file contexts are all
>> -as you expect.  By default it will relabel all mounted ext2, ext3, xfs and 
>> -jfs file systems as long as they do not have a security context mount 
>> +as you expect.  By default it will relabel all mounted ext2, ext3, ext4, gfs2, xfs,
>> +jfs and btrfs file systems as long as they do not have a security context mount
>>  option.  You can use the \-R flag to use rpmpackages as an alternative.
>>  The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
>>  excluded from relabeling.
>> @@ -79,7 +79,7 @@ Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \
>>  .SH "ARGUMENTS"
>>  One of:
>>  .TP 
>> -.B check
>> +.B check | verify
>>  print any incorrect file context labels, showing old and new context, but do not change them.
>>  .TP 
>>  .B restore
>> @@ -88,9 +88,6 @@ change any incorrect file context labels.
>>  .B relabel
>>  Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
>>  .TP 
>> -.B verify
>> -List out files with incorrect file context labels, but do not change them.
>> -.TP 
>>  .B [[dir/file] ... ] 
>>  List of files or directories trees that you wish to check file context on.
>>  
>> -- 
>> 2.30.0

Re: [PATCH 1/2] libselinux/getconlist: report failures

[Petr Lautrbach]

Christian Göttsche <cgzones@googlemail.com> writes:

> Check the given context a priori, to print a more user friendly message,
> opposed to a generic following get_ordered_context_list/_with_level
> failure.
>
> Notify the user about failures of get_ordered_context_list/_with_level,
> so no-context-found and a failure results are distinguishable.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  libselinux/utils/getconlist.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/libselinux/utils/getconlist.c b/libselinux/utils/getconlist.c
> index 29c16640..76654b75 100644
> --- a/libselinux/utils/getconlist.c
> +++ b/libselinux/utils/getconlist.c
> @@ -58,8 +58,14 @@ int main(int argc, char **argv)
>  			free(level);
>  			return 2;
>  		}
> -	} else
> +	} else {
>  		cur_context = argv[optind + 1];
> +		if (security_check_context(cur_context) != 0) {
> +			fprintf(stderr, "Given context '%s' is invalid.\n", cur_context);
> +			free(level);
> +			return 3;

3 is already used for "memory allocation failure: %d(%s)\n" error
But I'm not sure if it's important



> +		}
> +	}
>  
>  	/* Get the list and print it */
>  	if (level)
> @@ -72,6 +78,11 @@ int main(int argc, char **argv)
>  		for (i = 0; list[i]; i++)
>  			puts(list[i]);
>  		freeconary(list);
> +	} else {
> +		fprintf(stderr, "get_ordered_context_list%s failure: %d(%s)\n",
> +			level ? "_with_level" : "", errno, strerror(errno));
> +		free(level);
> +		return 4;
>  	}
>  
>  	free(level);
> -- 
> 2.30.0