Re: [PATCH for-3.5 4/5] selinux_restorecon: introduce SELINUX_RESTORECON_COUNT_ERRORS

[Petr Lautrbach <plautrba@redhat.com>]

Laszlo Ersek <lersek@redhat.com> writes:

> Currently, if the SELINUX_RESTORECON_ABORT_ON_ERROR flag is clear, then
> selinux_restorecon[_parallel]() does not abort the file tree walk upon an
> error, but the function itself fails the same, with the same (-1) return
> value. This in turn is reported by the setfiles(8) utility to its parent
> process with the same exit code (255).
>
> In libguestfs we want to proceed after setfiles(8) fails *at most* with
> such errors that occur during the file tree walk. We need setfiles(8) to
> exit with a distinct exit status in that situation.
>
> For this, introduce the SELINUX_RESTORECON_COUNT_ERRORS flag, and the
> corresponding selinux_restorecon_get_skipped_errors() function, for
> selinux_restorecon[_parallel]() to count, but otherwise ignore, errors
> during the file tree walk. When no other kind of error occurs, the
> relabeling functions will return zero, and the caller can fetch the number
> of errors ignored during the file tree walk with
> selinux_restorecon_get_skipped_errors().
>
> Importantly, when at least one such error is skipped, we don't write
> partial match digests for subdirectories, as any masked error means that
> any subdirectory may not have been completely relabeled.
>
> Cc: "Richard W.M. Jones" <rjones@redhat.com>
> Cc: Petr Lautrbach <plautrba@redhat.com>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1794518
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
[...]
> --- a/libselinux/src/libselinux.map
> +++ b/libselinux/src/libselinux.map
> @@ -245,3 +245,8 @@ LIBSELINUX_3.4 {
>    global:
>      selinux_restorecon_parallel;
>  } LIBSELINUX_1.0;
> +
> +LIBSELINUX_3.5 {

It's still possible to put this into LIBSELINUX_3.4. Next week we will
release 3.4-rc3 and GA of 3.4 is planned two weeks later.


> +  global:
> +    selinux_restorecon_get_skipped_errors;
> +} LIBSELINUX_3.4;
> -- 
> 2.19.1.3.g30247aa5d201