diff --git a/TODO b/TODO index 90f6f68a5..fc20b2a87 100644 --- a/TODO +++ b/TODO @@ -59,12 +59,6 @@ Ideas for extra commands SELinux: chcat - restorecon - [Wanlong Gao submitted patches for restorecon, but - there are problems with using the restorecon binary - from the host on the guest. Most of the time it - would do more harm than good.] - setfiles Oddball: pivot_root diff --git a/appliance/packagelist.in b/appliance/packagelist.in index 5f04c1cac..3a4790b89 100644 --- a/appliance/packagelist.in +++ b/appliance/packagelist.in @@ -43,6 +43,7 @@ ifelse(REDHAT,1, ntfs-3g openssh-clients pcre + policycoreutils reiserfs-utils libselinux syslinux-extlinux diff --git a/daemon/Makefile.am b/daemon/Makefile.am index b77d1e79d..7d823715a 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am @@ -168,6 +168,7 @@ guestfsd_SOURCES = \ rsync.c \ scrub.c \ selinux.c \ + selinux-relabel.c \ sfdisk.c \ sh.c \ sleep.c \ diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c new file mode 100644 index 000000000..daafe9ec0 --- /dev/null +++ b/daemon/selinux-relabel.c @@ -0,0 +1,100 @@ +/* libguestfs - the guestfsd daemon + * Copyright (C) 2016 Red Hat Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include + +#include +#include +#include + +#include "guestfs_protocol.h" +#include "daemon.h" +#include "actions.h" +#include "optgroups.h" + +GUESTFSD_EXT_CMD(str_setfiles, setfiles); + +#define MAX_ARGS 64 + +int +optgroup_selinuxrelabel_available (void) +{ + return prog_exists (str_setfiles); +} + +/* Takes optional arguments, consult optargs_bitmask. */ +int +do_selinux_relabel (const char *specfile, const char *path, + int force) +{ + const char *argv[MAX_ARGS]; + CLEANUP_FREE char *s_dev = NULL, *s_proc = NULL, *s_selinux = NULL, + *s_sys = NULL, *s_specfile = NULL, *s_path = NULL; + CLEANUP_FREE char *err = NULL; + size_t i = 0; + + s_dev = sysroot_path ("/dev"); + if (!s_dev) { + malloc_error: + reply_with_perror ("malloc"); + return -1; + } + s_proc = sysroot_path ("/proc"); if (!s_proc) goto malloc_error; + s_selinux = sysroot_path ("/selinux"); if (!s_selinux) goto malloc_error; + s_sys = sysroot_path ("/sys"); if (!s_sys) goto malloc_error; + s_specfile = sysroot_path (specfile); if (!s_specfile) goto malloc_error; + s_path = sysroot_path (path); if (!s_path) goto malloc_error; + + /* Default settings if not selected. */ + if (!(optargs_bitmask & GUESTFS_SELINUX_RELABEL_FORCE_BITMASK)) + force = 0; + + ADD_ARG (argv, i, str_setfiles); + if (force) + ADD_ARG (argv, i, "-F"); + + /* Exclude some directories that should never be relabelled in + * ordinary Linux guests. These won't be mounted anyway. We have + * to prefix all these with the sysroot path. + */ + ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_dev); + ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_proc); + ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_selinux); + ADD_ARG (argv, i, "-e"); ADD_ARG (argv, i, s_sys); + + /* Relabelling in a chroot. */ + if (STRNEQ (sysroot, "/")) { + ADD_ARG (argv, i, "-r"); + ADD_ARG (argv, i, sysroot); + } + + /* Suppress non-error output. */ + ADD_ARG (argv, i, "-q"); + + /* Add parameters. */ + ADD_ARG (argv, i, s_specfile); + ADD_ARG (argv, i, s_path); + ADD_ARG (argv, i, NULL); + + if (commandv (NULL, &err, argv) == -1) { + reply_with_perror ("%s", err); + return -1; + } + + return 0; +} diff --git a/generator/actions.ml b/generator/actions.ml index 25108a2cd..507da9b1b 100644 --- a/generator/actions.ml +++ b/generator/actions.ml @@ -13149,6 +13149,29 @@ fails and the C is set to C." }; shortdesc = "walk through the filesystem content"; longdesc = "Internal function for filesystem_walk." }; + { defaults with + name = "selinux_relabel"; added = (1, 33, 43); + style = RErr, [String "specfile"; Pathname "path"], [OBool "force"]; + proc_nr = Some 467; + optional = Some "selinuxrelabel"; + test_excuse = "tests are in the tests/relabel directory"; + shortdesc = "relabel parts of the filesystem"; + longdesc = "\ +SELinux relabel parts of the filesystem. + +The C parameter controls the policy spec file used. +You have to parse C to find the correct +SELinux policy and then pass the spec file, usually: +C + I + C. + +The required C parameter is the top level directory where +relabelling starts. Normally you should pass C as C +to relabel the whole guest filesystem. + +The optional C boolean controls whether the context +is reset for customizable files, and also whether the +user, role and range parts of the file context is changed." }; + ] (* Non-API meta-commands available only in guestfish. diff --git a/gobject/Makefile.inc b/gobject/Makefile.inc index 77f1614ce..797bb3339 100644 --- a/gobject/Makefile.inc +++ b/gobject/Makefile.inc @@ -98,6 +98,7 @@ guestfs_gobject_headers= \ include/guestfs-gobject/optargs-rsync.h \ include/guestfs-gobject/optargs-rsync_in.h \ include/guestfs-gobject/optargs-rsync_out.h \ + include/guestfs-gobject/optargs-selinux_relabel.h \ include/guestfs-gobject/optargs-set_e2attrs.h \ include/guestfs-gobject/optargs-syslinux.h \ include/guestfs-gobject/optargs-tar_in.h \ @@ -186,6 +187,7 @@ guestfs_gobject_sources= \ src/optargs-rsync.c \ src/optargs-rsync_in.c \ src/optargs-rsync_out.c \ + src/optargs-selinux_relabel.c \ src/optargs-set_e2attrs.c \ src/optargs-syslinux.c \ src/optargs-tar_in.c \ diff --git a/src/MAX_PROC_NR b/src/MAX_PROC_NR index f27d46f40..5873851d3 100644 --- a/src/MAX_PROC_NR +++ b/src/MAX_PROC_NR @@ -1 +1 @@ -466 +467