From dcfa38512dd107c2d1674c80a5a14d7eca0d07de Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Wed, 11 May 2022 14:23:45 +0200 Subject: [PATCH] daemon/selinux-relabel: tolerate relabeling errors Option "-C" of setfiles(8) causes setfiles(8) to exit with status 1 rather than status 255 if it encounters relabeling errors, but no other (fatal) error. Pass "-C" to setfiles(8) in "selinux-relabel", because we don't want the "selinux-relabel" API to fail if setfiles(8) only encounters relabeling errors. (NB even without "-C", setfiles(8) continues traversing the directory tree(s) and relabeling files across relabeling errors, so this change is specifically about the exit status.) Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1794518 Signed-off-by: Laszlo Ersek Message-Id: <20220511122345.14208-3-lersek@redhat.com> Reviewed-by: Richard W.M. Jones (cherry picked from commit a39b79f6079c27eb32eecbaf4212bd2eb1be33bb) --- daemon/selinux-relabel.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c index a34287fe2..976cffe37 100644 --- a/daemon/selinux-relabel.c +++ b/daemon/selinux-relabel.c @@ -59,11 +59,13 @@ do_selinux_relabel (const char *specfile, const char *path, int force) { static int flag_m = -1; + static int flag_C = -1; const char *argv[MAX_ARGS]; CLEANUP_FREE char *s_dev = NULL, *s_proc = NULL, *s_selinux = NULL, *s_sys = NULL, *s_specfile = NULL, *s_path = NULL; CLEANUP_FREE char *err = NULL; size_t i = 0; + int setfiles_status; s_dev = sysroot_path ("/dev"); if (!s_dev) { 
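Review bot: `flag_C` starts at -1 as an apparent "not probed yet" sentinel, but the last hunk tests it by truthiness in `setfiles_status == 1 && flag_C`, and -1 is truthy. The test is only correct because `setfiles_has_option (&flag_C, 'C')` always runs first and presumably stores 0 or 1; that helper is defined outside this patch, so this is inferred. Comparing explicitly, `setfiles_status == 1 && flag_C > 0`, would keep the exit-status tolerance tied to "-C was actually passed" even if the probe is later moved or made conditional. A short comment on the declaration such as `/* -1 = not probed, 0 = unsupported, 1 = supported */` would document the tri-state for both `flag_m` and `flag_C`.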
@@ -107,6 +109,13 @@ do_selinux_relabel (const char *specfile, const char *path, if (setfiles_has_option (&flag_m, 'm')) ADD_ARG (argv, i, "-m"); + /* Not only do we want setfiles to trudge through individual relabeling + * errors, we also want the setfiles exit status to differentiate a fatal + * error from "relabeling errors only". See RHBZ#1794518. + */ + if (setfiles_has_option (&flag_C, 'C')) + ADD_ARG (argv, i, "-C"); + /* Relabelling in a chroot. */ if (STRNEQ (sysroot, "/")) { ADD_ARG (argv, i, "-r"); @@ -124,10 +133,10 @@ do_selinux_relabel (const char *specfile, const char *path, ADD_ARG (argv, i, s_path); ADD_ARG (argv, i, NULL); - if (commandv (NULL, &err, argv) == -1) { - reply_with_error ("%s", err); - return -1; - } + setfiles_status = commandrv (NULL, &err, argv); + if ((setfiles_status == 0) || (setfiles_status == 1 && flag_C)) + return 0; - return 0; + reply_with_error ("%s", err); + return -1; }
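Review bot: In the last hunk, the new `return 0` taken when `setfiles_status == 1` drops `err` without surfacing it, so the stderr captured from setfiles (presumably naming the paths that could not be relabeled) is lost and the caller sees an unqualified success. Files left with wrong or missing labels can be denied access or end up in an unintended domain once the guest boots with an enforcing policy, so an operator needs some trace of which paths were skipped. Consider emitting the text before returning, for example `if (setfiles_status == 1 && err) fprintf (stderr, "setfiles: relabeling errors tolerated: %s\n", err);`, or the equivalent through whatever debug logging the daemon normally uses. The API documentation should also say that success can mean a partial relabel. The body of `do_selinux_relabel` begins outside this hunk, so any logging already done by `commandrv` itself is not visible here.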