6feaf70251
optimalizations(#433189, #433190)
1212 lines
40 KiB
Diff
1212 lines
40 KiB
Diff
diff -urp coreutils-6.10-orig/configure.ac coreutils-6.10/configure.ac
|
|
--- coreutils-6.10-orig/configure.ac 2008-01-25 12:32:33.000000000 +0100
|
|
+++ coreutils-6.10/configure.ac 2008-01-25 14:10:34.000000000 +0100
|
|
@@ -51,6 +51,13 @@ AC_ARG_ENABLE(pam, dnl
|
|
LIB_PAM="-ldl -lpam -lpam_misc"
|
|
AC_SUBST(LIB_PAM)])
|
|
|
|
+dnl Give the chance to enable SELINUX
|
|
+AC_ARG_ENABLE(selinux, dnl
|
|
+[ --enable-selinux Enable use of the SELINUX libraries],
|
|
+[AC_DEFINE(WITH_SELINUX, 1, [Define if you want to use SELINUX])
|
|
+LIB_SELINUX="-lselinux"
|
|
+AC_SUBST(LIB_SELINUX)])
|
|
+
|
|
AC_FUNC_FORK
|
|
|
|
optional_bin_progs=
|
|
diff -urp coreutils-6.10-orig/man/cp.1 coreutils-6.10/man/cp.1
|
|
--- coreutils-6.10-orig/man/cp.1 2008-01-25 12:34:23.000000000 +0100
|
|
+++ coreutils-6.10/man/cp.1 2008-01-25 14:42:25.000000000 +0100
|
|
@@ -58,7 +58,7 @@ same as \fB\-\-preserve\fR=\fImode\fR,ow
|
|
\fB\-\-preserve\fR[=\fIATTR_LIST\fR]
|
|
preserve the specified attributes (default:
|
|
mode,ownership,timestamps), if possible
|
|
-additional attributes: context, links, all
|
|
+additional attributes: security context, links, all
|
|
.TP
|
|
\fB\-\-no\-preserve\fR=\fIATTR_LIST\fR
|
|
don't preserve the specified attributes
|
|
@@ -102,6 +102,9 @@ explain what is being done
|
|
.TP
|
|
\fB\-x\fR, \fB\-\-one\-file\-system\fR
|
|
stay on this file system
|
|
+\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR
|
|
+(SELinux) set SELinux security context of copy to CONTEXT
|
|
+.TP
|
|
.TP
|
|
\fB\-\-help\fR
|
|
display this help and exit
|
|
diff -urp coreutils-6.10-orig/man/dir.1 coreutils-6.10/man/dir.1
|
|
--- coreutils-6.10-orig/man/dir.1 2008-01-25 12:34:23.000000000 +0100
|
|
+++ coreutils-6.10/man/dir.1 2008-01-25 14:46:19.000000000 +0100
|
|
@@ -203,11 +203,24 @@ list entries by lines instead of by colu
|
|
\fB\-X\fR
|
|
sort alphabetically by entry extension
|
|
.TP
|
|
-\fB\-Z\fR, \fB\-\-context\fR
|
|
-print any SELinux security context of each file
|
|
-.TP
|
|
\fB\-1\fR
|
|
list one file per line
|
|
+.PP
|
|
+SELINUX options:
|
|
+.TP
|
|
+\fB\-\-lcontext\fR
|
|
+Display SELinux security context.
|
|
+Enable \fB\-l\fR. Lines will probably be too
|
|
+wide for most displays.
|
|
+.TP
|
|
+\fB\-\-context\fR
|
|
+Display SELinux security context so it fits
|
|
+on most displays. Displays only mode, user,
|
|
+group, security context and file name.
|
|
+.TP
|
|
+\fB\-\-scontext\fR
|
|
+Display only SELinux security context and
|
|
+file name.
|
|
.TP
|
|
\fB\-\-help\fR
|
|
display this help and exit
|
|
diff -urp coreutils-6.10-orig/man/chcon.1 coreutils-6.10/man/chcon.1
|
|
--- coreutils-6.10-orig/man/chcon.1 2008-01-25 12:34:22.000000000 +0100
|
|
+++ coreutils-6.10/man/chcon.1 2008-01-25 14:15:52.000000000 +0100
|
|
@@ -1,7 +1,7 @@
|
|
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.35.
|
|
.TH CHCON "1" "January 2008" "GNU coreutils 6.10" "User Commands"
|
|
.SH NAME
|
|
-chcon \- change file security context
|
|
+chcon \- change file SELinux security context
|
|
.SH SYNOPSIS
|
|
.B chcon
|
|
[\fIOPTION\fR]... \fICONTEXT FILE\fR...
|
|
@@ -14,7 +14,7 @@ chcon \- change file security context
|
|
.SH DESCRIPTION
|
|
.\" Add any additional description here
|
|
.PP
|
|
-Change the security context of each FILE to CONTEXT.
|
|
+Change the SELinux security context of each FILE to CONTEXT.
|
|
With \fB\-\-reference\fR, change the security context of each FILE to that of RFILE.
|
|
.TP
|
|
\fB\-c\fR, \fB\-\-changes\fR
|
|
@@ -74,6 +74,8 @@ License GPLv3+: GNU GPL version 3 or lat
|
|
.br
|
|
This is free software: you are free to change and redistribute it.
|
|
There is NO WARRANTY, to the extent permitted by law.
|
|
+.SH "REPORTING BUGS"
|
|
+Report bugs to <https://bugzilla.redhat.com/bugzilla>.
|
|
.SH "SEE ALSO"
|
|
The full documentation for
|
|
.B chcon
|
|
diff -urp coreutils-6.10-orig/man/id.1 coreutils-6.10/man/id.1
|
|
--- coreutils-6.10-orig/man/id.1 2008-01-25 12:34:24.000000000 +0100
|
|
+++ coreutils-6.10/man/id.1 2008-01-25 14:40:22.000000000 +0100
|
|
@@ -14,7 +14,7 @@ Print information for USERNAME, or the c
|
|
ignore, for compatibility with other versions
|
|
.TP
|
|
\fB\-Z\fR, \fB\-\-context\fR
|
|
-print only the security context of the current user
|
|
+print only the SELinux security context of the current user
|
|
.TP
|
|
\fB\-g\fR, \fB\-\-group\fR
|
|
print only the effective group ID
|
|
diff -urp coreutils-6.10-orig/man/install.1 coreutils-6.10/man/install.1
|
|
--- coreutils-6.10-orig/man/install.1 2008-01-25 12:34:23.000000000 +0100
|
|
+++ coreutils-6.10/man/install.1 2008-01-25 14:32:47.000000000 +0100
|
|
@@ -68,11 +68,11 @@ treat DEST as a normal file
|
|
\fB\-v\fR, \fB\-\-verbose\fR
|
|
print the name of each directory as it is created
|
|
.TP
|
|
-\fB\-\-preserve\-context\fR
|
|
-preserve SELinux security context
|
|
+\fB\-P\fR, \fB\-\-preserve_context\fR \fB\-\-preserve\-context\fR
|
|
+(SELinux) preserve SELinux security context
|
|
.TP
|
|
\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR
|
|
-set SELinux security context of files and directories
|
|
+(SELinux) set SELinux security context of files and directories
|
|
.TP
|
|
\fB\-\-help\fR
|
|
display this help and exit
|
|
diff -urp coreutils-6.10-orig/man/ls.1 coreutils-6.10/man/ls.1
|
|
--- coreutils-6.10-orig/man/ls.1 2008-01-25 12:34:23.000000000 +0100
|
|
+++ coreutils-6.10/man/ls.1 2008-01-25 14:39:10.000000000 +0100
|
|
@@ -203,11 +203,24 @@ list entries by lines instead of by colu
|
|
\fB\-X\fR
|
|
sort alphabetically by entry extension
|
|
.TP
|
|
-\fB\-Z\fR, \fB\-\-context\fR
|
|
-print any SELinux security context of each file
|
|
-.TP
|
|
\fB\-1\fR
|
|
list one file per line
|
|
+.PP
|
|
+SELinux options:
|
|
+.TP
|
|
+\fB\-\-lcontext\fR
|
|
+Display SELinux security context.
|
|
+Enable \fB\-l\fR. Lines will probably be too
|
|
+wide for most displays.
|
|
+.TP
|
|
+\fB\-Z\fR, \fB\-\-context\fR
|
|
+Display SELinux security context so it fits
|
|
+on most displays. Displays only mode, user,
|
|
+group, security context and file name.
|
|
+.TP
|
|
+\fB\-\-scontext\fR
|
|
+Display only SELinux security context and
|
|
+file name.
|
|
.TP
|
|
\fB\-\-help\fR
|
|
display this help and exit
|
|
diff -urp coreutils-6.10-orig/man/mkdir.1 coreutils-6.10/man/mkdir.1
|
|
--- coreutils-6.10-orig/man/mkdir.1 2008-01-25 12:34:23.000000000 +0100
|
|
+++ coreutils-6.10/man/mkdir.1 2008-01-25 14:36:44.000000000 +0100
|
|
@@ -21,9 +21,9 @@ no error if existing, make parent direct
|
|
\fB\-v\fR, \fB\-\-verbose\fR
|
|
print a message for each created directory
|
|
.TP
|
|
-\fB\-Z\fR, \fB\-\-context\fR=\fICTX\fR
|
|
-set the SELinux security context of each created
|
|
-directory to CTX
|
|
+\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR
|
|
+(SELinux) set the SELinux security context of each
|
|
+created directory to CONTEXT
|
|
.TP
|
|
\fB\-\-help\fR
|
|
display this help and exit
|
|
diff -urp coreutils-6.10-orig/man/mkfifo.1 coreutils-6.10/man/mkfifo.1
|
|
--- coreutils-6.10-orig/man/mkfifo.1 2008-01-25 12:34:23.000000000 +0100
|
|
+++ coreutils-6.10/man/mkfifo.1 2008-01-25 14:43:27.000000000 +0100
|
|
@@ -10,8 +10,8 @@ mkfifo \- make FIFOs (named pipes)
|
|
.PP
|
|
Create named pipes (FIFOs) with the given NAMEs.
|
|
.TP
|
|
-\fB\-Z\fR, \fB\-\-context\fR=\fICTX\fR
|
|
-set the SELinux security context of each NAME to CTX
|
|
+\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR
|
|
+set the SELinux security context of each NAME to CONTEXT(quoted string)
|
|
.PP
|
|
Mandatory arguments to long options are mandatory for short options too.
|
|
.TP
|
|
diff -urp coreutils-6.10-orig/man/mknod.1 coreutils-6.10/man/mknod.1
|
|
--- coreutils-6.10-orig/man/mknod.1 2008-01-25 12:34:23.000000000 +0100
|
|
+++ coreutils-6.10/man/mknod.1 2008-01-25 14:39:49.000000000 +0100
|
|
@@ -10,8 +10,8 @@ mknod \- make block or character special
|
|
.PP
|
|
Create the special file NAME of the given TYPE.
|
|
.TP
|
|
-\fB\-Z\fR, \fB\-\-context\fR=\fICTX\fR
|
|
-set the SELinux security context of NAME to CTX
|
|
+\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR
|
|
+set the SELinux security context of NAME to CONTEXT
|
|
.PP
|
|
Mandatory arguments to long options are mandatory for short options too.
|
|
.TP
|
|
diff -urp coreutils-6.10-orig/man/stat.1 coreutils-6.10/man/stat.1
|
|
--- coreutils-6.10-orig/man/stat.1 2008-01-25 12:34:23.000000000 +0100
|
|
+++ coreutils-6.10/man/stat.1 2008-01-25 14:11:23.000000000 +0100
|
|
@@ -28,6 +28,9 @@ If you want a newline, include \en in FO
|
|
\fB\-t\fR, \fB\-\-terse\fR
|
|
print the information in terse form
|
|
.TP
|
|
+\fB\-Z\fR, \fB\-\-context\fR
|
|
+print security context information for SELinux if available.
|
|
+.TP
|
|
\fB\-\-help\fR
|
|
display this help and exit
|
|
.TP
|
|
diff -urp coreutils-6.10-orig/man/vdir.1 coreutils-6.10/man/vdir.1
|
|
--- coreutils-6.10-orig/man/vdir.1 2008-01-25 12:34:23.000000000 +0100
|
|
+++ coreutils-6.10/man/vdir.1 2008-01-25 14:35:10.000000000 +0100
|
|
@@ -208,6 +208,20 @@ print any SELinux security context of ea
|
|
.TP
|
|
\fB\-1\fR
|
|
list one file per line
|
|
+.PP
|
|
+SELINUX options:
|
|
+.TP
|
|
+\fB\-\-lcontext\fR
|
|
+Display SELinux security context. Enable \fB\-l\fR.
|
|
+Lines will probably be too wide for most displays.
|
|
+.TP
|
|
+\fB\-\-context\fR
|
|
+Display SELinux security context so it fits
|
|
+on most displays. Displays only mode, user,
|
|
+group, SELinux security context and file name.
|
|
+.TP
|
|
+\fB\-\-scontext\fR
|
|
+Display only SELinux security context and file name.
|
|
.TP
|
|
\fB\-\-help\fR
|
|
display this help and exit
|
|
diff -urp coreutils-6.10-orig/src/copy.c coreutils-6.10/src/copy.c
|
|
--- coreutils-6.10-orig/src/copy.c 2008-01-05 23:59:11.000000000 +0100
|
|
+++ coreutils-6.10/src/copy.c 2008-01-25 17:23:17.000000000 +0100
|
|
@@ -371,9 +371,10 @@ copy_reg (char const *src_name, char con
|
|
security_context_t con = NULL;
|
|
if (getfscreatecon (&con) < 0)
|
|
{
|
|
- error (0, errno, _("failed to get file system create context"));
|
|
+ //do not show error when we not require security context (-a option)
|
|
if (x->require_preserve_context)
|
|
{
|
|
+ error (0, errno, _("failed to get file system create context"));
|
|
return_val = false;
|
|
goto close_src_and_dst_desc;
|
|
}
|
|
@@ -383,11 +384,12 @@ copy_reg (char const *src_name, char con
|
|
{
|
|
if (fsetfilecon (dest_desc, con) < 0)
|
|
{
|
|
- error (0, errno,
|
|
- _("failed to set the security context of %s to %s"),
|
|
- quote_n (0, dst_name), quote_n (1, con));
|
|
+ //do not show error when we not require security context (-a option)
|
|
if (x->require_preserve_context)
|
|
{
|
|
+ error (0, errno,
|
|
+ _("failed to set the security context of %s to %s"),
|
|
+ quote_n (0, dst_name), quote_n (1, con));
|
|
return_val = false;
|
|
freecon (con);
|
|
goto close_src_and_dst_desc;
|
|
@@ -1630,11 +1632,12 @@ copy_internal (char const *src_name, cha
|
|
{
|
|
if (setfscreatecon (con) < 0)
|
|
{
|
|
- error (0, errno,
|
|
- _("failed to set default file creation context to %s"),
|
|
- quote (con));
|
|
+ //do not show error when we not require security context (-a option)
|
|
if (x->require_preserve_context)
|
|
{
|
|
+ error (0, errno,
|
|
+ _("failed to set default file creation context to %s"),
|
|
+ quote (con));
|
|
freecon (con);
|
|
return false;
|
|
}
|
|
@@ -1644,12 +1647,14 @@ copy_internal (char const *src_name, cha
|
|
else
|
|
{
|
|
if (errno != ENOTSUP && errno != ENODATA)
|
|
- {
|
|
- error (0, errno,
|
|
- _("failed to get security context of %s"),
|
|
- quote (src_name));
|
|
- if (x->require_preserve_context)
|
|
- return false;
|
|
+ {
|
|
+ //do not show error when we not require security context (-a option)
|
|
+ if (x->require_preserve_context) {
|
|
+ error (0, errno,
|
|
+ _("failed to get security context of %s"),
|
|
+ quote (src_name));
|
|
+ return false;
|
|
+ }
|
|
}
|
|
}
|
|
}
|
|
@@ -1735,6 +1740,8 @@ copy_internal (char const *src_name, cha
|
|
{
|
|
/* Here, we are crossing a file system boundary and cp's -x option
|
|
is in effect: so don't copy the contents of this directory. */
|
|
+ if (x->preserve_security_context)
|
|
+ restore_default_fscreatecon_or_die ();
|
|
}
|
|
else
|
|
{
|
|
diff -urp coreutils-6.10-orig/src/copy.h coreutils-6.10/src/copy.h
|
|
--- coreutils-6.10-orig/src/copy.h 2008-01-05 23:58:25.000000000 +0100
|
|
+++ coreutils-6.10/src/copy.h 2008-01-25 16:29:21.000000000 +0100
|
|
@@ -141,6 +141,9 @@ struct cp_options
|
|
bool preserve_mode;
|
|
bool preserve_timestamps;
|
|
|
|
+ /* If true, attempt to set specified security context */
|
|
+ bool set_security_context;
|
|
+
|
|
/* Enabled for mv, and for cp by the --preserve=links option.
|
|
If true, attempt to preserve in the destination files any
|
|
logical hard links between the source files. If used with cp's
|
|
diff -urp coreutils-6.10-orig/src/cp.c coreutils-6.10/src/cp.c
|
|
--- coreutils-6.10-orig/src/cp.c 2008-01-11 12:19:53.000000000 +0100
|
|
+++ coreutils-6.10/src/cp.c 2008-01-25 16:26:22.000000000 +0100
|
|
@@ -147,6 +147,7 @@ static struct option const long_opts[] =
|
|
{"target-directory", required_argument, NULL, 't'},
|
|
{"update", no_argument, NULL, 'u'},
|
|
{"verbose", no_argument, NULL, 'v'},
|
|
+ {"context", required_argument, NULL, 'Z'},
|
|
{GETOPT_HELP_OPTION_DECL},
|
|
{GETOPT_VERSION_OPTION_DECL},
|
|
{NULL, 0, NULL, 0}
|
|
@@ -200,6 +201,9 @@ Mandatory arguments to long options are
|
|
additional attributes: context, links, all\n\
|
|
"), stdout);
|
|
fputs (_("\
|
|
+ -c same as --preserve=context\n\
|
|
+"), stdout);
|
|
+ fputs (_("\
|
|
--no-preserve=ATTR_LIST don't preserve the specified attributes\n\
|
|
--parents use full source file name under DIRECTORY\n\
|
|
"), stdout);
|
|
@@ -225,6 +229,7 @@ Mandatory arguments to long options are
|
|
destination file is missing\n\
|
|
-v, --verbose explain what is being done\n\
|
|
-x, --one-file-system stay on this file system\n\
|
|
+ -Z, --context=CONTEXT set security context of copy to CONTEXT\n\
|
|
"), stdout);
|
|
fputs (HELP_OPTION_DESCRIPTION, stdout);
|
|
fputs (VERSION_OPTION_DESCRIPTION, stdout);
|
|
@@ -774,6 +779,7 @@ cp_option_init (struct cp_options *x)
|
|
x->preserve_timestamps = false;
|
|
x->preserve_security_context = false;
|
|
x->require_preserve_context = false;
|
|
+ x->set_security_context = false;
|
|
|
|
x->require_preserve = false;
|
|
x->recursive = false;
|
|
@@ -867,8 +873,10 @@ decode_preserve_arg (char const *arg, st
|
|
x->preserve_timestamps = on_off;
|
|
x->preserve_ownership = on_off;
|
|
x->preserve_links = on_off;
|
|
- if (selinux_enabled)
|
|
+ if (selinux_enabled) {
|
|
x->preserve_security_context = on_off;
|
|
+ x->require_preserve_context = on_off;
|
|
+ }
|
|
break;
|
|
|
|
default:
|
|
@@ -909,7 +917,7 @@ main (int argc, char **argv)
|
|
we'll actually use backup_suffix_string. */
|
|
backup_suffix_string = getenv ("SIMPLE_BACKUP_SUFFIX");
|
|
|
|
- while ((c = getopt_long (argc, argv, "abdfHilLprst:uvxPRS:T",
|
|
+ while ((c = getopt_long (argc, argv, "abcdfHilLprst:uvxPRS:TZ",
|
|
long_opts, NULL))
|
|
!= -1)
|
|
{
|
|
@@ -920,13 +928,15 @@ main (int argc, char **argv)
|
|
sparse_type_string, sparse_type);
|
|
break;
|
|
|
|
- case 'a': /* Like -dpPR. */
|
|
+ case 'a': /* Like -dpPRc. */
|
|
x.dereference = DEREF_NEVER;
|
|
x.preserve_links = true;
|
|
x.preserve_ownership = true;
|
|
x.preserve_mode = true;
|
|
x.preserve_timestamps = true;
|
|
- x.require_preserve = true;
|
|
+ x.require_preserve = true;
|
|
+ if (selinux_enabled)
|
|
+ x.preserve_security_context = true;
|
|
x.recursive = true;
|
|
break;
|
|
|
|
@@ -940,6 +950,16 @@ main (int argc, char **argv)
|
|
copy_contents = true;
|
|
break;
|
|
|
|
+ case 'c':
|
|
+ if ( x.set_security_context ) {
|
|
+ (void) fprintf(stderr, "%s: cannot force target context and preserve it\n", argv[0]);
|
|
+ exit( 1 );
|
|
+ }
|
|
+ else if (selinux_enabled) {
|
|
+ x.preserve_security_context = true;
|
|
+ x.require_preserve_context = true;
|
|
+ }
|
|
+ break;
|
|
case 'd':
|
|
x.preserve_links = true;
|
|
x.dereference = DEREF_NEVER;
|
|
@@ -1052,6 +1072,27 @@ main (int argc, char **argv)
|
|
x.one_file_system = true;
|
|
break;
|
|
|
|
+
|
|
+ case 'Z':
|
|
+ /* politely decline if we're not on a selinux-enabled kernel. */
|
|
+ if( !selinux_enabled ) {
|
|
+ fprintf( stderr, "Warning: ignoring --context (-Z). "
|
|
+ "It requires a SELinux enabled kernel.\n" );
|
|
+ break;
|
|
+ }
|
|
+ if ( x.preserve_security_context ) {
|
|
+ (void) fprintf(stderr, "%s: cannot force target context to '%s' and preserve it\n", argv[0], optarg);
|
|
+ exit( 1 );
|
|
+ }
|
|
+ x.set_security_context = true;
|
|
+ /* if there's a security_context given set new path
|
|
+ components to that context, too */
|
|
+ if ( setfscreatecon(optarg) < 0 ) {
|
|
+ (void) fprintf(stderr, _("cannot set default security context %s\n"), optarg);
|
|
+ exit( 1 );
|
|
+ }
|
|
+ break;
|
|
+
|
|
case 'S':
|
|
make_backups = true;
|
|
backup_suffix_string = optarg;
|
|
diff -urp coreutils-6.10-orig/src/id.c coreutils-6.10/src/id.c
|
|
--- coreutils-6.10-orig/src/id.c 2008-01-05 23:59:11.000000000 +0100
|
|
+++ coreutils-6.10/src/id.c 2008-01-25 17:13:53.000000000 +0100
|
|
@@ -110,7 +110,7 @@ int
|
|
main (int argc, char **argv)
|
|
{
|
|
int optc;
|
|
- int selinux_enabled = (is_selinux_enabled () > 0);
|
|
+ bool selinux_enabled = (is_selinux_enabled () > 0);
|
|
|
|
/* If true, output the list of all group IDs. -G */
|
|
bool just_group_list = false;
|
|
diff -urp coreutils-6.10-orig/src/install.c coreutils-6.10/src/install.c
|
|
--- coreutils-6.10-orig/src/install.c 2008-01-05 23:59:11.000000000 +0100
|
|
+++ coreutils-6.10/src/install.c 2008-01-25 17:32:42.000000000 +0100
|
|
|
|
@@ -146,11 +146,11 @@ static struct option const long_options[
|
|
{"no-target-directory", no_argument, NULL, 'T'},
|
|
{"owner", required_argument, NULL, 'o'},
|
|
{"preserve-timestamps", no_argument, NULL, 'p'},
|
|
- {"preserve-context", no_argument, NULL, PRESERVE_CONTEXT_OPTION},
|
|
+ {"preserve-context", no_argument, NULL, 'P'},
|
|
/* Continue silent support for --preserve_context until Jan 2008. FIXME-obs
|
|
After that, FIXME-obs: warn in, say, late 2008, and disable altogether
|
|
a year or two later. */
|
|
- {"preserve_context", no_argument, NULL, PRESERVE_CONTEXT_OPTION},
|
|
+ {"preserve_context", no_argument, NULL, 'P'},
|
|
{"strip", no_argument, NULL, 's'},
|
|
{"suffix", required_argument, NULL, 'S'},
|
|
{"target-directory", required_argument, NULL, 't'},
|
|
@@ -178,6 +178,7 @@ cp_option_init (struct cp_options *x)
|
|
x->preserve_timestamps = false;
|
|
x->require_preserve = false;
|
|
x->require_preserve_context = false;
|
|
+ x->set_security_context = false;
|
|
x->recursive = false;
|
|
x->sparse_mode = SPARSE_AUTO;
|
|
x->symbolic_link = false;
|
|
@@ -199,7 +199,6 @@ cp_option_init (struct cp_options *x)
|
|
x->src_info = NULL;
|
|
}
|
|
|
|
-#ifdef ENABLE_WHEN_MATCHPATHCON_IS_MORE_EFFICIENT
|
|
/* Modify file context to match the specified policy.
|
|
If an error occurs the file will remain with the default directory
|
|
context. */
|
|
@@ -266,13 +265,6 @@ setdefaultfilecon (char const *file)
|
|
freecon (scontext);
|
|
return;
|
|
}
|
|
-#else
|
|
-static void
|
|
-setdefaultfilecon (char const *file)
|
|
-{
|
|
- (void) file;
|
|
-}
|
|
-#endif
|
|
|
|
/* FILE is the last operand of this command. Return true if FILE is a
|
|
directory. But report an error there is a problem accessing FILE,
|
|
@@ -346,7 +338,7 @@ main (int argc, char **argv)
|
|
we'll actually use backup_suffix_string. */
|
|
backup_suffix_string = getenv ("SIMPLE_BACKUP_SUFFIX");
|
|
|
|
- while ((optc = getopt_long (argc, argv, "bcsDdg:m:o:pt:TvS:Z:", long_options,
|
|
+ while ((optc = getopt_long (argc, argv, "bcsDdg:m:o:pPt:TvS:Z:", long_options,
|
|
NULL)) != -1)
|
|
{
|
|
switch (optc)
|
|
@@ -408,6 +409,7 @@ main (int argc, char **argv)
|
|
no_target_directory = true;
|
|
break;
|
|
|
|
+ case 'P':
|
|
case PRESERVE_CONTEXT_OPTION:
|
|
if ( ! selinux_enabled)
|
|
{
|
|
@@ -415,6 +417,10 @@ main (int argc, char **argv)
|
|
"this kernel is not SELinux-enabled."));
|
|
break;
|
|
}
|
|
+ if ( x.set_security_context ) {
|
|
+ (void) fprintf(stderr, "%s: cannot force target context and preserve it\n", argv[0]);
|
|
+ exit( 1 );
|
|
+ }
|
|
x.preserve_security_context = true;
|
|
use_default_selinux_context = false;
|
|
break;
|
|
@@ -432,6 +432,7 @@ main (int argc, char **argv)
|
|
break;
|
|
}
|
|
scontext = optarg;
|
|
+ x.set_security_context = true;
|
|
use_default_selinux_context = false;
|
|
break;
|
|
case_GETOPT_HELP_CHAR;
|
|
@@ -825,8 +831,8 @@ Mandatory arguments to long options are
|
|
-v, --verbose print the name of each directory as it is created\n\
|
|
"), stdout);
|
|
fputs (_("\
|
|
- --preserve-context preserve SELinux security context\n\
|
|
- -Z, --context=CONTEXT set SELinux security context of files and directories\n\
|
|
+ -P, --preserve-context (SELinux) preserve security context\n\
|
|
+ -Z, --context=CONTEXT (SELinux) set security context of files and directories\n\
|
|
"), stdout);
|
|
|
|
fputs (HELP_OPTION_DESCRIPTION, stdout);
|
|
diff -urp coreutils-6.10-orig/src/ls.c coreutils-6.10/src/ls.c
|
|
--- coreutils-6.10-orig/src/ls.c 2008-01-11 11:34:22.000000000 +0100
|
|
+++ coreutils-6.10/src/ls.c 2008-01-25 15:34:49.000000000 +0100
|
|
@@ -134,7 +134,8 @@ enum filetype
|
|
symbolic_link,
|
|
sock,
|
|
whiteout,
|
|
- arg_directory
|
|
+ arg_directory,
|
|
+ command_line
|
|
};
|
|
|
|
/* Display letters and indicators for each filetype.
|
|
@@ -177,8 +178,9 @@ struct fileinfo
|
|
exists, otherwise false. */
|
|
bool linkok;
|
|
|
|
- /* For long listings, true if the file has an access control list,
|
|
- or an SELinux security context. */
|
|
+ /* For long listings, true if the file has an access control list.
|
|
+ Unlike with upstream not true for SELinux scontext(#430779) as
|
|
+ this removes possibility to detect ACL via ls */
|
|
bool have_acl;
|
|
};
|
|
|
|
@@ -241,6 +242,7 @@ static void queue_directory (char const
|
|
static void sort_files (void);
|
|
static void parse_ls_color (void);
|
|
void usage (int status);
|
|
+static void print_scontext_format (const struct fileinfo *f);
|
|
|
|
/* The name this program was run with. */
|
|
char *program_name;
|
|
@@ -314,7 +316,7 @@ static struct pending *pending_dirs;
|
|
static time_t current_time = TYPE_MINIMUM (time_t);
|
|
static int current_time_ns = -1;
|
|
|
|
-static bool print_scontext;
|
|
+static int print_scontext = 0;
|
|
static char UNKNOWN_SECURITY_CONTEXT[] = "?";
|
|
|
|
/* Whether any of the files has an ACL. This affects the width of the
|
|
@@ -354,7 +356,9 @@ enum format
|
|
one_per_line, /* -1 */
|
|
many_per_line, /* -C */
|
|
horizontal, /* -x */
|
|
- with_commas /* -m */
|
|
+ with_commas, /* -m */
|
|
+ security_format, /* -Z */
|
|
+ invalid_format
|
|
};
|
|
|
|
static enum format format;
|
|
@@ -731,6 +735,9 @@ enum
|
|
SHOW_CONTROL_CHARS_OPTION,
|
|
SI_OPTION,
|
|
SORT_OPTION,
|
|
+ CONTEXT_OPTION,
|
|
+ LCONTEXT_OPTION,
|
|
+ SCONTEXT_OPTION,
|
|
TIME_OPTION,
|
|
TIME_STYLE_OPTION
|
|
};
|
|
@@ -776,7 +783,9 @@ static struct option const long_options[
|
|
{"time-style", required_argument, NULL, TIME_STYLE_OPTION},
|
|
{"color", optional_argument, NULL, COLOR_OPTION},
|
|
{"block-size", required_argument, NULL, BLOCK_SIZE_OPTION},
|
|
- {"context", no_argument, 0, 'Z'},
|
|
+ {"context", no_argument, 0, CONTEXT_OPTION},
|
|
+ {"lcontext", no_argument, 0, LCONTEXT_OPTION},
|
|
+ {"scontext", no_argument, 0, SCONTEXT_OPTION},
|
|
{"author", no_argument, NULL, AUTHOR_OPTION},
|
|
{GETOPT_HELP_OPTION_DECL},
|
|
{GETOPT_VERSION_OPTION_DECL},
|
|
@@ -786,12 +795,12 @@ static struct option const long_options[
|
|
static char const *const format_args[] =
|
|
{
|
|
"verbose", "long", "commas", "horizontal", "across",
|
|
- "vertical", "single-column", NULL
|
|
+ "vertical", "single-column", "context", NULL
|
|
};
|
|
static enum format const format_types[] =
|
|
{
|
|
long_format, long_format, with_commas, horizontal, horizontal,
|
|
- many_per_line, one_per_line
|
|
+ many_per_line, one_per_line, security_format
|
|
};
|
|
ARGMATCH_VERIFY (format_args, format_types);
|
|
|
|
@@ -1236,7 +1245,7 @@ main (int argc, char **argv)
|
|
|
|
format_needs_stat = sort_type == sort_time || sort_type == sort_size
|
|
|| format == long_format
|
|
- || print_scontext
|
|
+ || format == security_format || print_scontext
|
|
|| print_block_size;
|
|
format_needs_type = (! format_needs_stat
|
|
&& (recursive
|
|
@@ -1267,7 +1276,7 @@ main (int argc, char **argv)
|
|
}
|
|
else
|
|
do
|
|
- gobble_file (argv[i++], unknown, NOT_AN_INODE_NUMBER, true, "");
|
|
+ gobble_file (argv[i++], command_line, NOT_AN_INODE_NUMBER, true, "");
|
|
while (i < argc);
|
|
|
|
if (cwd_n_used)
|
|
@@ -1429,7 +1438,7 @@ decode_switches (int argc, char **argv)
|
|
ignore_mode = IGNORE_DEFAULT;
|
|
ignore_patterns = NULL;
|
|
hide_patterns = NULL;
|
|
- print_scontext = false;
|
|
+ print_scontext = 0;
|
|
|
|
/* FIXME: put this in a function. */
|
|
{
|
|
@@ -1811,13 +1820,27 @@ decode_switches (int argc, char **argv)
|
|
break;
|
|
|
|
case 'Z':
|
|
- print_scontext = true;
|
|
+ print_scontext = 1;
|
|
+ format = security_format;
|
|
break;
|
|
|
|
case_GETOPT_HELP_CHAR;
|
|
|
|
case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
|
|
|
|
+ case CONTEXT_OPTION: /* default security context format */
|
|
+ print_scontext = 1;
|
|
+ format = security_format;
|
|
+ break;
|
|
+ case LCONTEXT_OPTION: /* long format plus security context */
|
|
+ print_scontext = 1;
|
|
+ format = long_format;
|
|
+ break;
|
|
+ case SCONTEXT_OPTION: /* short form of new security format */
|
|
+ print_scontext = 0;
|
|
+ format = security_format;
|
|
+ break;
|
|
+
|
|
default:
|
|
usage (LS_FAILURE);
|
|
}
|
|
@@ -2517,8 +2540,10 @@ clear_files (void)
|
|
struct fileinfo *f = sorted_file[i];
|
|
free (f->name);
|
|
free (f->linkname);
|
|
- if (f->scontext != UNKNOWN_SECURITY_CONTEXT)
|
|
- freecon (f->scontext);
|
|
+ if (f->scontext != UNKNOWN_SECURITY_CONTEXT) {
|
|
+ freecon (f->scontext);
|
|
+ f->scontext = NULL;
|
|
+ }
|
|
}
|
|
|
|
cwd_n_used = 0;
|
|
@@ -2560,6 +2585,7 @@ gobble_file (char const *name, enum file
|
|
memset (f, '\0', sizeof *f);
|
|
f->stat.st_ino = inode;
|
|
f->filetype = type;
|
|
+ f->scontext = NULL;
|
|
|
|
if (command_line_arg
|
|
|| format_needs_stat
|
|
@@ -2609,7 +2635,7 @@ gobble_file (char const *name, enum file
|
|
{
|
|
case DEREF_ALWAYS:
|
|
err = stat (absolute_name, &f->stat);
|
|
- do_deref = true;
|
|
+ do_deref = true;
|
|
break;
|
|
|
|
case DEREF_COMMAND_LINE_ARGUMENTS:
|
|
@@ -2618,7 +2644,7 @@ gobble_file (char const *name, enum file
|
|
{
|
|
bool need_lstat;
|
|
err = stat (absolute_name, &f->stat);
|
|
- do_deref = true;
|
|
+ do_deref = true;
|
|
|
|
if (dereference == DEREF_COMMAND_LINE_ARGUMENTS)
|
|
break;
|
|
@@ -2637,7 +2663,7 @@ gobble_file (char const *name, enum file
|
|
|
|
default: /* DEREF_NEVER */
|
|
err = lstat (absolute_name, &f->stat);
|
|
- do_deref = false;
|
|
+ do_deref = false;
|
|
break;
|
|
}
|
|
|
|
@@ -2659,7 +2685,7 @@ gobble_file (char const *name, enum file
|
|
|
|
f->stat_ok = true;
|
|
|
|
- if (format == long_format || print_scontext)
|
|
+ if (format == long_format || format == security_format)
|
|
{
|
|
bool have_acl = false;
|
|
int attr_len = (do_deref
|
|
@@ -2667,9 +2694,7 @@ gobble_file (char const *name, enum file
|
|
: lgetfilecon (absolute_name, &f->scontext));
|
|
err = (attr_len < 0);
|
|
|
|
- if (err == 0)
|
|
- have_acl = ! STREQ ("unlabeled", f->scontext);
|
|
- else
|
|
+ if (err != 0)
|
|
{
|
|
f->scontext = UNKNOWN_SECURITY_CONTEXT;
|
|
|
|
@@ -2681,7 +2706,7 @@ gobble_file (char const *name, enum file
|
|
err = 0;
|
|
}
|
|
|
|
- if (err == 0 && ! have_acl && format == long_format)
|
|
+ if (err == 0 && format == long_format)
|
|
{
|
|
int n = file_has_acl (absolute_name, &f->stat);
|
|
err = (n < 0);
|
|
@@ -3255,6 +3281,13 @@ print_current_files (void)
|
|
print_long_format (sorted_file[i]);
|
|
DIRED_PUTCHAR ('\n');
|
|
}
|
|
+ break;
|
|
+ case security_format:
|
|
+ for (i = 0; i < cwd_n_used; i++)
|
|
+ {
|
|
+ print_scontext_format (sorted_file[i]);
|
|
+ DIRED_PUTCHAR ('\n');
|
|
+ }
|
|
break;
|
|
}
|
|
}
|
|
@@ -3481,7 +3514,7 @@ print_long_format (const struct fileinfo
|
|
The latter is wrong when inode_number_width is zero. */
|
|
p += strlen (p);
|
|
}
|
|
-
|
|
+
|
|
if (print_block_size)
|
|
{
|
|
char hbuf[LONGEST_HUMAN_READABLE + 1];
|
|
@@ -3510,9 +3543,15 @@ print_long_format (const struct fileinfo
|
|
The latter is wrong when nlink_width is zero. */
|
|
p += strlen (p);
|
|
|
|
+ if (print_scontext)
|
|
+ {
|
|
+ sprintf (p, "%-32s ", f->scontext ? f->scontext : "");
|
|
+ p += strlen (p);
|
|
+ }
|
|
+
|
|
DIRED_INDENT ();
|
|
|
|
- if (print_owner | print_group | print_author | print_scontext)
|
|
+ if (print_owner | print_group | print_author)
|
|
{
|
|
DIRED_FPUTS (buf, stdout, p - buf);
|
|
|
|
@@ -3525,9 +3564,6 @@ print_long_format (const struct fileinfo
|
|
if (print_author)
|
|
format_user (f->stat.st_author, author_width, f->stat_ok);
|
|
|
|
- if (print_scontext)
|
|
- format_user_or_group (f->scontext, 0, scontext_width);
|
|
-
|
|
p = buf;
|
|
}
|
|
|
|
@@ -3864,9 +3900,6 @@ print_file_name_and_frills (const struct
|
|
human_readable (ST_NBLOCKS (f->stat), buf, human_output_opts,
|
|
ST_NBLOCKSIZE, output_block_size));
|
|
|
|
- if (print_scontext)
|
|
- printf ("%*s ", format == with_commas ? 0 : scontext_width, f->scontext);
|
|
-
|
|
print_name_with_quoting (f->name, FILE_OR_LINK_MODE (f), f->linkok,
|
|
f->stat_ok, f->filetype, NULL);
|
|
|
|
@@ -4030,9 +4063,6 @@ length_of_file_name_and_frills (const st
|
|
output_block_size))
|
|
: block_size_width);
|
|
|
|
- if (print_scontext)
|
|
- len += 1 + (format == with_commas ? strlen (f->scontext) : scontext_width);
|
|
-
|
|
quote_name (NULL, f->name, filename_quoting_options, &name_width);
|
|
len += name_width;
|
|
|
|
@@ -4461,9 +4491,16 @@ Mandatory arguments to long options are
|
|
-w, --width=COLS assume screen width instead of current value\n\
|
|
-x list entries by lines instead of by columns\n\
|
|
-X sort alphabetically by entry extension\n\
|
|
- -Z, --context print any SELinux security context of each file\n\
|
|
-1 list one file per line\n\
|
|
"), stdout);
|
|
+ fputs(_("\nSELINUX options:\n\n\
|
|
+ --lcontext Display security context. Enable -l. Lines\n\
|
|
+ will probably be too wide for most displays.\n\
|
|
+ -Z, --context Display security context so it fits on most\n\
|
|
+ displays. Displays only mode, user, group,\n\
|
|
+ security context and file name.\n\
|
|
+ --scontext Display only security context and file name.\n\
|
|
+"), stdout);
|
|
fputs (HELP_OPTION_DESCRIPTION, stdout);
|
|
fputs (VERSION_OPTION_DESCRIPTION, stdout);
|
|
fputs (_("\n\
|
|
@@ -4487,3 +4524,67 @@ Exit status is 0 if OK, 1 if minor probl
|
|
}
|
|
exit (status);
|
|
}
|
|
+
|
|
+static void
|
|
+print_scontext_format (const struct fileinfo *f)
|
|
+{
|
|
+ char modebuf[12];
|
|
+
|
|
+ /* 7 fields that may require LONGEST_HUMAN_READABLE bytes,
|
|
+ 1 10-byte mode string,
|
|
+ 9 spaces, one following each of these fields, and
|
|
+ 1 trailing NUL byte. */
|
|
+
|
|
+ char init_bigbuf[7 * LONGEST_HUMAN_READABLE + 10 + 9 + 1];
|
|
+ char *buf = init_bigbuf;
|
|
+ size_t bufsize = sizeof (init_bigbuf);
|
|
+ size_t s;
|
|
+ char *p;
|
|
+ const char *fmt;
|
|
+ char *user_name;
|
|
+ char *group_name;
|
|
+ int rv;
|
|
+ char *scontext;
|
|
+
|
|
+ p = buf;
|
|
+
|
|
+ if ( print_scontext ) { /* zero means terse listing */
|
|
+ filemodestring (&f->stat, modebuf);
|
|
+ modebuf[10] = (f->have_acl ? '+' : ' ');
|
|
+ modebuf[11] = '\0';
|
|
+
|
|
+ /* print mode */
|
|
+
|
|
+ (void) sprintf (p, "%s ", modebuf);
|
|
+ p += strlen (p);
|
|
+
|
|
+ /* print standard user and group */
|
|
+
|
|
+ DIRED_FPUTS (buf, stdout, p - buf);
|
|
+ format_user (f->stat.st_uid, owner_width, f->stat_ok);
|
|
+ format_group (f->stat.st_gid, group_width, f->stat_ok);
|
|
+ p = buf;
|
|
+ }
|
|
+
|
|
+ (void) sprintf (p, "%-32s ", f->scontext ?: "");
|
|
+ p += strlen (p);
|
|
+
|
|
+ DIRED_INDENT ();
|
|
+ DIRED_FPUTS (buf, stdout, p - buf);
|
|
+ print_name_with_quoting (f->name, f->stat.st_mode, f->linkok,
|
|
+ f->stat_ok, f->filetype, &dired_obstack);
|
|
+
|
|
+ if (f->filetype == symbolic_link) {
|
|
+ if (f->linkname) {
|
|
+ DIRED_FPUTS_LITERAL (" -> ", stdout);
|
|
+ print_name_with_quoting (f->linkname, f->linkmode, f->linkok - 1,
|
|
+ f->stat_ok, f->filetype, NULL);
|
|
+ if (indicator_style != none)
|
|
+ print_type_indicator (f->stat_ok, f->linkmode, f->filetype);
|
|
+ }
|
|
+ }
|
|
+ else {
|
|
+ if (indicator_style != none)
|
|
+ print_type_indicator (f->stat_ok, f->stat.st_mode, f->filetype);
|
|
+ }
|
|
+}
|
|
diff -urp coreutils-6.10-orig/src/mkdir.c coreutils-6.10/src/mkdir.c
|
|
--- coreutils-6.10-orig/src/mkdir.c 2008-01-05 23:58:25.000000000 +0100
|
|
+++ coreutils-6.10/src/mkdir.c 2008-01-25 16:35:14.000000000 +0100
|
|
@@ -41,6 +41,7 @@ char *program_name;
|
|
static struct option const longopts[] =
|
|
{
|
|
{GETOPT_SELINUX_CONTEXT_OPTION_DECL},
|
|
+ {"context", required_argument, NULL, 'Z'},
|
|
{"mode", required_argument, NULL, 'm'},
|
|
{"parents", no_argument, NULL, 'p'},
|
|
{"verbose", no_argument, NULL, 'v'},
|
|
@@ -69,8 +70,8 @@ Mandatory arguments to long options are
|
|
-m, --mode=MODE set file mode (as in chmod), not a=rwx - umask\n\
|
|
-p, --parents no error if existing, make parent directories as needed\n\
|
|
-v, --verbose print a message for each created directory\n\
|
|
- -Z, --context=CTX set the SELinux security context of each created\n\
|
|
- directory to CTX\n\
|
|
+ -Z, --context=CONTEXT set the SELinux security context of each created\n\
|
|
+ createddirectory to CONTEXT\n\
|
|
"), stdout);
|
|
fputs (HELP_OPTION_DESCRIPTION, stdout);
|
|
fputs (VERSION_OPTION_DESCRIPTION, stdout);
|
|
@@ -173,6 +174,12 @@ main (int argc, char **argv)
|
|
options.created_directory_format = _("created directory %s");
|
|
break;
|
|
case 'Z':
|
|
+ /* politely decline if we're not on a selinux-enabled kernel. */
|
|
+ if( !(is_selinux_enabled()>0)) {
|
|
+ fprintf( stderr, "Sorry, --context (-Z) can be used only on "
|
|
+ "a selinux-enabled kernel.\n" );
|
|
+ exit( 1 );
|
|
+ }
|
|
scontext = optarg;
|
|
break;
|
|
case_GETOPT_HELP_CHAR;
|
|
diff -urp coreutils-6.10-orig/src/mkfifo.c coreutils-6.10/src/mkfifo.c
|
|
--- coreutils-6.10-orig/src/mkfifo.c 2008-01-05 23:58:25.000000000 +0100
|
|
+++ coreutils-6.10/src/mkfifo.c 2008-01-25 16:58:15.000000000 +0100
|
|
@@ -58,7 +58,8 @@ Create named pipes (FIFOs) with the give
|
|
\n\
|
|
"), stdout);
|
|
fputs (_("\
|
|
- -Z, --context=CTX set the SELinux security context of each NAME to CTX\n\
|
|
+ -Z, --context=CONTEXT set the SELinux security context \n\
|
|
+ of each NAME to CONTEXT(quoted string)\n\
|
|
"), stdout);
|
|
fputs (_("\
|
|
Mandatory arguments to long options are mandatory for short options too.\n\
|
|
@@ -98,6 +99,12 @@ main (int argc, char **argv)
|
|
specified_mode = optarg;
|
|
break;
|
|
case 'Z':
|
|
+ if (!(0 < is_selinux_enabled()))
|
|
+ {
|
|
+ fprintf( stderr, "Sorry, --context (-Z) can be used only on "
|
|
+ "a selinux-enabled kernel.\n" );
|
|
+ exit (1);
|
|
+ }
|
|
scontext = optarg;
|
|
break;
|
|
case_GETOPT_HELP_CHAR;
|
|
diff -urp coreutils-6.10-orig/src/mknod.c coreutils-6.10/src/mknod.c
|
|
--- coreutils-6.10-orig/src/mknod.c 2008-01-05 23:58:25.000000000 +0100
|
|
+++ coreutils-6.10/src/mknod.c 2008-01-25 17:01:11.000000000 +0100
|
|
@@ -38,7 +38,7 @@ char *program_name;
|
|
|
|
static struct option const longopts[] =
|
|
{
|
|
- {GETOPT_SELINUX_CONTEXT_OPTION_DECL},
|
|
+ {GETOPT_SELINUX_CONTEXT_OPTION_DECL},
|
|
{"mode", required_argument, NULL, 'm'},
|
|
{GETOPT_HELP_OPTION_DECL},
|
|
{GETOPT_VERSION_OPTION_DECL},
|
|
@@ -60,7 +60,8 @@ Create the special file NAME of the give
|
|
\n\
|
|
"), stdout);
|
|
fputs(_("\
|
|
- -Z, --context=CTX set the SELinux security context of NAME to CTX\n\
|
|
+ -Z, --context=CONTEXT set the SELinux security context \n\
|
|
+ of NAME to CONTEXT(quoted string)\n\
|
|
"), stdout);
|
|
fputs (_("\
|
|
Mandatory arguments to long options are mandatory for short options too.\n\
|
|
@@ -114,6 +115,12 @@ main (int argc, char **argv)
|
|
specified_mode = optarg;
|
|
break;
|
|
case 'Z':
|
|
+ /* politely decline if we're not on a selinux-enabled kernel. */
|
|
+ if( !(is_selinux_enabled()>0)) {
|
|
+ fprintf( stderr, "Sorry, --context (-Z) can be used only on "
|
|
+ "a selinux-enabled kernel.\n" );
|
|
+ exit( 1 );
|
|
+ }
|
|
scontext = optarg;
|
|
break;
|
|
case_GETOPT_HELP_CHAR;
|
|
diff -urp coreutils-6.10-orig/src/mv.c coreutils-6.10/src/mv.c
|
|
--- coreutils-6.10-orig/src/mv.c 2008-01-05 23:59:11.000000000 +0100
|
|
+++ coreutils-6.10/src/mv.c 2008-01-25 17:11:50.000000000 +0100
|
|
@@ -137,6 +137,7 @@ cp_option_init (struct cp_options *x)
|
|
x->preserve_mode = true;
|
|
x->preserve_timestamps = true;
|
|
x->preserve_security_context = selinux_enabled;
|
|
+ x->set_security_context = false;
|
|
x->require_preserve = false; /* FIXME: maybe make this an option */
|
|
x->require_preserve_context = false;
|
|
x->recursive = true;
|
|
diff -urp coreutils-6.10-orig/src/stat.c coreutils-6.10/src/stat.c
|
|
--- coreutils-6.10-orig/src/stat.c 2008-01-05 23:59:11.000000000 +0100
|
|
+++ coreutils-6.10/src/stat.c 2008-01-25 16:50:24.000000000 +0100
|
|
@@ -831,7 +831,7 @@ print_it (char const *format, char const
|
|
|
|
/* Stat the file system and print what we find. */
|
|
static bool
|
|
-do_statfs (char const *filename, bool terse, char const *format)
|
|
+do_statfs (char const *filename, bool terse, bool secure, char const *format)
|
|
{
|
|
STRUCT_STATVFS statfsbuf;
|
|
|
|
@@ -843,15 +843,31 @@ do_statfs (char const *filename, bool te
|
|
}
|
|
|
|
if (format == NULL)
|
|
+ {
|
|
+ if (terse)
|
|
{
|
|
- format = (terse
|
|
- ? "%n %i %l %t %s %S %b %f %a %c %d\n"
|
|
- : " File: \"%n\"\n"
|
|
- " ID: %-8i Namelen: %-7l Type: %T\n"
|
|
- "Block size: %-10s Fundamental block size: %S\n"
|
|
- "Blocks: Total: %-10b Free: %-10f Available: %a\n"
|
|
- "Inodes: Total: %-10c Free: %d\n");
|
|
+ if (secure)
|
|
+ format = "%n %i %l %t %s %S %b %f %a %c %d %C\n";
|
|
+ else
|
|
+ format = "%n %i %l %t %s %S %b %f %a %c %d\n";
|
|
}
|
|
+ else
|
|
+ {
|
|
+ if (secure)
|
|
+ format = " File: \"%n\"\n"
|
|
+ " ID: %-8i Namelen: %-7l Type: %T\n"
|
|
+ "Block size: %-10s Fundamental block size: %S\n"
|
|
+ "Blocks: Total: %-10b Free: %-10f Available: %a\n"
|
|
+ "Inodes: Total: %-10c Free: %d\n"
|
|
+ " S_Context: %C\n";
|
|
+ else
|
|
+ format = " File: \"%n\"\n"
|
|
+ " ID: %-8i Namelen: %-7l Type: %T\n"
|
|
+ "Block size: %-10s Fundamental block size: %S\n"
|
|
+ "Blocks: Total: %-10b Free: %-10f Available: %a\n"
|
|
+ "Inodes: Total: %-10c Free: %d\n";
|
|
+ }
|
|
+ }
|
|
|
|
print_it (format, filename, print_statfs, &statfsbuf);
|
|
return true;
|
|
@@ -859,7 +875,7 @@ do_statfs (char const *filename, bool te
|
|
|
|
/* stat the file and print what we find */
|
|
static bool
|
|
-do_stat (char const *filename, bool terse, char const *format)
|
|
+do_stat (char const *filename, bool secure , bool terse, char const *format)
|
|
{
|
|
struct stat statbuf;
|
|
|
|
@@ -872,9 +888,12 @@ do_stat (char const *filename, bool ters
|
|
if (format == NULL)
|
|
{
|
|
if (terse)
|
|
- {
|
|
- format = "%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %o\n";
|
|
- }
|
|
+ {
|
|
+ if (secure)
|
|
+ format = "%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %o %C\n";
|
|
+ else
|
|
+ format = "%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %o\n";
|
|
+ }
|
|
else
|
|
{
|
|
/* Temporary hack to match original output until conditional
|
|
@@ -891,12 +910,22 @@ do_stat (char const *filename, bool ters
|
|
}
|
|
else
|
|
{
|
|
- format =
|
|
- " File: %N\n"
|
|
- " Size: %-10s\tBlocks: %-10b IO Block: %-6o %F\n"
|
|
- "Device: %Dh/%dd\tInode: %-10i Links: %h\n"
|
|
- "Access: (%04a/%10.10A) Uid: (%5u/%8U) Gid: (%5g/%8G)\n"
|
|
- "Access: %x\n" "Modify: %y\n" "Change: %z\n";
|
|
+ if (secure)
|
|
+ format =
|
|
+ " File: %N\n"
|
|
+ " Size: %-10s\tBlocks: %-10b IO Block: %-6o %F\n"
|
|
+ "Device: %Dh/%dd\tInode: %-10i Links: %-5h"
|
|
+ " Device type: %t,%T\n"
|
|
+ "Access: (%04a/%10.10A) Uid: (%5u/%8U) Gid: (%5g/%8G)\n"
|
|
+ " S_Context: %C\n"
|
|
+ "Access: %x\n" "Modify: %y\n" "Change: %z\n";
|
|
+ else
|
|
+ format =
|
|
+ " File: %N\n"
|
|
+ " Size: %-10s\tBlocks: %-10b IO Block: %-6o %F\n"
|
|
+ "Device: %Dh/%dd\tInode: %-10i Links: %h\n"
|
|
+ "Access: (%04a/%10.10A) Uid: (%5u/%8U) Gid: (%5g/%8G)\n"
|
|
+ "Access: %x\n" "Modify: %y\n" "Change: %z\n";
|
|
}
|
|
}
|
|
}
|
|
@@ -917,6 +946,7 @@ usage (int status)
|
|
Display file or file system status.\n\
|
|
\n\
|
|
-L, --dereference follow links\n\
|
|
+ -Z, --context print the SELinux security context \n\
|
|
-f, --file-system display file system status instead of file status\n\
|
|
"), stdout);
|
|
fputs (_("\
|
|
@@ -1001,6 +1031,7 @@ main (int argc, char *argv[])
|
|
int i;
|
|
bool fs = false;
|
|
bool terse = false;
|
|
+ bool secure = false;
|
|
char *format = NULL;
|
|
bool ok = true;
|
|
|
|
@@ -1040,9 +1071,13 @@ main (int argc, char *argv[])
|
|
terse = true;
|
|
break;
|
|
|
|
- case 'Z': /* FIXME: remove in 2010, warn in mid 2008 */
|
|
- /* Ignored, for compatibility with distributions
|
|
- that implemented this before upstream. */
|
|
+ case 'Z':
|
|
+ if((is_selinux_enabled()>0))
|
|
+ secure = 1;
|
|
+ else {
|
|
+ error (0, 0, _("Kernel is not SELinux enabled"));
|
|
+ usage (EXIT_FAILURE);
|
|
+ }
|
|
break;
|
|
|
|
case_GETOPT_HELP_CHAR;
|
|
@@ -1062,8 +1097,8 @@ main (int argc, char *argv[])
|
|
|
|
for (i = optind; i < argc; i++)
|
|
ok &= (fs
|
|
- ? do_statfs (argv[i], terse, format)
|
|
- : do_stat (argv[i], terse, format));
|
|
+ ? do_statfs (argv[i], terse, secure, format)
|
|
+ : do_stat (argv[i], terse, secure, format));
|
|
|
|
exit (ok ? EXIT_SUCCESS : EXIT_FAILURE);
|
|
}
|
|
diff -urp coreutils-6.10-orig/tests/misc/selinux coreutils-6.10/tests/misc/selinux
|
|
--- coreutils-6.10-orig/tests/misc/selinux 2008-01-11 11:34:22.000000000 +0100
|
|
+++ coreutils-6.10/tests/misc/selinux 2008-01-25 18:17:59.000000000 +0100
|
|
@@ -32,12 +32,10 @@ chcon $ctx f d p 2>/dev/null || {
|
|
|
|
# inspect that context with both ls -Z and stat.
|
|
for i in d f p; do
|
|
- c=`ls -dogZ $i|cut -d' ' -f3`; test x$c = x$ctx || fail=1
|
|
+ c=`ls -dogZ $i|cut -d' ' -f5`; test x$c = x$ctx || fail=1
|
|
c=`stat --printf %C $i`; test x$c = x$ctx || fail=1
|
|
done
|
|
|
|
-# ensure that ls -l output includes the "+".
|
|
-c=`ls -l f|cut -c11`; test "$c" = + || fail=1
|
|
|
|
# Copy each to a new directory and ensure that context is preserved.
|
|
cp -r --preserve=all d f p s1 || fail=1
|