[ostree] admin: selinux-ensure-labeled: new builtin
- From: Colin Walters <walters src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [ostree] admin: selinux-ensure-labeled: new builtin
- Date: Thu, 13 Mar 2014 12:52:21 +0000 (UTC)
commit e11de9357cea643b45a2e5e3f94d33dbd84d9ca3
Author: Colin Walters <walters verbum org>
Date: Thu Mar 13 08:14:26 2014 -0400
admin: selinux-ensure-labeled: new builtin
Code like rpm-ostree generates disk images directly. In order to
ensure SELinux labeling is correct, it currently has a helper program
that runs over the deployment root, then over the whole disk and to
only set a label if none exist.
In order to make it easier to write installers such as Anaconda
without having them depend on rpm-ostree (or whatever other
build-server side program), pull in the helper code here.
Makefile-ostree.am | 1 +
.../ot-admin-builtin-selinux-ensure-labeled.c | 232 ++++++++++++++++++++
src/ostree/ot-admin-builtins.h | 1 +
src/ostree/ot-builtin-admin.c | 3 +
4 files changed, 237 insertions(+), 0 deletions(-)
---
diff --git a/Makefile-ostree.am b/Makefile-ostree.am
index 52f50e2..8537b19 100644
--- a/Makefile-ostree.am
+++ b/Makefile-ostree.am
@@ -58,6 +58,7 @@ ostree_SOURCES += \
src/ostree/ot-admin-builtin-undeploy.c \
src/ostree/ot-admin-builtin-cleanup.c \
src/ostree/ot-admin-builtin-os-init.c \
+ src/ostree/ot-admin-builtin-selinux-ensure-labeled.c \
src/ostree/ot-admin-builtin-status.c \
src/ostree/ot-admin-builtin-switch.c \
src/ostree/ot-admin-builtin-upgrade.c \
diff --git a/src/ostree/ot-admin-builtin-selinux-ensure-labeled.c
b/src/ostree/ot-admin-builtin-selinux-ensure-labeled.c
new file mode 100644
index 0000000..4fc671e
--- /dev/null
+++ b/src/ostree/ot-admin-builtin-selinux-ensure-labeled.c
@@ -0,0 +1,232 @@
+/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*-
+ *
+ * Copyright (C) 2014 Colin Walters <walters verbum org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; either version 2 of the licence or (at
+ * your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+ * Boston, MA 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include <string.h>
+#include <glib-unix.h>
+
+#include "ot-admin-builtins.h"
+#include "ot-admin-functions.h"
+
+#include "otutil.h"
+
+static char *
+ptrarray_path_join (GPtrArray *path)
+{
+ GString *path_buf;
+
+ path_buf = g_string_new ("");
+
+ if (path->len == 0)
+ g_string_append_c (path_buf, '/');
+ else
+ {
+ guint i;
+ for (i = 0; i < path->len; i++)
+ {
+ const char *elt = path->pdata[i];
+
+ g_string_append_c (path_buf, '/');
+ g_string_append (path_buf, elt);
+ }
+ }
+
+ return g_string_free (path_buf, FALSE);
+}
+
+static gboolean
+relabel_one_path (OstreeSePolicy *sepolicy,
+ GFile *path,
+ GFileInfo *info,
+ GPtrArray *path_parts,
+ GCancellable *cancellable,
+ GError **error)
+{
+ gboolean ret = FALSE;
+ gs_free char *relpath = NULL;
+ gs_free char *new_label = NULL;
+
+ relpath = ptrarray_path_join (path_parts);
+ if (!ostree_sepolicy_restorecon (sepolicy, relpath,
+ info, path,
+ OSTREE_SEPOLICY_RESTORECON_FLAGS_ALLOW_NOLABEL |
+ OSTREE_SEPOLICY_RESTORECON_FLAGS_KEEP_EXISTING,
+ &new_label,
+ cancellable, error))
+ {
+ g_prefix_error (error, "Setting context of %s: ", gs_file_get_path_cached (path));
+ goto out;
+ }
+
+ if (new_label)
+ g_print ("Set label of '%s' (as '%s') to '%s'\n",
+ gs_file_get_path_cached (path),
+ relpath,
+ new_label);
+
+ ret = TRUE;
+ out:
+ return ret;
+}
+
+static gboolean
+relabel_recursively (OstreeSePolicy *sepolicy,
+ GFile *dir,
+ GFileInfo *dir_info,
+ GPtrArray *path_parts,
+ GCancellable *cancellable,
+ GError **error)
+{
+ gboolean ret = FALSE;
+ gs_unref_object GFileEnumerator *direnum = NULL;
+
+ if (!relabel_one_path (sepolicy, dir, dir_info, path_parts,
+ cancellable, error))
+ goto out;
+
+ direnum = g_file_enumerate_children (dir, OSTREE_GIO_FAST_QUERYINFO,
+ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
+ cancellable, error);
+ if (!direnum)
+ goto out;
+
+ while (TRUE)
+ {
+ GFileInfo *file_info;
+ GFile *child;
+ GFileType ftype;
+
+ if (!gs_file_enumerator_iterate (direnum, &file_info, &child,
+ cancellable, error))
+ goto out;
+ if (file_info == NULL)
+ break;
+
+ g_ptr_array_add (path_parts, (char*)gs_file_get_basename_cached (child));
+
+ ftype = g_file_info_get_file_type (file_info);
+ if (ftype == G_FILE_TYPE_DIRECTORY)
+ {
+ if (!relabel_recursively (sepolicy, child, file_info, path_parts,
+ cancellable, error))
+ goto out;
+ }
+ else
+ {
+ if (!relabel_one_path (sepolicy, child, file_info, path_parts,
+ cancellable, error))
+ goto out;
+ }
+
+ g_ptr_array_remove_index (path_parts, path_parts->len - 1);
+ }
+
+ ret = TRUE;
+ out:
+ return ret;
+}
+
+static gboolean
+selinux_relabel_dir (OstreeSePolicy *sepolicy,
+ GFile *dir,
+ const char *prefix,
+ GCancellable *cancellable,
+ GError **error)
+{
+ gboolean ret = FALSE;
+ gs_unref_ptrarray GPtrArray *path_parts = g_ptr_array_new ();
+ gs_unref_object GFileInfo *root_info = NULL;
+
+ root_info = g_file_query_info (dir, OSTREE_GIO_FAST_QUERYINFO,
+ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
+ cancellable, error);
+ if (!root_info)
+ goto out;
+
+ g_ptr_array_add (path_parts, (char*)prefix);
+ if (!relabel_recursively (sepolicy, dir, root_info, path_parts,
+ cancellable, error))
+ {
+ g_prefix_error (error, "Relabeling /%s: ", prefix);
+ goto out;
+ }
+
+ ret = TRUE;
+ out:
+ return ret;
+}
+
+gboolean
+ot_admin_builtin_selinux_ensure_labeled (int argc, char **argv, OstreeSysroot *sysroot, GCancellable
*cancellable, GError **error)
+{
+ gboolean ret = FALSE;
+ const char *policy_name;
+ gs_unref_object GFile *subpath = NULL;
+ const char *prefix;
+ gs_unref_object OstreeSePolicy *sepolicy = NULL;
+ gs_unref_ptrarray GPtrArray *deployments = NULL;
+ OstreeDeployment *first_deployment;
+ gs_unref_object GFile *deployment_path = NULL;
+
+ if (argc < 3)
+ {
+ g_printerr ("usage: %s SUBPATH PREFIX\n", argv[0]);
+ g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+ "Option processing failed");
+ goto out;
+ }
+
+ subpath = g_file_new_for_path (argv[1]);
+ prefix = argv[2];
+
+ if (!ostree_sysroot_load (sysroot, cancellable, error))
+ goto out;
+
+ deployments = ostree_sysroot_get_deployments (sysroot);
+ if (deployments->len == 0)
+ {
+ g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+ "Unable to find a deployment in sysroot");
+ goto out;
+ }
+ first_deployment = deployments->pdata[0];
+ deployment_path = ostree_sysroot_get_deployment_directory (sysroot, first_deployment);
+
+ sepolicy = ostree_sepolicy_new (deployment_path, cancellable, error);
+ if (!sepolicy)
+ goto out;
+
+ policy_name = ostree_sepolicy_get_name (sepolicy);
+ if (policy_name)
+ {
+ g_print ("Relabeling using policy '%s'\n", policy_name);
+ if (!selinux_relabel_dir (sepolicy, subpath, prefix,
+ cancellable, error))
+ goto out;
+ }
+ else
+ g_print ("No SELinux policy found in deployment '%s'\n",
+ gs_file_get_path_cached (deployment_path));
+
+ ret = TRUE;
+ out:
+ return ret;
+}
diff --git a/src/ostree/ot-admin-builtins.h b/src/ostree/ot-admin-builtins.h
index e25a520..2ccf2e6 100644
--- a/src/ostree/ot-admin-builtins.h
+++ b/src/ostree/ot-admin-builtins.h
@@ -26,6 +26,7 @@
G_BEGIN_DECLS
+gboolean ot_admin_builtin_selinux_ensure_labeled (int argc, char **argv, OstreeSysroot *sysroot,
GCancellable *cancellable, GError **error);
gboolean ot_admin_builtin_os_init (int argc, char **argv, OstreeSysroot *sysroot, GCancellable *cancellable,
GError **error);
gboolean ot_admin_builtin_install (int argc, char **argv, OstreeSysroot *sysroot, GCancellable *cancellable,
GError **error);
gboolean ot_admin_builtin_init_fs (int argc, char **argv, OstreeSysroot *sysroot, GCancellable *cancellable,
GError **error);
diff --git a/src/ostree/ot-builtin-admin.c b/src/ostree/ot-builtin-admin.c
index e4ff7fe..7ba4fc5 100644
--- a/src/ostree/ot-builtin-admin.c
+++ b/src/ostree/ot-builtin-admin.c
@@ -38,6 +38,9 @@ typedef struct {
} OstreeAdminCommand;
static OstreeAdminCommand admin_subcommands[] = {
+#ifdef HAVE_SELINUX
+ { "selinux-ensure-labeled", ot_admin_builtin_selinux_ensure_labeled },
+#endif
{ "os-init", ot_admin_builtin_os_init },
{ "init-fs", ot_admin_builtin_init_fs },
{ "deploy", ot_admin_builtin_deploy },
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
