author | Kamil Dudka <kdudka@redhat.com> | 2016-07-08 18:59:35 +0200 |
---|---|---|
committer | Pádraig Brady <P@draigBrady.com> | 2016-07-08 18:40:23 +0100 |
commit | 502518b44039138d148e2e15157d125c82d02af0 (patch) | |
tree | eb58a064b254bf46526c372059c88d334778c8f3 /src | |
parent | 54c1397510cb08433680b5b7da46a8201770e9ee (diff) | |
download | coreutils-502518b44039138d148e2e15157d125c82d02af0.tar.xz |
install: with -Z, set default SELinux context for created directories
* doc/coreutils.texi (install invocation): Update -Z documentation.
* src/install.c (make_ancestor): Set default security context before
calling mkdir() if the -Z option is given.
(process_dir): Call restorecon() on the destination directory if the
-Z option is given.
(usage): Update -Z documentation.
* tests/install/install-Z-selinux.sh: A new test for 'install -Z -D'
and 'install -Z -d' based on tests/mkdir/restorecon.sh.
* tests/local.mk: Reference the test.
* NEWS: Mention the improvement.
Reported at https://bugzilla.redhat.com/1339135
Fixes http://bugs.gnu.org/23868
Diffstat (limited to 'src')
-rw-r--r-- | src/install.c | 33 |
1 files changed, 28 insertions, 5 deletions
diff --git a/src/install.c b/src/install.c
index 2ff279c01..1e1fed5b6 100644
--- a/src/install.c
+++ b/src/install.c
@@ -39,6 +39,7 @@
 #include "prog-fprintf.h"
 #include "quote.h"
 #include "savewd.h"
+#include "selinux.h"
 #include "stat-time.h"
 #include "utimens.h"
 #include "xstrtol.h"
@@ -423,6 +424,12 @@ announce_mkdir (char const *dir, void *options)
 static int
 make_ancestor (char const *dir, char const *component, void *options)
 {
+ struct cp_options const *x = options;
+ if (x->set_security_context && defaultcon (dir, S_IFDIR) < 0
+ && ! ignorable_ctx_err (errno))
+ error (0, errno, _("failed to set default creation context for %s"),
+ quoteaf (dir));
+
 int r = mkdir (component, DEFAULT_MODE);
 if (r == 0)
 announce_mkdir (dir, options);
@@ -433,12 +440,28 @@ make_ancestor (char const *dir, char const *component, void *options)
 static int
 process_dir (char *dir, struct savewd *wd, void *options)
 {
- return (make_dir_parents (dir, wd,
- make_ancestor, options,
- dir_mode, announce_mkdir,
- dir_mode_bits, owner_id, group_id, false)
+ struct cp_options const *x = options;
+
+ int ret = (make_dir_parents (dir, wd, make_ancestor, options,
+ dir_mode, announce_mkdir,
+ dir_mode_bits, owner_id, group_id, false)
 ? EXIT_SUCCESS : EXIT_FAILURE);
+
+ /* FIXME: Due to the current structure of make_dir_parents()
+ we don't have the facility to call defaultcon() before the
+ final component of DIR is created. So for now, create the
+ final component with the context from previous component
+ and here we set the context for the final component. */
+ if (ret == EXIT_SUCCESS && x->set_security_context)
+ {
+ if (! restorecon (last_component (dir), false, false)
+ && ! ignorable_ctx_err (errno))
+ error (0, errno, _("failed to restore context for %s"),
+ quoteaf (dir));
+ }
+
+ return ret;
 }
 
 /* Copy file FROM onto file TO, creating TO if necessary.
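Review bot: In make_ancestor a non-ignorable defaultcon() failure is reported but not acted on: the added lines print the error and fall straight through to mkdir(), so the ancestor is created with whatever creation context the process currently has, and nothing in the visible lines feeds that failure into the function's result (the rest of make_ancestor, including its return, is outside the hunk). This appears to mirror the equivalent code in mkdir, so it may be deliberate, but a caller relying on `install -Z -D` to produce default-labelled directories then gets a warning together with a success status; a comment above the `if`, such as `/* A failed defaultcon() is a warning only: the directory is still created with the inherited context and the exit status is unaffected.  */`, would make that contract explicit. Also worth confirming is that defaultcon() presumably sets the process-wide default creation context and nothing in this hunk resets it, so the final component (as the FIXME in process_dir notes) and anything else created after make_dir_parents() returns inherits the last ancestor's context until restorecon() or another defaultcon() runs.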
@@ -651,7 +674,7 @@ In the 4th form, create all components of the given DIRECTORY(ies).\n\
 fputs (_("\
 --preserve-context preserve SELinux security context\n\
 -Z set SELinux security context of destination\n\
- file to default type\n\
+ file and each created directory to default type\n\
 --context[=CTX] like -Z, or if CTX is specified then set the\n\
 SELinux or SMACK security context to CTX\n\
 "), stdout);
|