| diff -urp coreutils-6.10-orig/configure.ac coreutils-6.10/configure.ac |
| |
| |
| @@ -51,6 +51,13 @@ AC_ARG_ENABLE(pam, dnl |
| LIB_PAM="-ldl -lpam -lpam_misc" |
| AC_SUBST(LIB_PAM)]) |
| |
| +dnl Give the chance to enable SELINUX |
| +AC_ARG_ENABLE(selinux, dnl |
| +[ --enable-selinux Enable use of the SELINUX libraries], |
| +[AC_DEFINE(WITH_SELINUX, 1, [Define if you want to use SELINUX]) |
| +LIB_SELINUX="-lselinux" |
| +AC_SUBST(LIB_SELINUX)]) |
| + |
| AC_FUNC_FORK |
| |
| optional_bin_progs= |
| diff -urp coreutils-6.10-orig/man/cp.1 coreutils-6.10/man/cp.1 |
| |
| |
| @@ -58,7 +58,7 @@ same as \fB\-\-preserve\fR=\fImode\fR,ow |
| \fB\-\-preserve\fR[=\fIATTR_LIST\fR] |
| preserve the specified attributes (default: |
| mode,ownership,timestamps), if possible |
| -additional attributes: context, links, all |
| +additional attributes: security context, links, all |
| .TP |
| \fB\-\-no\-preserve\fR=\fIATTR_LIST\fR |
| don't preserve the specified attributes |
| @@ -102,6 +102,9 @@ explain what is being done |
| .TP |
| \fB\-x\fR, \fB\-\-one\-file\-system\fR |
| stay on this file system |
| +\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR |
| +(SELinux) set SELinux security context of copy to CONTEXT |
| +.TP |
| .TP |
| \fB\-\-help\fR |
| display this help and exit |
| diff -urp coreutils-6.10-orig/man/dir.1 coreutils-6.10/man/dir.1 |
| |
| |
| @@ -203,11 +203,24 @@ list entries by lines instead of by colu |
| \fB\-X\fR |
| sort alphabetically by entry extension |
| .TP |
| -\fB\-Z\fR, \fB\-\-context\fR |
| -print any SELinux security context of each file |
| -.TP |
| \fB\-1\fR |
| list one file per line |
| +.PP |
| +SELINUX options: |
| +.TP |
| +\fB\-\-lcontext\fR |
| +Display SELinux security context. |
| +Enable \fB\-l\fR. Lines will probably be too |
| +wide for most displays. |
| +.TP |
| +\fB\-\-context\fR |
| +Display SELinux security context so it fits |
| +on most displays. Displays only mode, user, |
| +group, security context and file name. |
| +.TP |
| +\fB\-\-scontext\fR |
| +Display only SELinux security context and |
| +file name. |
| .TP |
| \fB\-\-help\fR |
| display this help and exit |
| diff -urp coreutils-6.10-orig/man/chcon.1 coreutils-6.10/man/chcon.1 |
| |
| |
| @@ -1,7 +1,7 @@ |
| .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.35. |
| .TH CHCON "1" "May 2008" "GNU coreutils 6.12" "User Commands" |
| .SH NAME |
| -chcon \- change file security context |
| +chcon \- change file SELinux security context |
| .SH SYNOPSIS |
| .B chcon |
| [\fIOPTION\fR]... \fICONTEXT FILE\fR... |
| @@ -14,7 +14,7 @@ chcon \- change file security context |
| .SH DESCRIPTION |
| .\" Add any additional description here |
| .PP |
| -Change the security context of each FILE to CONTEXT. |
| +Change the SELinux security context of each FILE to CONTEXT. |
| With \fB\-\-reference\fR, change the security context of each FILE to that of RFILE. |
| .TP |
| \fB\-c\fR, \fB\-\-changes\fR |
| @@ -74,6 +74,8 @@ License GPLv3+: GNU GPL version 3 or lat |
| .br |
| This is free software: you are free to change and redistribute it. |
| There is NO WARRANTY, to the extent permitted by law. |
| +.SH "REPORTING BUGS" |
| +Report bugs to <https://bugzilla.redhat.com/bugzilla>. |
| .SH "SEE ALSO" |
| The full documentation for |
| .B chcon |
| diff -urp coreutils-6.10-orig/man/id.1 coreutils-6.10/man/id.1 |
| |
| |
| @@ -14,7 +14,7 @@ Print information for USERNAME, or the c |
| ignore, for compatibility with other versions |
| .TP |
| \fB\-Z\fR, \fB\-\-context\fR |
| -print only the security context of the current user |
| +print only the SELinux security context of the current user |
| .TP |
| \fB\-g\fR, \fB\-\-group\fR |
| print only the effective group ID |
| diff -urp coreutils-6.10-orig/man/install.1 coreutils-6.10/man/install.1 |
| |
| |
| @@ -68,11 +68,11 @@ treat DEST as a normal file |
| \fB\-v\fR, \fB\-\-verbose\fR |
| print the name of each directory as it is created |
| .TP |
| -\fB\-\-preserve\-context\fR |
| -preserve SELinux security context |
| +\fB\-P\fR, \fB\-\-preserve_context\fR \fB\-\-preserve\-context\fR |
| +(SELinux) preserve SELinux security context |
| .TP |
| \fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR |
| -set SELinux security context of files and directories |
| +(SELinux) set SELinux security context of files and directories |
| .TP |
| \fB\-\-help\fR |
| display this help and exit |
| diff -urp coreutils-6.10-orig/man/ls.1 coreutils-6.10/man/ls.1 |
| |
| |
| @@ -203,11 +203,24 @@ list entries by lines instead of by colu |
| \fB\-X\fR |
| sort alphabetically by entry extension |
| .TP |
| -\fB\-Z\fR, \fB\-\-context\fR |
| -print any SELinux security context of each file |
| -.TP |
| \fB\-1\fR |
| list one file per line |
| +.PP |
| +SELinux options: |
| +.TP |
| +\fB\-\-lcontext\fR |
| +Display SELinux security context. |
| +Enable \fB\-l\fR. Lines will probably be too |
| +wide for most displays. |
| +.TP |
| +\fB\-Z\fR, \fB\-\-context\fR |
| +Display SELinux security context so it fits |
| +on most displays. Displays only mode, user, |
| +group, security context and file name. |
| +.TP |
| +\fB\-\-scontext\fR |
| +Display only SELinux security context and |
| +file name. |
| .TP |
| \fB\-\-help\fR |
| display this help and exit |
| diff -urp coreutils-6.10-orig/man/mkdir.1 coreutils-6.10/man/mkdir.1 |
| |
| |
| @@ -21,9 +21,9 @@ no error if existing, make parent direct |
| \fB\-v\fR, \fB\-\-verbose\fR |
| print a message for each created directory |
| .TP |
| -\fB\-Z\fR, \fB\-\-context\fR=\fICTX\fR |
| -set the SELinux security context of each created |
| -directory to CTX |
| +\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR |
| +(SELinux) set the SELinux security context of each |
| +created directory to CONTEXT |
| .TP |
| \fB\-\-help\fR |
| display this help and exit |
| diff -urp coreutils-6.10-orig/man/mkfifo.1 coreutils-6.10/man/mkfifo.1 |
| |
| |
| @@ -10,8 +10,8 @@ mkfifo \- make FIFOs (named pipes) |
| .PP |
| Create named pipes (FIFOs) with the given NAMEs. |
| .TP |
| -\fB\-Z\fR, \fB\-\-context\fR=\fICTX\fR |
| -set the SELinux security context of each NAME to CTX |
| +\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR |
| +set the SELinux security context of each NAME to CONTEXT(quoted string) |
| .PP |
| Mandatory arguments to long options are mandatory for short options too. |
| .TP |
| diff -urp coreutils-6.10-orig/man/mknod.1 coreutils-6.10/man/mknod.1 |
| |
| |
| @@ -10,8 +10,8 @@ mknod \- make block or character special |
| .PP |
| Create the special file NAME of the given TYPE. |
| .TP |
| -\fB\-Z\fR, \fB\-\-context\fR=\fICTX\fR |
| -set the SELinux security context of NAME to CTX |
| +\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR |
| +set the SELinux security context of NAME to CONTEXT |
| .PP |
| Mandatory arguments to long options are mandatory for short options too. |
| .TP |
| diff -urp coreutils-6.10-orig/man/stat.1 coreutils-6.10/man/stat.1 |
| |
| |
| @@ -28,6 +28,9 @@ If you want a newline, include \en in FO |
| \fB\-t\fR, \fB\-\-terse\fR |
| print the information in terse form |
| .TP |
| +\fB\-Z\fR, \fB\-\-context\fR |
| +print security context information for SELinux if available. |
| +.TP |
| \fB\-\-help\fR |
| display this help and exit |
| .TP |
| diff -urp coreutils-6.10-orig/man/vdir.1 coreutils-6.10/man/vdir.1 |
| |
| |
| @@ -208,6 +208,20 @@ print any SELinux security context of ea |
| .TP |
| \fB\-1\fR |
| list one file per line |
| +.PP |
| +SELINUX options: |
| +.TP |
| +\fB\-\-lcontext\fR |
| +Display SELinux security context. Enable \fB\-l\fR. |
| +Lines will probably be too wide for most displays. |
| +.TP |
| +\fB\-\-context\fR |
| +Display SELinux security context so it fits |
| +on most displays. Displays only mode, user, |
| +group, SELinux security context and file name. |
| +.TP |
| +\fB\-\-scontext\fR |
| +Display only SELinux security context and file name. |
| .TP |
| \fB\-\-help\fR |
| display this help and exit |
| diff -urNp coreutils-6.12-orig/src/chcon.c coreutils-6.12/src/chcon.c |
| |
| |
| @@ -302,9 +302,11 @@ process_file (FTS *fts, FTSENT *ent) |
| |
| if (ok) |
| { |
| - if (verbose) |
| - printf (_("changing security context of %s"), |
| + if (verbose) { |
| + printf (_("changing security context of %s"), |
| quote (file_full_name)); |
| + putchar ('\n'); |
| + } |
| |
| if (change_file_context (fts->fts_cwd_fd, file) != 0) |
| ok = false; |
| diff -urp coreutils-6.10-orig/src/copy.c coreutils-6.10/src/copy.c |
| |
| |
| @@ -371,9 +371,10 @@ copy_reg (char const *src_name, char con |
| security_context_t con = NULL; |
| if (getfscreatecon (&con) < 0) |
| { |
| - error (0, errno, _("failed to get file system create context")); |
| + //do not show error when we not require security context (-a option) |
| if (x->require_preserve_context) |
| { |
| + error (0, errno, _("failed to get file system create context")); |
| return_val = false; |
| goto close_src_and_dst_desc; |
| } |
| @@ -383,11 +384,12 @@ copy_reg (char const *src_name, char con |
| { |
| if (fsetfilecon (dest_desc, con) < 0) |
| { |
| - error (0, errno, |
| - _("failed to set the security context of %s to %s"), |
| - quote_n (0, dst_name), quote_n (1, con)); |
| + //do not show error when we not require security context (-a option) |
| if (x->require_preserve_context) |
| { |
| + error (0, errno, |
| + _("failed to set the security context of %s to %s"), |
| + quote_n (0, dst_name), quote_n (1, con)); |
| return_val = false; |
| freecon (con); |
| goto close_src_and_dst_desc; |
| @@ -1630,11 +1632,12 @@ copy_internal (char const *src_name, cha |
| { |
| if (setfscreatecon (con) < 0) |
| { |
| - error (0, errno, |
| - _("failed to set default file creation context to %s"), |
| - quote (con)); |
| + //do not show error when we not require security context (-a option) |
| if (x->require_preserve_context) |
| { |
| + error (0, errno, |
| + _("failed to set default file creation context to %s"), |
| + quote (con)); |
| freecon (con); |
| return false; |
| } |
| @@ -1644,12 +1647,14 @@ copy_internal (char const *src_name, cha |
| else |
| { |
| if (errno != ENOTSUP && errno != ENODATA) |
| - { |
| - error (0, errno, |
| - _("failed to get security context of %s"), |
| - quote (src_name)); |
| - if (x->require_preserve_context) |
| - return false; |
| + { |
| + //do not show error when we not require security context (-a option) |
| + if (x->require_preserve_context) { |
| + error (0, errno, |
| + _("failed to get security context of %s"), |
| + quote (src_name)); |
| + return false; |
| + } |
| } |
| } |
| } |
| @@ -1735,6 +1740,8 @@ copy_internal (char const *src_name, cha |
| { |
| /* Here, we are crossing a file system boundary and cp's -x option |
| is in effect: so don't copy the contents of this directory. */ |
| + if (x->preserve_security_context) |
| + restore_default_fscreatecon_or_die (); |
| } |
| else |
| { |
| diff -urp coreutils-6.10-orig/src/copy.h coreutils-6.10/src/copy.h |
| |
| |
| @@ -141,6 +141,9 @@ struct cp_options |
| bool preserve_mode; |
| bool preserve_timestamps; |
| |
| + /* If true, attempt to set specified security context */ |
| + bool set_security_context; |
| + |
| /* Enabled for mv, and for cp by the --preserve=links option. |
| If true, attempt to preserve in the destination files any |
| logical hard links between the source files. If used with cp's |
| diff -urp coreutils-6.10-orig/src/cp.c coreutils-6.10/src/cp.c |
| |
| |
| @@ -147,6 +147,7 @@ static struct option const long_opts[] = |
| {"target-directory", required_argument, NULL, 't'}, |
| {"update", no_argument, NULL, 'u'}, |
| {"verbose", no_argument, NULL, 'v'}, |
| + {"context", required_argument, NULL, 'Z'}, |
| {GETOPT_HELP_OPTION_DECL}, |
| {GETOPT_VERSION_OPTION_DECL}, |
| {NULL, 0, NULL, 0} |
| @@ -175,7 +175,7 @@ Copy SOURCE to DEST, or multiple SOURCE( |
| Mandatory arguments to long options are mandatory for short options too.\n\ |
| "), stdout); |
| fputs (_("\ |
| - -a, --archive same as -dpR\n\ |
| + -a, --archive same as -cdpR\n\ |
| --backup[=CONTROL] make a backup of each existing destination file\n\ |
| -b like --backup but does not accept an argument\n\ |
| --copy-contents copy contents of special files when recursive\n\ |
| @@ -200,6 +201,9 @@ Mandatory arguments to long options are |
| additional attributes: context, links, all\n\ |
| "), stdout); |
| fputs (_("\ |
| + -c same as --preserve=context\n\ |
| +"), stdout); |
| + fputs (_("\ |
| --no-preserve=ATTR_LIST don't preserve the specified attributes\n\ |
| --parents use full source file name under DIRECTORY\n\ |
| "), stdout); |
| @@ -225,6 +229,7 @@ Mandatory arguments to long options are |
| destination file is missing\n\ |
| -v, --verbose explain what is being done\n\ |
| -x, --one-file-system stay on this file system\n\ |
| + -Z, --context=CONTEXT set security context of copy to CONTEXT\n\ |
| "), stdout); |
| fputs (HELP_OPTION_DESCRIPTION, stdout); |
| fputs (VERSION_OPTION_DESCRIPTION, stdout); |
| @@ -774,6 +779,7 @@ cp_option_init (struct cp_options *x) |
| x->preserve_timestamps = false; |
| x->preserve_security_context = false; |
| x->require_preserve_context = false; |
| + x->set_security_context = false; |
| |
| x->require_preserve = false; |
| x->recursive = false; |
| @@ -867,8 +873,10 @@ decode_preserve_arg (char const *arg, st |
| x->preserve_timestamps = on_off; |
| x->preserve_ownership = on_off; |
| x->preserve_links = on_off; |
| - if (selinux_enabled) |
| + if (selinux_enabled) { |
| x->preserve_security_context = on_off; |
| + x->require_preserve_context = on_off; |
| + } |
| break; |
| |
| default: |
| @@ -909,7 +917,7 @@ main (int argc, char **argv) |
| we'll actually use backup_suffix_string. */ |
| backup_suffix_string = getenv ("SIMPLE_BACKUP_SUFFIX"); |
| |
| - while ((c = getopt_long (argc, argv, "abdfHilLprst:uvxPRS:T", |
| + while ((c = getopt_long (argc, argv, "abcdfHilLprst:uvxPRS:TZ", |
| long_opts, NULL)) |
| != -1) |
| { |
| @@ -920,13 +928,15 @@ main (int argc, char **argv) |
| sparse_type_string, sparse_type); |
| break; |
| |
| - case 'a': /* Like -dpPR. */ |
| + case 'a': /* Like -dpPRc. */ |
| x.dereference = DEREF_NEVER; |
| x.preserve_links = true; |
| x.preserve_ownership = true; |
| x.preserve_mode = true; |
| x.preserve_timestamps = true; |
| - x.require_preserve = true; |
| + x.require_preserve = true; |
| + if (selinux_enabled) |
| + x.preserve_security_context = true; |
| x.recursive = true; |
| break; |
| |
| @@ -940,6 +950,16 @@ main (int argc, char **argv) |
| copy_contents = true; |
| break; |
| |
| + case 'c': |
| + if ( x.set_security_context ) { |
| + (void) fprintf(stderr, "%s: cannot force target context and preserve it\n", argv[0]); |
| + exit( 1 ); |
| + } |
| + else if (selinux_enabled) { |
| + x.preserve_security_context = true; |
| + x.require_preserve_context = true; |
| + } |
| + break; |
| case 'd': |
| x.preserve_links = true; |
| x.dereference = DEREF_NEVER; |
| @@ -1052,6 +1072,27 @@ main (int argc, char **argv) |
| x.one_file_system = true; |
| break; |
| |
| + |
| + case 'Z': |
| + /* politely decline if we're not on a selinux-enabled kernel. */ |
| + if( !selinux_enabled ) { |
| + fprintf( stderr, "Warning: ignoring --context (-Z). " |
| + "It requires a SELinux enabled kernel.\n" ); |
| + break; |
| + } |
| + if ( x.preserve_security_context ) { |
| + (void) fprintf(stderr, "%s: cannot force target context to '%s' and preserve it\n", argv[0], optarg); |
| + exit( 1 ); |
| + } |
| + x.set_security_context = true; |
| + /* if there's a security_context given set new path |
| + components to that context, too */ |
| + if ( setfscreatecon(optarg) < 0 ) { |
| + (void) fprintf(stderr, _("cannot set default security context %s\n"), optarg); |
| + exit( 1 ); |
| + } |
| + break; |
| + |
| case 'S': |
| make_backups = true; |
| backup_suffix_string = optarg; |
| diff -urp coreutils-6.10-orig/src/id.c coreutils-6.10/src/id.c |
| |
| |
| @@ -110,7 +110,7 @@ int |
| main (int argc, char **argv) |
| { |
| int optc; |
| - int selinux_enabled = (is_selinux_enabled () > 0); |
| + bool selinux_enabled = (is_selinux_enabled () > 0); |
| |
| /* If true, output the list of all group IDs. -G */ |
| bool just_group_list = false; |
| diff -urp coreutils-6.10-orig/src/install.c coreutils-6.10/src/install.c |
| |
| |
| |
| @@ -146,11 +146,11 @@ static struct option const long_options[ |
| {"no-target-directory", no_argument, NULL, 'T'}, |
| {"owner", required_argument, NULL, 'o'}, |
| {"preserve-timestamps", no_argument, NULL, 'p'}, |
| - {"preserve-context", no_argument, NULL, PRESERVE_CONTEXT_OPTION}, |
| + {"preserve-context", no_argument, NULL, 'P'}, |
| /* Continue silent support for --preserve_context until Jan 2008. FIXME-obs |
| After that, FIXME-obs: warn in, say, late 2008, and disable altogether |
| a year or two later. */ |
| - {"preserve_context", no_argument, NULL, PRESERVE_CONTEXT_OPTION}, |
| + {"preserve_context", no_argument, NULL, 'P'}, |
| {"strip", no_argument, NULL, 's'}, |
| {"suffix", required_argument, NULL, 'S'}, |
| {"target-directory", required_argument, NULL, 't'}, |
| @@ -178,6 +178,7 @@ cp_option_init (struct cp_options *x) |
| x->preserve_timestamps = false; |
| x->require_preserve = false; |
| x->require_preserve_context = false; |
| + x->set_security_context = false; |
| x->recursive = false; |
| x->sparse_mode = SPARSE_AUTO; |
| x->symbolic_link = false; |
| @@ -346,7 +338,7 @@ main (int argc, char **argv) |
| we'll actually use backup_suffix_string. */ |
| backup_suffix_string = getenv ("SIMPLE_BACKUP_SUFFIX"); |
| |
| - while ((optc = getopt_long (argc, argv, "bcsDdg:m:o:pt:TvS:Z:", long_options, |
| + while ((optc = getopt_long (argc, argv, "bcsDdg:m:o:pPt:TvS:Z:", long_options, |
| NULL)) != -1) |
| { |
| switch (optc) |
| @@ -408,6 +409,7 @@ main (int argc, char **argv) |
| no_target_directory = true; |
| break; |
| |
| + case 'P': |
| case PRESERVE_CONTEXT_OPTION: |
| if ( ! selinux_enabled) |
| { |
| @@ -415,6 +417,10 @@ main (int argc, char **argv) |
| "this kernel is not SELinux-enabled.")); |
| break; |
| } |
| + if ( x.set_security_context ) { |
| + (void) fprintf(stderr, "%s: cannot force target context and preserve it\n", argv[0]); |
| + exit( 1 ); |
| + } |
| x.preserve_security_context = true; |
| use_default_selinux_context = false; |
| break; |
| @@ -432,6 +432,7 @@ main (int argc, char **argv) |
| break; |
| } |
| scontext = optarg; |
| + x.set_security_context = true; |
| use_default_selinux_context = false; |
| break; |
| case_GETOPT_HELP_CHAR; |
| @@ -825,8 +831,8 @@ Mandatory arguments to long options are |
| -v, --verbose print the name of each directory as it is created\n\ |
| "), stdout); |
| fputs (_("\ |
| - --preserve-context preserve SELinux security context\n\ |
| - -Z, --context=CONTEXT set SELinux security context of files and directories\n\ |
| + -P, --preserve-context (SELinux) preserve security context\n\ |
| + -Z, --context=CONTEXT (SELinux) set security context of files and directories\n\ |
| "), stdout); |
| |
| fputs (HELP_OPTION_DESCRIPTION, stdout); |
| diff -urp coreutils-6.10-orig/src/ls.c coreutils-6.10/src/ls.c |
| |
| |
| @@ -134,7 +134,8 @@ enum filetype |
| symbolic_link, |
| sock, |
| whiteout, |
| - arg_directory |
| + arg_directory, |
| + command_line |
| }; |
| |
| /* Display letters and indicators for each filetype. |
| @@ -177,8 +178,9 @@ struct fileinfo |
| exists, otherwise false. */ |
| bool linkok; |
| |
| - /* For long listings, true if the file has an access control list, |
| - or an SELinux security context. */ |
| + /* For long listings, true if the file has an access control list. |
| + Unlike with upstream not true for SELinux scontext(#430779) as |
| + this removes possibility to detect ACL via ls */ |
| bool have_acl; |
| }; |
| |
| @@ -241,6 +242,7 @@ static void queue_directory (char const |
| static void sort_files (void); |
| static void parse_ls_color (void); |
| void usage (int status); |
| +static void print_scontext_format (const struct fileinfo *f); |
| |
| /* The name this program was run with. */ |
| char *program_name; |
| @@ -314,7 +316,7 @@ static struct pending *pending_dirs; |
| |
| static struct timespec current_time; |
| |
| -static bool print_scontext; |
| +static int print_scontext = 0; |
| static char UNKNOWN_SECURITY_CONTEXT[] = "?"; |
| |
| /* Whether any of the files has an ACL. This affects the width of the |
| @@ -354,7 +356,9 @@ enum format |
| one_per_line, /* -1 */ |
| many_per_line, /* -C */ |
| horizontal, /* -x */ |
| - with_commas /* -m */ |
| + with_commas, /* -m */ |
| + security_format, /* -Z */ |
| + invalid_format |
| }; |
| |
| static enum format format; |
| @@ -731,6 +735,9 @@ enum |
| SHOW_CONTROL_CHARS_OPTION, |
| SI_OPTION, |
| SORT_OPTION, |
| + CONTEXT_OPTION, |
| + LCONTEXT_OPTION, |
| + SCONTEXT_OPTION, |
| TIME_OPTION, |
| TIME_STYLE_OPTION |
| }; |
| @@ -776,7 +783,9 @@ static struct option const long_options[ |
| {"time-style", required_argument, NULL, TIME_STYLE_OPTION}, |
| {"color", optional_argument, NULL, COLOR_OPTION}, |
| {"block-size", required_argument, NULL, BLOCK_SIZE_OPTION}, |
| - {"context", no_argument, 0, 'Z'}, |
| + {"context", no_argument, 0, CONTEXT_OPTION}, |
| + {"lcontext", no_argument, 0, LCONTEXT_OPTION}, |
| + {"scontext", no_argument, 0, SCONTEXT_OPTION}, |
| {"author", no_argument, NULL, AUTHOR_OPTION}, |
| {GETOPT_HELP_OPTION_DECL}, |
| {GETOPT_VERSION_OPTION_DECL}, |
| @@ -786,12 +795,12 @@ static struct option const long_options[ |
| static char const *const format_args[] = |
| { |
| "verbose", "long", "commas", "horizontal", "across", |
| - "vertical", "single-column", NULL |
| + "vertical", "single-column", "context", NULL |
| }; |
| static enum format const format_types[] = |
| { |
| long_format, long_format, with_commas, horizontal, horizontal, |
| - many_per_line, one_per_line |
| + many_per_line, one_per_line, security_format |
| }; |
| ARGMATCH_VERIFY (format_args, format_types); |
| |
| @@ -1236,7 +1245,7 @@ main (int argc, char **argv) |
| |
| format_needs_stat = sort_type == sort_time || sort_type == sort_size |
| || format == long_format |
| - || print_scontext |
| + || format == security_format || print_scontext |
| || print_block_size; |
| format_needs_type = (! format_needs_stat |
| && (recursive |
| @@ -1267,7 +1276,7 @@ main (int argc, char **argv) |
| } |
| else |
| do |
| - gobble_file (argv[i++], unknown, NOT_AN_INODE_NUMBER, true, ""); |
| + gobble_file (argv[i++], command_line, NOT_AN_INODE_NUMBER, true, ""); |
| while (i < argc); |
| |
| if (cwd_n_used) |
| @@ -1429,7 +1438,7 @@ decode_switches (int argc, char **argv) |
| ignore_mode = IGNORE_DEFAULT; |
| ignore_patterns = NULL; |
| hide_patterns = NULL; |
| - print_scontext = false; |
| + print_scontext = 0; |
| |
| /* FIXME: put this in a function. */ |
| { |
| @@ -1811,13 +1820,27 @@ decode_switches (int argc, char **argv) |
| break; |
| |
| case 'Z': |
| - print_scontext = true; |
| + print_scontext = 1; |
| + format = security_format; |
| break; |
| |
| case_GETOPT_HELP_CHAR; |
| |
| case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS); |
| |
| + case CONTEXT_OPTION: /* default security context format */ |
| + print_scontext = 1; |
| + format = security_format; |
| + break; |
| + case LCONTEXT_OPTION: /* long format plus security context */ |
| + print_scontext = 1; |
| + format = long_format; |
| + break; |
| + case SCONTEXT_OPTION: /* short form of new security format */ |
| + print_scontext = 0; |
| + format = security_format; |
| + break; |
| + |
| default: |
| usage (LS_FAILURE); |
| } |
| @@ -2517,8 +2540,10 @@ clear_files (void) |
| struct fileinfo *f = sorted_file[i]; |
| free (f->name); |
| free (f->linkname); |
| - if (f->scontext != UNKNOWN_SECURITY_CONTEXT) |
| - freecon (f->scontext); |
| + if (f->scontext != UNKNOWN_SECURITY_CONTEXT) { |
| + freecon (f->scontext); |
| + f->scontext = NULL; |
| + } |
| } |
| |
| cwd_n_used = 0; |
| @@ -2560,6 +2585,7 @@ gobble_file (char const *name, enum file |
| memset (f, '\0', sizeof *f); |
| f->stat.st_ino = inode; |
| f->filetype = type; |
| + f->scontext = NULL; |
| |
| if (command_line_arg |
| || format_needs_stat |
| @@ -2659,7 +2685,7 @@ gobble_file (char const *name, enum file |
| |
| f->stat_ok = true; |
| |
| - if (format == long_format || print_scontext) |
| + if (format == long_format || format == security_format || print_scontext) |
| { |
| bool have_acl = false; |
| int attr_len = (do_deref |
| @@ -2667,9 +2694,7 @@ gobble_file (char const *name, enum file |
| f->scontext = xstrdup ("unlabeled"); |
| } |
| |
| - if (err == 0) |
| - have_acl = ! STREQ ("unlabeled", f->scontext); |
| - else |
| + if (err != 0) |
| { |
| f->scontext = UNKNOWN_SECURITY_CONTEXT; |
| |
| @@ -2681,7 +2706,7 @@ gobble_file (char const *name, enum file |
| err = 0; |
| } |
| |
| - if (err == 0 && ! have_acl && format == long_format) |
| + if (err == 0 && format == long_format) |
| { |
| int n = file_has_acl (absolute_name, &f->stat); |
| err = (n < 0); |
| @@ -3255,6 +3281,13 @@ print_current_files (void) |
| print_long_format (sorted_file[i]); |
| DIRED_PUTCHAR ('\n'); |
| } |
| + break; |
| + case security_format: |
| + for (i = 0; i < cwd_n_used; i++) |
| + { |
| + print_scontext_format (sorted_file[i]); |
| + DIRED_PUTCHAR ('\n'); |
| + } |
| break; |
| } |
| } |
| @@ -3481,7 +3514,7 @@ print_long_format (const struct fileinfo |
| The latter is wrong when inode_number_width is zero. */ |
| p += strlen (p); |
| } |
| - |
| + |
| if (print_block_size) |
| { |
| char hbuf[LONGEST_HUMAN_READABLE + 1]; |
| @@ -3510,9 +3543,15 @@ print_long_format (const struct fileinfo |
| The latter is wrong when nlink_width is zero. */ |
| p += strlen (p); |
| |
| + if (print_scontext) |
| + { |
| + sprintf (p, "%-32s ", f->scontext ? f->scontext : ""); |
| + p += strlen (p); |
| + } |
| + |
| DIRED_INDENT (); |
| |
| - if (print_owner | print_group | print_author | print_scontext) |
| + if (print_owner | print_group | print_author) |
| { |
| DIRED_FPUTS (buf, stdout, p - buf); |
| |
| @@ -3525,9 +3564,6 @@ print_long_format (const struct fileinfo |
| if (print_author) |
| format_user (f->stat.st_author, author_width, f->stat_ok); |
| |
| - if (print_scontext) |
| - format_user_or_group (f->scontext, 0, scontext_width); |
| - |
| p = buf; |
| } |
| |
| @@ -3864,9 +3900,6 @@ print_file_name_and_frills (const struct |
| human_readable (ST_NBLOCKS (f->stat), buf, human_output_opts, |
| ST_NBLOCKSIZE, output_block_size)); |
| |
| - if (print_scontext) |
| - printf ("%*s ", format == with_commas ? 0 : scontext_width, f->scontext); |
| - |
| print_name_with_quoting (f->name, FILE_OR_LINK_MODE (f), f->linkok, |
| f->stat_ok, f->filetype, NULL); |
| |
| @@ -4030,9 +4063,6 @@ length_of_file_name_and_frills (const st |
| output_block_size)) |
| : block_size_width); |
| |
| - if (print_scontext) |
| - len += 1 + (format == with_commas ? strlen (f->scontext) : scontext_width); |
| - |
| quote_name (NULL, f->name, filename_quoting_options, &name_width); |
| len += name_width; |
| |
| @@ -4461,9 +4491,16 @@ Mandatory arguments to long options are |
| -w, --width=COLS assume screen width instead of current value\n\ |
| -x list entries by lines instead of by columns\n\ |
| -X sort alphabetically by entry extension\n\ |
| - -Z, --context print any SELinux security context of each file\n\ |
| -1 list one file per line\n\ |
| "), stdout); |
| + fputs(_("\nSELINUX options:\n\n\ |
| + --lcontext Display security context. Enable -l. Lines\n\ |
| + will probably be too wide for most displays.\n\ |
| + -Z, --context Display security context so it fits on most\n\ |
| + displays. Displays only mode, user, group,\n\ |
| + security context and file name.\n\ |
| + --scontext Display only security context and file name.\n\ |
| +"), stdout); |
| fputs (HELP_OPTION_DESCRIPTION, stdout); |
| fputs (VERSION_OPTION_DESCRIPTION, stdout); |
| fputs (_("\n\ |
| @@ -4487,3 +4524,67 @@ Exit status is 0 if OK, 1 if minor probl |
| } |
| exit (status); |
| } |
| + |
| +static void |
| +print_scontext_format (const struct fileinfo *f) |
| +{ |
| + char modebuf[12]; |
| + |
| + /* 7 fields that may require LONGEST_HUMAN_READABLE bytes, |
| + 1 10-byte mode string, |
| + 9 spaces, one following each of these fields, and |
| + 1 trailing NUL byte. */ |
| + |
| + char init_bigbuf[7 * LONGEST_HUMAN_READABLE + 10 + 9 + 1]; |
| + char *buf = init_bigbuf; |
| + size_t bufsize = sizeof (init_bigbuf); |
| + size_t s; |
| + char *p; |
| + const char *fmt; |
| + char *user_name; |
| + char *group_name; |
| + int rv; |
| + char *scontext; |
| + |
| + p = buf; |
| + |
| + if ( print_scontext ) { /* zero means terse listing */ |
| + filemodestring (&f->stat, modebuf); |
| + modebuf[10] = (f->have_acl ? '+' : ' '); |
| + modebuf[11] = '\0'; |
| + |
| + /* print mode */ |
| + |
| + (void) sprintf (p, "%s ", modebuf); |
| + p += strlen (p); |
| + |
| + /* print standard user and group */ |
| + |
| + DIRED_FPUTS (buf, stdout, p - buf); |
| + format_user (f->stat.st_uid, owner_width, f->stat_ok); |
| + format_group (f->stat.st_gid, group_width, f->stat_ok); |
| + p = buf; |
| + } |
| + |
| + (void) sprintf (p, "%-32s ", f->scontext ?: ""); |
| + p += strlen (p); |
| + |
| + DIRED_INDENT (); |
| + DIRED_FPUTS (buf, stdout, p - buf); |
| + print_name_with_quoting (f->name, f->stat.st_mode, f->linkok, |
| + f->stat_ok, f->filetype, &dired_obstack); |
| + |
| + if (f->filetype == symbolic_link) { |
| + if (f->linkname) { |
| + DIRED_FPUTS_LITERAL (" -> ", stdout); |
| + print_name_with_quoting (f->linkname, f->linkmode, f->linkok - 1, |
| + f->stat_ok, f->filetype, NULL); |
| + if (indicator_style != none) |
| + print_type_indicator (f->stat_ok, f->linkmode, f->filetype); |
| + } |
| + } |
| + else { |
| + if (indicator_style != none) |
| + print_type_indicator (f->stat_ok, f->stat.st_mode, f->filetype); |
| + } |
| +} |
| diff -urp coreutils-6.10-orig/src/mkdir.c coreutils-6.10/src/mkdir.c |
| |
| |
| @@ -41,6 +41,7 @@ char *program_name; |
| static struct option const longopts[] = |
| { |
| {GETOPT_SELINUX_CONTEXT_OPTION_DECL}, |
| + {"context", required_argument, NULL, 'Z'}, |
| {"mode", required_argument, NULL, 'm'}, |
| {"parents", no_argument, NULL, 'p'}, |
| {"verbose", no_argument, NULL, 'v'}, |
| @@ -69,8 +70,8 @@ Mandatory arguments to long options are |
| -m, --mode=MODE set file mode (as in chmod), not a=rwx - umask\n\ |
| -p, --parents no error if existing, make parent directories as needed\n\ |
| -v, --verbose print a message for each created directory\n\ |
| - -Z, --context=CTX set the SELinux security context of each created\n\ |
| - directory to CTX\n\ |
| + -Z, --context=CONTEXT set the SELinux security context of each created\n\ |
| + createddirectory to CONTEXT\n\ |
| "), stdout); |
| fputs (HELP_OPTION_DESCRIPTION, stdout); |
| fputs (VERSION_OPTION_DESCRIPTION, stdout); |
| diff -urp coreutils-6.10-orig/src/mkfifo.c coreutils-6.10/src/mkfifo.c |
| |
| |
| @@ -58,7 +58,8 @@ Create named pipes (FIFOs) with the give |
| \n\ |
| "), stdout); |
| fputs (_("\ |
| - -Z, --context=CTX set the SELinux security context of each NAME to CTX\n\ |
| + -Z, --context=CONTEXT set the SELinux security context \n\ |
| + of each NAME to CONTEXT(quoted string)\n\ |
| "), stdout); |
| fputs (_("\ |
| Mandatory arguments to long options are mandatory for short options too.\n\ |
| diff -urp coreutils-6.10-orig/src/mknod.c coreutils-6.10/src/mknod.c |
| |
| |
| @@ -38,7 +38,7 @@ char *program_name; |
| |
| static struct option const longopts[] = |
| { |
| - {GETOPT_SELINUX_CONTEXT_OPTION_DECL}, |
| + {GETOPT_SELINUX_CONTEXT_OPTION_DECL}, |
| {"mode", required_argument, NULL, 'm'}, |
| {GETOPT_HELP_OPTION_DECL}, |
| {GETOPT_VERSION_OPTION_DECL}, |
| @@ -60,7 +60,8 @@ Create the special file NAME of the give |
| \n\ |
| "), stdout); |
| fputs(_("\ |
| - -Z, --context=CTX set the SELinux security context of NAME to CTX\n\ |
| + -Z, --context=CONTEXT set the SELinux security context \n\ |
| + of NAME to CONTEXT(quoted string)\n\ |
| "), stdout); |
| fputs (_("\ |
| Mandatory arguments to long options are mandatory for short options too.\n\ |
| diff -urp coreutils-6.10-orig/src/mv.c coreutils-6.10/src/mv.c |
| |
| |
| @@ -137,6 +137,7 @@ cp_option_init (struct cp_options *x) |
| x->preserve_mode = true; |
| x->preserve_timestamps = true; |
| x->preserve_security_context = selinux_enabled; |
| + x->set_security_context = false; |
| x->require_preserve = false; /* FIXME: maybe make this an option */ |
| x->require_preserve_context = false; |
| x->recursive = true; |
| diff -urp coreutils-6.10-orig/src/stat.c coreutils-6.10/src/stat.c |
| |
| |
| @@ -831,7 +831,7 @@ print_it (char const *format, char const |
| |
| /* Stat the file system and print what we find. */ |
| static bool |
| -do_statfs (char const *filename, bool terse, char const *format) |
| +do_statfs (char const *filename, bool terse, bool secure, char const *format) |
| { |
| STRUCT_STATVFS statfsbuf; |
| |
| @@ -843,15 +843,31 @@ do_statfs (char const *filename, bool te |
| } |
| |
| if (format == NULL) |
| + { |
| + if (terse) |
| { |
| - format = (terse |
| - ? "%n %i %l %t %s %S %b %f %a %c %d\n" |
| - : " File: \"%n\"\n" |
| - " ID: %-8i Namelen: %-7l Type: %T\n" |
| - "Block size: %-10s Fundamental block size: %S\n" |
| - "Blocks: Total: %-10b Free: %-10f Available: %a\n" |
| - "Inodes: Total: %-10c Free: %d\n"); |
| + if (secure) |
| + format = "%n %i %l %t %s %S %b %f %a %c %d %C\n"; |
| + else |
| + format = "%n %i %l %t %s %S %b %f %a %c %d\n"; |
| } |
| + else |
| + { |
| + if (secure) |
| + format = " File: \"%n\"\n" |
| + " ID: %-8i Namelen: %-7l Type: %T\n" |
| + "Block size: %-10s Fundamental block size: %S\n" |
| + "Blocks: Total: %-10b Free: %-10f Available: %a\n" |
| + "Inodes: Total: %-10c Free: %d\n" |
| + " S_Context: %C\n"; |
| + else |
| + format = " File: \"%n\"\n" |
| + " ID: %-8i Namelen: %-7l Type: %T\n" |
| + "Block size: %-10s Fundamental block size: %S\n" |
| + "Blocks: Total: %-10b Free: %-10f Available: %a\n" |
| + "Inodes: Total: %-10c Free: %d\n"; |
| + } |
| + } |
| |
| print_it (format, filename, print_statfs, &statfsbuf); |
| return true; |
| @@ -859,7 +875,7 @@ do_statfs (char const *filename, bool te |
| |
| /* stat the file and print what we find */ |
| static bool |
| -do_stat (char const *filename, bool terse, char const *format) |
| +do_stat (char const *filename, bool terse, bool secure, char const *format) |
| { |
| struct stat statbuf; |
| |
| @@ -872,9 +888,12 @@ do_stat (char const *filename, bool ters |
| if (format == NULL) |
| { |
| if (terse) |
| - { |
| - format = "%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %o\n"; |
| - } |
| + { |
| + if (secure) |
| + format = "%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %o %C\n"; |
| + else |
| + format = "%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %o\n"; |
| + } |
| else |
| { |
| /* Temporary hack to match original output until conditional |
| @@ -891,12 +910,22 @@ do_stat (char const *filename, bool ters |
| } |
| else |
| { |
| - format = |
| - " File: %N\n" |
| - " Size: %-10s\tBlocks: %-10b IO Block: %-6o %F\n" |
| - "Device: %Dh/%dd\tInode: %-10i Links: %h\n" |
| - "Access: (%04a/%10.10A) Uid: (%5u/%8U) Gid: (%5g/%8G)\n" |
| - "Access: %x\n" "Modify: %y\n" "Change: %z\n"; |
| + if (secure) |
| + format = |
| + " File: %N\n" |
| + " Size: %-10s\tBlocks: %-10b IO Block: %-6o %F\n" |
| + "Device: %Dh/%dd\tInode: %-10i Links: %-5h" |
| + " Device type: %t,%T\n" |
| + "Access: (%04a/%10.10A) Uid: (%5u/%8U) Gid: (%5g/%8G)\n" |
| + " S_Context: %C\n" |
| + "Access: %x\n" "Modify: %y\n" "Change: %z\n"; |
| + else |
| + format = |
| + " File: %N\n" |
| + " Size: %-10s\tBlocks: %-10b IO Block: %-6o %F\n" |
| + "Device: %Dh/%dd\tInode: %-10i Links: %h\n" |
| + "Access: (%04a/%10.10A) Uid: (%5u/%8U) Gid: (%5g/%8G)\n" |
| + "Access: %x\n" "Modify: %y\n" "Change: %z\n"; |
| } |
| } |
| } |
| @@ -917,6 +946,7 @@ usage (int status) |
| Display file or file system status.\n\ |
| \n\ |
| -L, --dereference follow links\n\ |
| + -Z, --context print the SELinux security context \n\ |
| -f, --file-system display file system status instead of file status\n\ |
| "), stdout); |
| fputs (_("\ |
| @@ -1001,6 +1031,7 @@ main (int argc, char *argv[]) |
| int i; |
| bool fs = false; |
| bool terse = false; |
| + bool secure = false; |
| char *format = NULL; |
| bool ok = true; |
| |
| @@ -1040,9 +1071,13 @@ main (int argc, char *argv[]) |
| terse = true; |
| break; |
| |
| - case 'Z': /* FIXME: remove in 2010, warn in mid 2008 */ |
| - /* Ignored, for compatibility with distributions |
| - that implemented this before upstream. */ |
| + case 'Z': |
| + if((is_selinux_enabled()>0)) |
| + secure = 1; |
| + else { |
| + error (0, 0, _("Kernel is not SELinux enabled")); |
| + usage (EXIT_FAILURE); |
| + } |
| break; |
| |
| case_GETOPT_HELP_CHAR; |
| @@ -1062,8 +1097,8 @@ main (int argc, char *argv[]) |
| |
| for (i = optind; i < argc; i++) |
| ok &= (fs |
| - ? do_statfs (argv[i], terse, format) |
| - : do_stat (argv[i], terse, format)); |
| + ? do_statfs (argv[i], terse, secure, format) |
| + : do_stat (argv[i], terse, secure, format)); |
| |
| exit (ok ? EXIT_SUCCESS : EXIT_FAILURE); |
| } |
| diff -urp coreutils-6.10-orig/tests/misc/selinux coreutils-6.10/tests/misc/selinux |
| |
| |
| @@ -32,12 +32,10 @@ chcon $ctx f d p 2>/dev/null || { |
| |
| # inspect that context with both ls -Z and stat. |
| for i in d f p; do |
| - c=`ls -dogZ $i|cut -d' ' -f3`; test x$c = x$ctx || fail=1 |
| + c=`ls -dogZ $i|cut -d' ' -f5`; test x$c = x$ctx || fail=1 |
| c=`stat --printf %C $i`; test x$c = x$ctx || fail=1 |
| done |
| |
| -# ensure that ls -l output includes the "+". |
| -c=`ls -l f|cut -c11`; test "$c" = + || fail=1 |
| |
| # Copy each to a new directory and ensure that context is preserved. |
| cp -r --preserve=all d f p s1 || fail=1 |