mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-25 15:32:07 +00:00
Patch setfiles to only warn if add_remove fails to lstat on user initiated excludes.
On Tue, 2009-08-11 at 08:12 -0400, Daniel J Walsh wrote: > On 08/10/2009 04:12 PM, Stephen Smalley wrote: > > On Mon, 2009-08-10 at 16:03 -0400, Stephen Smalley wrote: > >> On Mon, 2009-08-10 at 11:13 -0400, Daniel J Walsh wrote: > >>> Currently in F12 if you have file systems that root can not read > >>> > >>> # restorecon -R -v /var/lib/libvirt/ > >>> Can't stat directory "/home/dwalsh/.gvfs", Permission denied. > >>> Can't stat directory "/home/dwalsh/redhat", Permission denied. > >>> > >>> After patch > >>> > >>> # ./restorecon -R -v /var/lib/libvirt/ > >> > >> But if you were to run > >> ./restorecon -R /home/dwalsh > >> that would try to descend into .gvfs and redhat, right? > >> > >> I think you want instead to ignore the lstat error if the error was > >> permission denied and add the entry to the exclude list so that > >> restorecon will not try to descend into it. It is ok to exclude a > >> directory to which you lack permission. Try this: > > > > Also, why limit -e to only directories? Why not let the user exclude > > individual files if they choose to do so? In which case we could drop > > the mode test altogether, and possibly drop the lstat() call altogether? > > Or if you truly want to warn the user about non-existent paths, then > > take the lstat() and warning to the 'e' option processing in main() > > instead of doing it inside of add_exclude(). > > > I agree lets remove the directory check and warn on non existing files. Does this handle it correctly for you? Remove the directory check for the -e option and only apply the existence test to user-specified entries. Also ignore permission denied errors as it is ok to exclude a directory or file to which the caller lacks permission. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
parent
0fb9c99a4d
commit
b0c1077c34
@ -236,25 +236,13 @@ void filespec_destroy(void)
|
||||
|
||||
static int add_exclude(const char *directory)
|
||||
{
|
||||
struct stat sb;
|
||||
size_t len = 0;
|
||||
|
||||
if (directory == NULL || directory[0] != '/') {
|
||||
fprintf(stderr, "Full path required for exclude: %s.\n",
|
||||
directory);
|
||||
return 1;
|
||||
}
|
||||
if (lstat(directory, &sb)) {
|
||||
fprintf(stderr, "Can't stat directory \"%s\", %s.\n",
|
||||
directory, strerror(errno));
|
||||
return 0;
|
||||
}
|
||||
if ((sb.st_mode & S_IFDIR) == 0) {
|
||||
fprintf(stderr,
|
||||
"\"%s\" is not a Directory: mode %o, ignoring\n",
|
||||
directory, sb.st_mode);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (excludeCtr == MAX_EXCLUDES) {
|
||||
fprintf(stderr, "Maximum excludes %d exceeded.\n",
|
||||
MAX_EXCLUDES);
|
||||
@ -840,6 +828,11 @@ int main(int argc, char **argv)
|
||||
}
|
||||
case 'e':
|
||||
remove_exclude(optarg);
|
||||
if (lstat(optarg, &sb) < 0 && errno != EACCES) {
|
||||
fprintf(stderr, "Can't stat exclude path \"%s\", %s - ignoring.\n",
|
||||
optarg, strerror(errno));
|
||||
break;
|
||||
}
|
||||
if (add_exclude(optarg))
|
||||
exit(1);
|
||||
break;
|
||||
|
Loading…
Reference in New Issue
Block a user