diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
index b10fe684eff91788a9d36b4e5529dfa3964a0d8e..688ab9df4090b4e62a1bc10dabde0eb8e2aeb7f1 100644
--- a/libselinux/include/selinux/restorecon.h
+++ b/libselinux/include/selinux/restorecon.h
@@ -126,6 +126,11 @@ extern int selinux_restorecon_parallel(const char *pathname,
 */
 #define SELINUX_RESTORECON_COUNT_ERRORS 0x20000
+/*
+ * Count, but otherwise ignore, errors during the file tree walk.
+ */
+#define SELINUX_RESTORECON_LABEL_DATA_APP_EL 0x40000
+
 /**
 * selinux_restorecon_set_sehandle - Set the global fc handle.
 * @hndl: specifies handle to set as the global fc handle.
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index dea3adbcb69198519ea6527ed456c5db998df631..abbba50201dfbba08af251d92f6ca2a87b29d7a2 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -87,6 +87,7 @@ struct rest_flags {
 bool warnonnomatch;
 bool conflicterror;
 bool count_errors;
+ bool labelDataAppEl;
 };
 static void restorecon_init(void)
@@ -639,11 +640,12 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi
 bool updated = false;
 const char *lookup_path = pathname;
 float pc;
- if (!strncmp(pathname, DATA_APP_EL1, sizeof(DATA_APP_EL1) - 1) ||
+ /* support to re-label subfolder under data/app/el2/ when labelDataAppEl is true */
+ if (!flags->labelDataAppEl && (!strncmp(pathname, DATA_APP_EL1, sizeof(DATA_APP_EL1) - 1) ||
 !strncmp(pathname, DATA_APP_EL2, sizeof(DATA_APP_EL2) - 1) ||
 !strncmp(pathname, DATA_APP_EL3, sizeof(DATA_APP_EL3) - 1) ||
 !strncmp(pathname, DATA_APP_EL4, sizeof(DATA_APP_EL4) - 1) ||
- !strncmp(pathname, DATA_ACCOUNTS_ACCOUNT_0, sizeof(DATA_ACCOUNTS_ACCOUNT_0) - 1)) {
+ !strncmp(pathname, DATA_ACCOUNTS_ACCOUNT_0, sizeof(DATA_ACCOUNTS_ACCOUNT_0) - 1))) {
 goto out;
 }
 if (rootpath) {
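Review bot: The comment above `SELINUX_RESTORECON_LABEL_DATA_APP_EL` repeats the text that describes `SELINUX_RESTORECON_COUNT_ERRORS` and says nothing about the new flag. Going by the restorecon_sb() hunk in selinux_restorecon.c, the flag turns off the default skip for paths under the DATA_APP_EL1 to DATA_APP_EL4 and DATA_ACCOUNTS_ACCOUNT_0 prefixes, so the header comment should read something like `Relabel entries under the data/app/el1-el4 and account_0 trees, which are skipped by default.` Because this is a public flag that widens what a caller can relabel, the comment should also state which callers are expected to set it. The value 0x40000 is fork-local and may collide with a flag added upstream later, which deserves a short note next to the define.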
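Review bot: The new field `labelDataAppEl` is camelCase, while the neighbouring members of `struct rest_flags` visible in this hunk (`warnonnomatch`, `conflicterror`, `count_errors`) are lower-case; `bool label_data_app_el;` would match them. The same name is used in the restorecon_sb() and selinux_restorecon_common() hunks, so a rename has to cover all three places. The struct definition begins outside this hunk.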
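Review bot: The added comment names only data/app/el2/, but `!flags->labelDataAppEl &&` guards the whole disjunction, so setting the flag also stops the skip for paths under DATA_APP_EL1, DATA_APP_EL3, DATA_APP_EL4 and DATA_ACCOUNTS_ACCOUNT_0. If only el2 is meant to be relabelled, the flag test should be attached to the DATA_APP_EL2 comparison alone. If the wider scope is intended, the comment should say so, e.g. `/* relabel the el1-el4 and account_0 subtrees only when labelDataAppEl is set */`. Either way, a caller that passes the flag on a broad path relabels every one of these trees the walk reaches, which matters if another component is supposed to own their labels (not visible here). The body of restorecon_sb() starts and ends outside the hunk.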
@@ -1054,6 +1056,8 @@ static int selinux_restorecon_common(const char *pathname_orig,
 state.flags.count_errors = (restorecon_flags &
 SELINUX_RESTORECON_COUNT_ERRORS) ? true : false;
 state.setrestorecondigest = true;
+ state.flags.labelDataAppEl = (restorecon_flags &
+ SELINUX_RESTORECON_LABEL_DATA_APP_EL) ? true : false;
 state.head = NULL;
 state.current = NULL;