From 275560b2a380a5f34041fd4569a38791f25aa195 Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Sun, 10 Jul 2011 14:14:14 +0200
Subject: [PATCH] policycoreutils: fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs

Introduce a new file /etc/selinux/fixfiles_exclude_dirs which contains a list of directories which should not be relabeled.

Signed-off-by: Eric Paris
Acked-by: Dan Walsh
---
 policycoreutils/scripts/fixfiles | 49 +++++++++++++++++++++++++++++-
 policycoreutils/scripts/fixfiles.8 | 2 ++
 2 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index fa285eae..205c51fc 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -20,6 +20,35 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 
+exclude_dirs_from_relabelling() {
+exclude_from_relabelling=
+if [ -e /etc/selinux/fixfiles_exclude_dirs ]
+then
+while read i
+do
+# skip blank line and comment
+# skip not absolute path
+# skip not directory
+[ -z "${i}" ] && continue
+[[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
+[[ ! "${i}" =~ ^/.* ]] && continue
+[[ ! -d "${i}" ]] && continue
+exclude_from_relabelling="$exclude_from_relabelling -e $i"
+logit "skipping the directory $i from relabelling"
+done < /etc/selinux/fixfiles_exclude_dirs
+fi
+echo "$exclude_from_relabelling"
+}
+
+exclude_dirs() {
+exclude=
+for i in /home /root /tmp /dev; do
+[ -e $i ] && exclude="$exclude -e $i";
+done
+exclude="$exclude `exclude_dirs_from_relabelling`"
+echo "$exclude"
+}
+
 #
 # Set global Variables
 #
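Review bot: The comment filter on the `[[ "${i}" =~ "^[[:blank:]]*#" ]]` line never matches, because a quoted right-hand side of `=~` is compared as a literal string in bash 3.2 and later; comment lines are only dropped today by the following absolute-path test, and an inline comment such as `/tmp # scratch` reaches the `-d` test intact. Unquote the pattern, `[[ "${i}" =~ ^[[:blank:]]*# ]] && continue`, and read with `while IFS= read -r i` so backslashes in the configured paths survive. The function also returns the exclusions as one whitespace-joined string (`-e $i`) that the caller word-splits, so a directory whose name contains a space cannot be excluded; a bash array would carry such paths, but that changes the function's output contract and should be done together with its callers.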
@@ -133,8 +162,26 @@ if [ ! -z "$FILEPATH" ]; then
 fi
 [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
 LogReadOnly
+#
+exclude_dirs="`exclude_dirs_from_relabelling`"
+if [ -n "${exclude_dirs}" ]
+then
+TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
+test -z "$TEMPFCFILE" && exit
+/bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
+exclude_dirs=${exclude_dirs//-e/}
+for p in ${exclude_dirs}
+do
+p="${p%/}"
+p1="${p}(/.*)? -- <>"
+echo "${p1}" >> $TEMPFCFILE
+logit "skipping the directory ${p} from relabelling"
+done
+FC=$TEMPFCFILE
+fi
 ${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
+
 find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
 find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
 find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index dfe8aa97..0b4cbaaa 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all as you expect.
 By default it will relabel all mounted ext2, ext3, xfs and jfs file systems as long as they do not have a security context mount option. You can use the -R flag to use rpmpackages as an alternative.
+The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
+excluded from relabelling.
 .P
 .B fixfiles onboot
 will setup the machine to relabel on the next reboot.
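Review bot: `exclude_dirs=${exclude_dirs//-e/}` deletes every `-e` substring in the string, not only the option words, so a directory such as `/srv/web-export` is written to the temporary file_contexts as `/srv/webxport` and the real directory is relabelled after all; restrict the substitution to the separator, `exclude_dirs=${exclude_dirs// -e / }`, or iterate over the function's output without stripping. The path is also interpolated unescaped into a file_contexts regular expression on the `p1=` line, so `.`, `+` or `(` in a directory name widen or break the match; escaping regex metacharacters before building `p1` would be safer (the context after `--` appears here as `<>`, presumably a markup-stripped `<<none>>` — confirm against the real file). If `/bin/cp` fails the script exits and leaves the mktemp file beside `${FC}`, because cleanup only happens on the final `rm -rf` line; a `trap 'rm -f "$TEMPFCFILE"' EXIT` right after the mktemp check would cover every exit path. The `logit` message for each directory is emitted both inside `exclude_dirs_from_relabelling` and again in this loop, so each exclusion is logged twice.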