RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-02-18 10:36:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

policycoreutils: fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs

Browse Source 
Introduce a new file /etc/selinux/fixfiles_exclude_dirs which contains a
list of directories which should not be relabeled.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This commit is contained in:
Eric Paris 2011-07-10 14:14:14 +02:00
parent 5e096d9ceb
commit 275560b2a3
2 changed files with 50 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
policycoreutils/scripts/fixfiles
View File

@ -20,6 +20,35 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
exclude_dirs_from_relabelling() {
exclude_from_relabelling=
if [ -e /etc/selinux/fixfiles_exclude_dirs ]
then
while read i
do
# skip blank line and comment
# skip not absolute path
# skip not directory
[ -z "${i}" ] && continue
[[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
[[ ! "${i}" =~ ^/.* ]] && continue
[[ ! -d "${i}" ]] && continue
exclude_from_relabelling="$exclude_from_relabelling -e $i"
logit "skipping the directory $i from relabelling"
done < /etc/selinux/fixfiles_exclude_dirs
fi
echo "$exclude_from_relabelling"
}
exclude_dirs() {
exclude=
for i in /home /root /tmp /dev; do
[ -e $i ] && exclude="$exclude -e $i";
done
exclude="$exclude `exclude_dirs_from_relabelling`"
echo "$exclude"
}
# #
# Set global Variables # Set global Variables
# #
@ -133,8 +162,26 @@ if [ ! -z "$FILEPATH" ]; then
fi fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
LogReadOnly LogReadOnly
#
exclude_dirs="`exclude_dirs_from_relabelling`"
if [ -n "${exclude_dirs}" ]
then
TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
test -z "$TEMPFCFILE" && exit
/bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
exclude_dirs=${exclude_dirs//-e/}
for p in ${exclude_dirs}
do
p="${p%/}"
p1="${p}(/.*)? -- <<none>>"
echo "${p1}" >> $TEMPFCFILE
logit "skipping the directory ${p} from relabelling"
done
FC=$TEMPFCFILE
fi
${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE ${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;

2
policycoreutils/scripts/fixfiles.8
View File

@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all
as you expect. By default it will relabel all mounted ext2, ext3, xfs and as you expect. By default it will relabel all mounted ext2, ext3, xfs and
jfs file systems as long as they do not have a security context mount jfs file systems as long as they do not have a security context mount
option. You can use the -R flag to use rpmpackages as an alternative. option. You can use the -R flag to use rpmpackages as an alternative.
The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
excluded from relabelling.
.P .P
.B fixfiles onboot .B fixfiles onboot
will setup the machine to relabel on the next reboot. will setup the machine to relabel on the next reboot.