policycoreutils: fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs

Introduce a new file /etc/selinux/fixfiles_exclude_dirs which contains a list of directories which should not be relabeled. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-07-10 14:14:14 +02:00 · 2011-07-10 14:14:14 +02:00 · 275560b2a3
parent 5e096d9ceb
commit 275560b2a3
2 changed files with 50 additions and 1 deletions
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@ -20,6 +20,35 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+exclude_dirs_from_relabelling() {
+    exclude_from_relabelling=
+    if [ -e /etc/selinux/fixfiles_exclude_dirs ]
+    then
+        while read i
+        do
+          # skip blank line and comment
+          # skip not absolute path
+          # skip not directory
+          [ -z "${i}" ] && continue
+          [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
+          [[ ! "${i}" =~ ^/.* ]] && continue
+          [[ ! -d "${i}" ]] && continue
+          exclude_from_relabelling="$exclude_from_relabelling -e $i"
+          logit "skipping the directory $i from relabelling"
+        done < /etc/selinux/fixfiles_exclude_dirs
+    fi
+    echo "$exclude_from_relabelling"
+}
+
+exclude_dirs() {
+    exclude=
+    for i in /home /root /tmp /dev; do
+        [ -e $i ]  && exclude="$exclude -e $i";
+    done
+    exclude="$exclude `exclude_dirs_from_relabelling`"
+    echo "$exclude"
+}
+
 #
 # Set global Variables
 #
@ -133,8 +162,26 @@ if [ ! -z "$FILEPATH" ]; then
 fi
 [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
 LogReadOnly
+#
+exclude_dirs="`exclude_dirs_from_relabelling`"
+if [ -n "${exclude_dirs}" ]
+then
+	TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
+	test -z "$TEMPFCFILE" && exit
+	/bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
+	exclude_dirs=${exclude_dirs//-e/}
+	for p in ${exclude_dirs}
+	do
+		p="${p%/}"
+		p1="${p}(/.*)? -- <<none>>"
+		echo "${p1}" >> $TEMPFCFILE
+		logit "skipping the directory ${p} from relabelling"
+	done
+FC=$TEMPFCFILE
+fi
 ${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
+
 find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
 find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
 find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@ -29,6 +29,8 @@ new policy, or  just check whether the file contexts are all
 as you expect.  By default it will relabel all mounted ext2, ext3, xfs and 
 jfs file systems as long as they do not have a security context mount 
 option.  You can use the -R flag to use rpmpackages as an alternative.
+The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
+excluded from relabelling.
 .P
 .B fixfiles onboot 
 will setup the machine to relabel on the next reboot.