RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-01-08 06:30:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Lots of fixes for fixfiles

Browse Source 
Fix check for seclabel flag.
Restorecon commands should always use FORCEFLAG command if passed in.
Found a bug in handling of regex difference
All restorecon commands should use the exclude file path call.
Only cleanup /tmp on a Full Relabel, not a Check.
Set BOOTIME flag in /.autorelabel file, so that we can only relabel
files created since this time.  Should speed up relabel.
This commit is contained in:
Dan Walsh 2013-10-09 17:43:52 -04:00 committed by Stephen Smalley
parent e63a8fa875
commit 2910ca2185
1 changed files with 84 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
policycoreutils/scripts/fixfiles
View File

@ -3,7 +3,7 @@
# #
# Script to restore labels on a SELinux box # Script to restore labels on a SELinux box
# #
# Copyright (C) 2004-2011 Red Hat, Inc. # Copyright (C) 2004-2013 Red Hat, Inc.
# Authors: Dan Walsh <dwalsh@redhat.com> # Authors: Dan Walsh <dwalsh@redhat.com>
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
@ -95,7 +95,7 @@ exclude_dirs_from_relabelling() {
[[ ! "${i}" =~ ^/.* ]] && continue [[ ! "${i}" =~ ^/.* ]] && continue
[[ ! -d "${i}" ]] && continue [[ ! -d "${i}" ]] && continue
exclude_from_relabelling="$exclude_from_relabelling -e $i" exclude_from_relabelling="$exclude_from_relabelling -e $i"
logit "skipping the directory $i from relabelling" logit "skipping the directory $i"
done < /etc/selinux/fixfiles_exclude_dirs done < /etc/selinux/fixfiles_exclude_dirs
fi fi
echo "$exclude_from_relabelling" echo "$exclude_from_relabelling"
@ -115,7 +115,6 @@ exclude_dirs() {
# #
fullFlag=0 fullFlag=0
BOOTTIME="" BOOTTIME=""
FORCEFLAG=""
VERBOSE="-p" VERBOSE="-p"
FORCEFLAG="" FORCEFLAG=""
DIRS="" DIRS=""
@ -152,7 +151,7 @@ fi
newer() { newer() {
DATE=$1 DATE=$1
for m in `echo $FILESYSTEMSRW`; do for m in `echo $FILESYSTEMSRW`; do
find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${VERBOSE} -i -0 -f - find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} -i -0 -f -
done; done;
} }
@ -175,6 +174,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
-e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \ -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
-e 's|([/[:alnum:]])\?|{\1,}|g' \ -e 's|([/[:alnum:]])\?|{\1,}|g' \
-e 's|\?.*|*|g' \ -e 's|\?.*|*|g' \
-e 's|\{.*|*|g' \
-e 's|\(.*|*|g' \ -e 's|\(.*|*|g' \
-e 's|\[.*|*|g' \ -e 's|\[.*|*|g' \
-e 's|\.\*.*|*|g' \ -e 's|\.\*.*|*|g' \
@ -214,6 +214,9 @@ rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
# if called with -n will only check file context # if called with -n will only check file context
# #
restore () { restore () {
OPTION=$1
shift
if [ ! -z "$PREFC" ]; then if [ ! -z "$PREFC" ]; then
diff_filecontext $* diff_filecontext $*
exit $? exit $?
@ -222,41 +225,45 @@ if [ ! -z "$BOOTTIME" ]; then
newer $BOOTTIME newer $BOOTTIME
exit $? exit $?
fi fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
rpmlist $i | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE
done
exit $?
fi
if [ ! -z "$FILEPATH" ]; then
${RESTORECON} ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE
return
fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
LogReadOnly LogReadOnly
# #
exclude_dirs="`exclude_dirs_from_relabelling`" exclude_dirs="`exclude_dirs_from_relabelling $OPTION`"
if [ -n "${exclude_dirs}" ] if [ -n "${exclude_dirs}" ]
then then
TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX` TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
test -z "$TEMPFCFILE" && exit test -z "$TEMPFCFILE" && exit
/bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
exclude_dirs=${exclude_dirs//-e/} tmpdirs=${tempdirs//-e/}
for p in ${exclude_dirs} for p in ${tmpdirs}
do do
p="${p%/}" p="${p%/}"
p1="${p}(/.*)? -- <<none>>" p1="${p}(/.*)? -- <<none>>"
echo "${p1}" >> $TEMPFCFILE echo "${p1}" >> $TEMPFCFILE
logit "skipping the directory ${p} from relabelling" logit "skipping the directory ${p}"
done done
FC=$TEMPFCFILE FC=$TEMPFCFILE
fi fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE
done
exit $?
fi
if [ ! -z "$FILEPATH" ]; then
${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE
return
fi
if [ -n "${FILESYSTEMSRW}" ]; then if [ -n "${FILESYSTEMSRW}" ]; then
echo "Relabeling `echo ${FILESYSTEMSRW}`" echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
${SETFILES} ${VERBOSE} -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
else else
echo >&2 "fixfiles: No suitable file systems found" echo >&2 "fixfiles: No suitable file systems found"
fi fi
if [ ${OPTION} != "Relabel" ]; then
return
fi
echo "Cleaning up labels on /tmp"
rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
UNDEFINED=`get_undefined_type` || exit $? UNDEFINED=`get_undefined_type` || exit $?
@ -265,20 +272,20 @@ find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -typ
find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \; find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \;
find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \; find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \; find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \; [ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
exit $? exit 0
} }
fullrelabel() { fullrelabel() {
logit "Cleaning out /tmp" logit "Cleaning out /tmp"
find /tmp/ -mindepth 1 -delete find /tmp/ -mindepth 1 -delete
LogReadOnly LogReadOnly
restore restore Relabel
} }
relabel() { relabel() {
if [ ! -z "$RPMFILES" ]; then if [ ! -z "$RPMFILES" ]; then
restore restore Relabel
fi fi
if [ $fullFlag == 1 ]; then if [ $fullFlag == 1 ]; then
@ -295,7 +302,7 @@ relabel() {
if [ "$answer" = y -o "$answer" = Y ]; then if [ "$answer" = y -o "$answer" = Y ]; then
fullrelabel fullrelabel
else else
restore restore Relabel
fi fi
} }
@ -304,9 +311,9 @@ process() {
# Make sure they specified one of the three valid commands # Make sure they specified one of the three valid commands
# #
case "$1" in case "$1" in
restore) restore;; restore) restore Relabel;;
check) restore -n -v;; check) VERBOSE="-v"; restore Check -n;;
verify) restore -n -o -;; verify) restore Verify -n -o -;;
relabel) relabel;; relabel) relabel;;
onboot) onboot)
> /.autorelabel > /.autorelabel
@ -323,13 +330,13 @@ esac
} }
usage() { usage() {
echo $""" echo $"""
Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ] Usage: $0 [-v] [-F] [-N time ] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]
or or
Usage: $0 [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify } Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify }
or or
Usage: $0 [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify } Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
or or
Usage: $0 onboot Usage: $0 [-F] [-B] onboot
""" """
} }
@ -343,7 +350,6 @@ while getopts "N:BC:FfR:l:v" i; do
case "$i" in case "$i" in
B) B)
BOOTTIME=`/bin/who -b | awk '{print $3}'` BOOTTIME=`/bin/who -b | awk '{print $3}'`
echo $BOOTTIME
;; ;;
f) f)
fullFlag=1 fullFlag=1
@ -371,7 +377,6 @@ while getopts "N:BC:FfR:l:v" i; do
exit 1 exit 1
esac esac
done done
# Move out processed options from arguments # Move out processed options from arguments
shift $(( OPTIND - 1 )) shift $(( OPTIND - 1 ))