Lots of fixes for fixfiles

Fix check for seclabel flag.
Restorecon commands should always use FORCEFLAG command if passed in.
Found a bug in handling of regex difference
All restorecon commands should use the exclude file path call.
Only cleanup /tmp on a Full Relabel, not a Check.
Set the BOOTTIME flag in the /.autorelabel file, so that we only relabel
files created since that time.  This should speed up the relabel.
This commit is contained in:
Dan Walsh 2013-10-09 17:43:52 -04:00 committed by Stephen Smalley
parent e63a8fa875
commit 2910ca2185


@ -3,7 +3,7 @@
# #
# Script to restore labels on a SELinux box # Script to restore labels on a SELinux box
# #
# Copyright (C) 2004-2011 Red Hat, Inc. # Copyright (C) 2004-2013 Red Hat, Inc.
# Authors: Dan Walsh <dwalsh@redhat.com> # Authors: Dan Walsh <dwalsh@redhat.com>
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
@ -26,11 +26,11 @@
# number if the current is less than 2.6.30 and 0 if they are the same. # number if the current is less than 2.6.30 and 0 if they are the same.
# #
function useseclabel { function useseclabel {
VER=`uname -r` VER=`uname -r`
SUP=2.6.30 SUP=2.6.30
expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \ expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \
'(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \ '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
'(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')'
} }
# #
@ -85,18 +85,18 @@ exclude_dirs_from_relabelling() {
exclude_from_relabelling= exclude_from_relabelling=
if [ -e /etc/selinux/fixfiles_exclude_dirs ] if [ -e /etc/selinux/fixfiles_exclude_dirs ]
then then
while read i while read i
do do
# skip blank line and comment # skip blank line and comment
# skip not absolute path # skip not absolute path
# skip not directory # skip not directory
[ -z "${i}" ] && continue [ -z "${i}" ] && continue
[[ "${i}" =~ "^[[:blank:]]*#" ]] && continue [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
[[ ! "${i}" =~ ^/.* ]] && continue [[ ! "${i}" =~ ^/.* ]] && continue
[[ ! -d "${i}" ]] && continue [[ ! -d "${i}" ]] && continue
exclude_from_relabelling="$exclude_from_relabelling -e $i" exclude_from_relabelling="$exclude_from_relabelling -e $i"
logit "skipping the directory $i from relabelling" logit "skipping the directory $i"
done < /etc/selinux/fixfiles_exclude_dirs done < /etc/selinux/fixfiles_exclude_dirs
fi fi
echo "$exclude_from_relabelling" echo "$exclude_from_relabelling"
} }
@ -104,7 +104,7 @@ exclude_dirs_from_relabelling() {
exclude_dirs() { exclude_dirs() {
exclude= exclude=
for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do
[ -e $i ] && exclude="$exclude -e $i"; [ -e $i ] && exclude="$exclude -e $i";
done done
exclude="$exclude `exclude_dirs_from_relabelling`" exclude="$exclude `exclude_dirs_from_relabelling`"
echo "$exclude" echo "$exclude"
@ -115,7 +115,6 @@ exclude_dirs() {
# #
fullFlag=0 fullFlag=0
BOOTTIME="" BOOTTIME=""
FORCEFLAG=""
VERBOSE="-p" VERBOSE="-p"
FORCEFLAG="" FORCEFLAG=""
DIRS="" DIRS=""
@ -152,7 +151,7 @@ fi
newer() { newer() {
DATE=$1 DATE=$1
for m in `echo $FILESYSTEMSRW`; do for m in `echo $FILESYSTEMSRW`; do
find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${VERBOSE} -i -0 -f - find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} -i -0 -f -
done; done;
} }
@ -172,24 +171,25 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
grep '^[<>]'|cut -c3-| grep ^/ | \ grep '^[<>]'|cut -c3-| grep ^/ | \
egrep -v '(^/home|^/root|^/tmp|^/dev)' |\ egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
sed -r -e 's,[[:blank:]].*,,g' \ sed -r -e 's,[[:blank:]].*,,g' \
-e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \ -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
-e 's|([/[:alnum:]])\?|{\1,}|g' \ -e 's|([/[:alnum:]])\?|{\1,}|g' \
-e 's|\?.*|*|g' \ -e 's|\?.*|*|g' \
-e 's|\{.*|*|g' \
-e 's|\(.*|*|g' \ -e 's|\(.*|*|g' \
-e 's|\[.*|*|g' \ -e 's|\[.*|*|g' \
-e 's|\.\*.*|*|g' \ -e 's|\.\*.*|*|g' \
-e 's|\.\+.*|*|g' | \ -e 's|\.\+.*|*|g' | \
# These two sorts need to be separate commands \ # These two sorts need to be separate commands \
sort -u | \ sort -u | \
sort -d | \ sort -d | \
while read pattern ; \ while read pattern ; \
do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \ do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
echo "$pattern"; \ echo "$pattern"; \
case "$pattern" in *"*") \ case "$pattern" in *"*") \
echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};; echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};;
esac; \ esac; \
fi; \ fi; \
done | \ done | \
${RESTORECON} ${VERBOSE} -i -f - -R `exclude_dirs`; \ ${RESTORECON} ${VERBOSE} -i -f - -R `exclude_dirs`; \
rm -f ${TEMPFILE} ${PREFCTEMPFILE} rm -f ${TEMPFILE} ${PREFCTEMPFILE}
fi fi
@ -214,6 +214,9 @@ rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
# if called with -n will only check file context # if called with -n will only check file context
# #
restore () { restore () {
OPTION=$1
shift
if [ ! -z "$PREFC" ]; then if [ ! -z "$PREFC" ]; then
diff_filecontext $* diff_filecontext $*
exit $? exit $?
@ -222,41 +225,45 @@ if [ ! -z "$BOOTTIME" ]; then
newer $BOOTTIME newer $BOOTTIME
exit $? exit $?
fi fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
rpmlist $i | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE
done
exit $?
fi
if [ ! -z "$FILEPATH" ]; then
${RESTORECON} ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE
return
fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
LogReadOnly LogReadOnly
# #
exclude_dirs="`exclude_dirs_from_relabelling`" exclude_dirs="`exclude_dirs_from_relabelling $OPTION`"
if [ -n "${exclude_dirs}" ] if [ -n "${exclude_dirs}" ]
then then
TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX` TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
test -z "$TEMPFCFILE" && exit test -z "$TEMPFCFILE" && exit
/bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
exclude_dirs=${exclude_dirs//-e/} tmpdirs=${tempdirs//-e/}
for p in ${exclude_dirs} for p in ${tmpdirs}
do do
p="${p%/}" p="${p%/}"
p1="${p}(/.*)? -- <<none>>" p1="${p}(/.*)? -- <<none>>"
echo "${p1}" >> $TEMPFCFILE echo "${p1}" >> $TEMPFCFILE
logit "skipping the directory ${p} from relabelling" logit "skipping the directory ${p}"
done done
FC=$TEMPFCFILE FC=$TEMPFCFILE
fi fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE
done
exit $?
fi
if [ ! -z "$FILEPATH" ]; then
${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE
return
fi
if [ -n "${FILESYSTEMSRW}" ]; then if [ -n "${FILESYSTEMSRW}" ]; then
echo "Relabeling `echo ${FILESYSTEMSRW}`" echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
${SETFILES} ${VERBOSE} -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
else else
echo >&2 "fixfiles: No suitable file systems found" echo >&2 "fixfiles: No suitable file systems found"
fi fi
if [ ${OPTION} != "Relabel" ]; then
return
fi
echo "Cleaning up labels on /tmp"
rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
UNDEFINED=`get_undefined_type` || exit $? UNDEFINED=`get_undefined_type` || exit $?
@ -265,20 +272,20 @@ find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -typ
find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \; find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \;
find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \; find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \; find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \; [ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
exit $? exit 0
} }
fullrelabel() { fullrelabel() {
logit "Cleaning out /tmp" logit "Cleaning out /tmp"
find /tmp/ -mindepth 1 -delete find /tmp/ -mindepth 1 -delete
LogReadOnly LogReadOnly
restore restore Relabel
} }
relabel() { relabel() {
if [ ! -z "$RPMFILES" ]; then if [ ! -z "$RPMFILES" ]; then
restore restore Relabel
fi fi
if [ $fullFlag == 1 ]; then if [ $fullFlag == 1 ]; then
@ -295,7 +302,7 @@ relabel() {
if [ "$answer" = y -o "$answer" = Y ]; then if [ "$answer" = y -o "$answer" = Y ]; then
fullrelabel fullrelabel
else else
restore restore Relabel
fi fi
} }
@ -304,9 +311,9 @@ process() {
# Make sure they specified one of the three valid commands # Make sure they specified one of the three valid commands
# #
case "$1" in case "$1" in
restore) restore;; restore) restore Relabel;;
check) restore -n -v;; check) VERBOSE="-v"; restore Check -n;;
verify) restore -n -o -;; verify) restore Verify -n -o -;;
relabel) relabel;; relabel) relabel;;
onboot) onboot)
> /.autorelabel > /.autorelabel
@ -322,14 +329,14 @@ case "$1" in
esac esac
} }
usage() { usage() {
echo $""" echo $"""
Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ] Usage: $0 [-v] [-F] [-N time ] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]
or or
Usage: $0 [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify } Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify }
or or
Usage: $0 [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify } Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
or or
Usage: $0 onboot Usage: $0 [-F] [-B] onboot
""" """
} }
@ -343,7 +350,6 @@ while getopts "N:BC:FfR:l:v" i; do
case "$i" in case "$i" in
B) B)
BOOTTIME=`/bin/who -b | awk '{print $3}'` BOOTTIME=`/bin/who -b | awk '{print $3}'`
echo $BOOTTIME
;; ;;
f) f)
fullFlag=1 fullFlag=1
@ -351,13 +357,13 @@ while getopts "N:BC:FfR:l:v" i; do
v) v)
VERBOSE="-v" VERBOSE="-v"
;; ;;
R) R)
RPMFILES=$OPTARG RPMFILES=$OPTARG
;; ;;
l) l)
LOGFILE=$OPTARG LOGFILE=$OPTARG
;; ;;
C) C)
PREFC=$OPTARG PREFC=$OPTARG
;; ;;
F) F)
@ -371,7 +377,6 @@ while getopts "N:BC:FfR:l:v" i; do
exit 1 exit 1
esac esac
done done
# Move out processed options from arguments # Move out processed options from arguments
shift $(( OPTIND - 1 )) shift $(( OPTIND - 1 ))
@ -401,7 +406,7 @@ else
FILEPATH=$1 FILEPATH=$1
process $command process $command
shift shift
done done
fi fi
fi fi
exit $? exit $?
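Review bot: On the Check and Verify paths the temporary file_contexts copy is leaked: `restore` now returns early at `if [ ${OPTION} != "Relabel" ]` before the `rm -rf ... $TEMPFCFILE` that follows it, so every check or verify run with a non-empty /etc/selinux/fixfiles_exclude_dirs leaves a `mktemp ${FC}.XXXXXXXXXX` copy behind next to the real file_contexts. In the same hunk `tmpdirs=${tempdirs//-e/}` reads a variable that is never assigned anywhere on this page (the line it replaced derived the list from `exclude_dirs`), so the loop that appends the `<<none>>` entries to that copy never runs and the copy is created for nothing; presumably `tmpdirs=${exclude_dirs//-e/}` was intended. I would change the early return to `if [ "${OPTION}" != "Relabel" ]; then` / `[ -z "$TEMPFCFILE" ] || rm -f -- "$TEMPFCFILE"` / `return`, quoting `${OPTION}` so the test cannot collapse into a syntax error when it is empty. The `$OPTION` argument now passed to `exclude_dirs_from_relabelling` is ignored by that function (it reads no positional parameter in the hunk shown) and can be dropped. `restore` is spread over three hunks with lines between them outside this view.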