From 6e289bb7bf3dc6abc9b2c46f809e83512c9f5db4 Mon Sep 17 00:00:00 2001
From: Alan Jenkins
Date: Sun, 7 May 2017 12:05:54 +0100
Subject: [PATCH] policycoreutils: fixfiles: remove bad modes of "relabel" command
* `fixfiles -B relabel` or `fixfiles -C previouscontext relabel` would skip the code that handles e.g. `/var/tmp`, which would be run by `fixfiles relabel`. It would still remove all files in /tmp (subject to user confirmation). This is confusing, undocumented, and unlikely to be intentional.
* `fixfiles relabel path1 path2` is the same, except it would only relabel the first path.
* `fixfiles -R ... relabel` was equivalent to `fixfiles -R ... restore`, again contradicting the man page.
Also `fixfiles onboot` would ignore paths, -C, or -R.
fixfiles is mostly for users, where it should be acceptable to remove these non-sensical combinations.
`fixfiles -C` is used in selinux-policy rpm install scripts. However I believe the rpms used `fixfiles -C previouscontext restore`, and did not either require user interaction or blow away /tmp without prompting. So they should still work fine.
With these combinations removed, we can remove the `exit` calls which were seen in some of the (non-error) code paths in `restore()`.
Signed-off-by: Alan Jenkins
---
policycoreutils/scripts/fixfiles | 26 +++++++++++++++-----------
policycoreutils/scripts/fixfiles.8 | 7 +++++--
2 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index df70b277..ce4a01a9 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -216,11 +216,11 @@ shift
case "$RESTORE_MODE" in
PREFC)
diff_filecontext $*
- exit $?
+ return
;;
BOOTTIME)
newer $BOOTTIME $*
- exit $?
+ return
;;
esac
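Review bot: The bare `return` in the PREFC and BOOTTIME arms hands back whatever `diff_filecontext` or `newer` last returned, and with the trailing `exit $?` and the DEFAULT arm's `exit 0` also removed later in this patch, the script's exit status is now implicit in every mode. In DEFAULT mode it becomes the status of the final `[ ! -e /var/lib/debug ] || find ...` line instead of a fixed 0, so callers that check the result (the commit message mentions rpm install scripts) may see a different status than before, and presumably still not the status of the labeling command itself, which is outside the visible lines. I would make the contract explicit: `return $?` here with a comment such as `# hand the helper's status back to the caller instead of exiting`, and a deliberate status at the end of the DEFAULT arm. restore() starts before and ends after this hunk.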
@@ -234,11 +234,9 @@ case "$RESTORE_MODE" in
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
rpmlist $i | ${RESTORECON} ${EXCLUDEDIRS} ${FORCEFLAG} ${VERBOSE} $* -R -i -f -
done
- exit $?
;;
FILEPATH)
${RESTORECON} ${EXCLUDEDIRS} ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH"
- return # to loop over each FILEPATH
;;
DEFAULT)
if [ -n "${FILESYSTEMSRW}" ]; then
@@ -261,7 +259,6 @@ case "$RESTORE_MODE" in
find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
[ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
- exit 0
;;
esac
}
@@ -269,17 +266,19 @@ esac
fullrelabel() {
echo "Cleaning out /tmp"
find /tmp/ -mindepth 1 -delete
- LogReadOnly
restore Relabel
}
+
relabel() {
- if [ "$RESTORE_MODE" == RPMFILES ]; then
- restore Relabel
+ if [ "$RESTORE_MODE" != DEFAULT ]; then
+ usage
+ exit 1
fi
if [ $fullFlag == 1 ]; then
fullrelabel
+ return
fi
echo -n "
@@ -306,6 +305,10 @@ case "$1" in
verify) restore Verify -n;;
relabel) relabel;;
onboot)
+ if [ "$RESTORE_MODE" != DEFAULT ]; then
+ usage
+ exit 1
+ fi
> /.autorelabel
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
@@ -320,9 +323,11 @@ esac
}
usage() {
echo $"""
-Usage: $0 [-v] [-F] { check | restore | [-f] relabel | verify } dir/file ...
+Usage: $0 [-v] [-F] [-f] relabel
or
-Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | [-f] relabel | verify }
+Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
+or
+Usage: $0 [-v] [-F] { check | restore | verify } dir/file ...
or
Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
or
@@ -408,4 +413,3 @@ else
process "$command"
fi
-exit $?
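Review bot: In `relabel()` the new `RESTORE_MODE != DEFAULT` guard refuses invocations that used to run (`-B`, `-C`, `-R` or a path combined with `relabel`, per the commit message) but prints only the generic usage text, so an administrator or an existing script gets no hint about which option was rejected. A refused relabel leaves file contexts untouched, so the reason is worth stating; I would add one line to stderr before `usage`, for example `echo "$0: relabel cannot be combined with -B, -C, -R or paths" >&2`. The same applies to the identical guard added in the `onboot)` arm. relabel() continues past the end of this hunk.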
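Review bot: In the `onboot)` arm the new guard appears to make the unchanged line `[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel` unreachable with a non-empty `$BOOTTIME`. The first hunk shows `BOOTTIME` is a `RESTORE_MODE` value whose arm consumes `$BOOTTIME`, so if `-B`/`-N` select that mode (option parsing is outside this diff), `fixfiles -B onboot` now exits with usage instead of recording the time for the boot-time relabel. The commit message lists only paths, `-C` and `-R` as things `onboot` ignored, so this looks unintended. If that reading is right, let that mode through: `if [ "$RESTORE_MODE" != DEFAULT ] && [ "$RESTORE_MODE" != BOOTTIME ]; then`.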
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 7a00bc38..9f447f03 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -6,10 +6,13 @@ fixfiles \- fix file SELinux security contexts.
.na
.B fixfiles
-.I [\-v] [\-F] { check | restore | [\-f] relabel | verify } dir/file ...
+.I [\-v] [\-F] [\-f] relabel
.B fixfiles
-.I [\-v] [\-F] [\-B | \-N time ] { check | restore | [\-f] relabel | verify }
+.I [\-v] [\-F] { check | restore | verify } dir/file ...
+
+.B fixfiles
+.I [\-v] [\-F] [\-B | \-N time ] { check | restore | verify }
.B fixfiles
.I [\-v] [\-F] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }