RepoMirrors
/
selinux
mirror of https://github.com/SELinuxProject/selinux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

policycoreutils: fixfiles: deprecate -l option 

...and write log messages to standard output.

Some versions of fixfiles in 2004 created a logfile by default.
Apparently they also used `tee` to log to standard output at the same time.
We're also told that the logfile was implemented because there was too
much output generated for use on a tty, and it scrolled out of reach.

https://bugzilla.redhat.com/show_bug.cgi?id=131707

In the current version, none of these original reasons for `-l` remain.

The logfile is not created by default.  If no log file is specified,
messages are written to stdin [sic]... if and only stdin is a tty.  If
stdin is not a tty, the log defaults to /dev/null.

When a user runs fixfiles on a tty and finds there is too much output, she
is likely to try redirecting standard output and/or standard error using
the shell.  She will find this doesn't help, because fixfiles is writing
the verbose log messages to standard input.

I tried to fix the problem non-intrusively, by changing the default log
file to `/dev/stdout`.  Sadly, this breaks down where you have
`echo >>$LOGFILE "Log message"` inside a specific function, which is run
with output redirected in order to "return" a string value (captured
into a variable).  exclude_dirs_from_relabelling() was such a function.

I was trying to abstract over writing to both normal files and stdout, but
my abstraction "leaks" in a non-obvious way.

There is a simple solution.  We can write the log messages to standard
output.  When we are passed `-l` by a legacy script, we can redirect
standard output to the logfile.

This removes any distinctions between the logfile and "non-log" messages.
Some calls to restorecon were missing redirections to the log file.
"Cleaning out /tmp" was written to the log file, but "Cleaning out labels
on /tmp" was not.  There were no comments to explain these distinctions.
This commit is contained in:
Alan Jenkins 2017-05-04 18:01:22 +01:00 committed by James Carter
parent 48d425e7c6
commit 8e9c9a20cb
1 changed files with 12 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
policycoreutils/scripts/fixfiles
View File

@ -109,11 +109,6 @@ VERBOSE="-p"
FORCEFLAG="" FORCEFLAG=""
DIRS="" DIRS=""
RPMILES="" RPMILES=""
LOGFILE=`tty`
if [ $? != 0 ]; then
LOGFILE="/dev/null"
fi
LOGGER=/usr/sbin/logger
SETFILES=/sbin/setfiles SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts` FILESYSTEMSRW=`get_rw_labeled_mounts`
@ -127,22 +122,13 @@ else
FC=/etc/security/selinux/file_contexts FC=/etc/security/selinux/file_contexts
fi fi
#
# Log to either syslog or a LOGFILE
#
logit () {
if [ -n $LOGFILE ]; then
echo $1 >> $LOGFILE
fi
}
# #
# Log all Read Only file systems # Log all Read Only file systems
# #
LogReadOnly() { LogReadOnly() {
if [ ! -z "$FILESYSTEMSRO" ]; then if [ ! -z "$FILESYSTEMSRO" ]; then
logit "Warning: Skipping the following R/O filesystems:" echo "Warning: Skipping the following R/O filesystems:"
logit "$FILESYSTEMSRO" echo "$FILESYSTEMSRO"
fi fi
} }
@ -151,7 +137,7 @@ fi
# #
LogExcluded() { LogExcluded() {
for i in ${EXCLUDEDIRS//-e / }; do for i in ${EXCLUDEDIRS//-e / }; do
logit "skipping the directory $i" echo "skipping the directory $i"
done done
} }
@ -240,18 +226,18 @@ LogExcluded
if [ ! -z "$RPMFILES" ]; then if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
rpmlist $i | ${RESTORECON} ${EXCLUDEDIRS} ${FORCEFLAG} ${VERBOSE} $* -R -i -f - >>$LOGFILE 2>&1 rpmlist $i | ${RESTORECON} ${EXCLUDEDIRS} ${FORCEFLAG} ${VERBOSE} $* -R -i -f -
done done
exit $? exit $?
fi fi
if [ ! -z "$FILEPATH" ]; then if [ ! -z "$FILEPATH" ]; then
${RESTORECON} ${EXCLUDEDIRS} ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH" >>$LOGFILE 2>&1 ${RESTORECON} ${EXCLUDEDIRS} ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH"
return return
fi fi
if [ -n "${FILESYSTEMSRW}" ]; then if [ -n "${FILESYSTEMSRW}" ]; then
LogReadOnly LogReadOnly
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} >>$LOGFILE 2>&1 ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW}
else else
echo >&2 "fixfiles: No suitable file systems found" echo >&2 "fixfiles: No suitable file systems found"
fi fi
@ -272,7 +258,7 @@ exit 0
} }
fullrelabel() { fullrelabel() {
logit "Cleaning out /tmp" echo "Cleaning out /tmp"
find /tmp/ -mindepth 1 -delete find /tmp/ -mindepth 1 -delete
LogReadOnly LogReadOnly
restore Relabel restore Relabel
@ -325,9 +311,9 @@ esac
} }
usage() { usage() {
echo $""" echo $"""
Usage: $0 [-v] [-F] [-N time ] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ] Usage: $0 [-v] [-F] [-N time ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]
or or
Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify } Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
or or
Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify } Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
or or
@ -356,7 +342,9 @@ while getopts "N:BC:FfR:l:v" i; do
RPMFILES=$OPTARG RPMFILES=$OPTARG
;; ;;
l) l)
LOGFILE=$OPTARG # Old scripts use obsolete option `-l logfile`
echo "Redirecting output to $OPTARG"
exec >>"$OPTARG" 2>&1
;; ;;
C) C)
PREFC=$OPTARG PREFC=$OPTARG