fixfiles: correctly restore context of mountpoints

By bind mounting every filesystem we want to relabel we can access all
files without anything hidden due to active mounts.

This comes at the cost of user experience, because setfiles only
displays the percentage if no path is given or the path is /

Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

policycoreutils/scripts/fixfiles

@@ -112,6 +112,7 @@ FORCEFLAG=""
 RPMFILES=""
 PREFC=""
 RESTORE_MODE=""
+BIND_MOUNT_FILESYSTEMS=""
 SETFILES=/sbin/setfiles
 RESTORECON=/sbin/restorecon
 FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
 	if [ -n "${FILESYSTEMSRW}" ]; then
 	    LogReadOnly
 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
-	    ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+
+	    if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
+	        ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+	    else
+	        # we bind mount so we can fix the labels of files that have already been
+	        # mounted over
+	        for m in `echo $FILESYSTEMSRW`; do
+	            TMP_MOUNT="$(mktemp -d)"
+	            test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
+
+	            mkdir -p "${TMP_MOUNT}${m}" || exit 1
+	            mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
+	            ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
+	            umount "${TMP_MOUNT}${m}" || exit 1
+	            rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
+	        done;
+	    fi
 	else
 	    echo >&2 "fixfiles: No suitable file systems found"
 	fi
@@ -313,6 +330,7 @@ case "$1" in
 	> /.autorelabel || exit $?
 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+	[ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
 	# Force full relabel if SELinux is not enabled
 	selinuxenabled || echo -F > /.autorelabel
 	echo "System will relabel on next boot"
@@ -324,7 +342,7 @@ esac
 }
 usage() {
 	echo $"""
-Usage: $0 [-v] [-F] [-f] relabel
+Usage: $0 [-v] [-F] [-M] [-f] relabel
 or
 Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
 or
@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
 or
 Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
 or
-Usage: $0 [-F] [-B] onboot
+Usage: $0 [-F] [-M] [-B] onboot
 """
 }
 
@@ -353,7 +371,7 @@ set_restore_mode() {
 }
 
 # See how we were called.
-while getopts "N:BC:FfR:l:v" i; do
+while getopts "N:BC:FfR:l:vM" i; do
     case "$i" in
 	B)
 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
 		echo "Redirecting output to $OPTARG"
 		exec >>"$OPTARG" 2>&1
 		;;
+	M)
+		BIND_MOUNT_FILESYSTEMS="-M"
+		;;
 	F)
 		FORCEFLAG="-F"
 		;;

policycoreutils/scripts/fixfiles.8

@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
 .na
 
 .B fixfiles
-.I [\-v] [\-F] [\-f] relabel
+.I [\-v] [\-F] [-M] [\-f] relabel
 
 .B fixfiles
 .I [\-v] [\-F] { check | restore | verify } dir/file ...
@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
 .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT  { check | restore | verify }
 
 .B fixfiles
-.I [-F] [-B] onboot
+.I [-F] [-M] [-B] onboot
 
 .ad
 
@@ -68,6 +68,10 @@ Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and
 Only act on files created after the specified date.  Date must be specified in
 "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
 
+.TP
+.B \-M
+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
+
 .TP
 .B -v
 Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)