diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 5d777034..30dadb4f 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -112,6 +112,7 @@ FORCEFLAG=""
 RPMFILES=""
 PREFC=""
 RESTORE_MODE=""
+BIND_MOUNT_FILESYSTEMS=""
 SETFILES=/sbin/setfiles
 RESTORECON=/sbin/restorecon
 FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
 if [ -n "${FILESYSTEMSRW}" ]; then
 LogReadOnly
 echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+
+ if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+ else
+ # we bind mount so we can fix the labels of files that have already been
+ # mounted over
+ for m in `echo $FILESYSTEMSRW`; do
+ TMP_MOUNT="$(mktemp -d)"
+ test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
+
+ mkdir -p "${TMP_MOUNT}${m}" || exit 1
+ mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
+ umount "${TMP_MOUNT}${m}" || exit 1
+ rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
+ done;
+ fi
 else
 echo >&2 "fixfiles: No suitable file systems found"
 fi
@@ -313,6 +330,7 @@ case "$1" in
 > /.autorelabel || exit $?
 [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
 [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
 # Force full relabel if SELinux is not enabled
 selinuxenabled || echo -F > /.autorelabel
 echo "System will relabel on next boot"
@@ -324,7 +342,7 @@ esac
 }
 usage() {
 echo $"""
-Usage: $0 [-v] [-F] [-f] relabel
+Usage: $0 [-v] [-F] [-M] [-f] relabel
 or
 Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
 or
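Review bot: The guard `test -z ${TMP_MOUNT+x}` in the added bind-mount loop can never fire, because `${TMP_MOUNT+x}` expands to `x` whenever the variable is set and the assignment on the line before sets it even when `mktemp -d` fails and prints nothing. With an empty `TMP_MOUNT` the next lines act on `"${m}"` itself (`mount --bind "${m}" "${m}"`, then setfiles with `-r ""`), so the check should test mktemp's status and the value: `TMP_MOUNT="$(mktemp -d)" || exit 1` followed by `[ -n "$TMP_MOUNT" ] || exit 1`. The temporary tree only ever holds empty directories, so removing them with `rmdir` rather than `rm -rf "${TMP_MOUNT}"` would keep cleanup from ever recursing into a bind mount that is still attached, and a `trap` that unmounts would cover an interrupt between `mount` and `umount`. The exit status of the setfiles call in the loop is also ignored, unlike the commands around it. The enclosing `case "$RESTORE_MODE"` arm starts and ends outside the hunk.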
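Review bot: The `-M` appended by the added line is thrown away two lines later when SELinux is not enabled, because `selinuxenabled || echo -F > /.autorelabel` truncates the file with `>`. A first-time relabel is presumably where mounted-over files are most likely to be unlabelled, so either that line should become `selinuxenabled || echo -F >> /.autorelabel` or the `-M` line should move below it. This entry also ends in a newline while the `echo -n "$FORCEFLAG "` entry does not, so the options can land on separate lines; the code that reads /.autorelabel at boot is not in this diff and should be checked to pass `-M` through. The enclosing `case "$1"` arm begins outside the hunk.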
@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify } or Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify } or -Usage: $0 [-F] [-B] onboot +Usage: $0 [-F] [-M] [-B] onboot """ } @@ -353,7 +371,7 @@ set_restore_mode() { } # See how we were called. -while getopts "N:BC:FfR:l:v" i; do +while getopts "N:BC:FfR:l:vM" i; do case "$i" in B) BOOTTIME=`/bin/who -b | awk '{print $3}'` @@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do echo "Redirecting output to $OPTARG" exec >>"$OPTARG" 2>&1 ;; + M) + BIND_MOUNT_FILESYSTEMS="-M" + ;; F) FORCEFLAG="-F" ;; diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 index 9f447f03..12342530 100644 --- a/policycoreutils/scripts/fixfiles.8 +++ b/policycoreutils/scripts/fixfiles.8 @@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts. .na .B fixfiles -.I [\-v] [\-F] [\-f] relabel +.I [\-v] [\-F] [-M] [\-f] relabel .B fixfiles .I [\-v] [\-F] { check | restore | verify } dir/file ... @@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts. .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify } .B fixfiles -.I [-F] [-B] onboot +.I [-F] [-M] [-B] onboot .ad @@ -68,6 +68,10 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and Only act on files created after the specified date. Date must be specified in "YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command. +.TP +.B \-M +Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over. + .TP .B -v Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)