From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001 From: bauen1 Date: Thu, 6 Aug 2020 16:48:36 +0200 Subject: [PATCH] fixfiles: correctly restore context of mountpoints By bind mounting every filesystem we want to relabel we can access all files without anything hidden due to active mounts. This comes at the cost of user experience, because setfiles only displays the percentage if no path is given or the path is / Signed-off-by: Jonathan Hettwer Acked-by: Stephen Smalley --- policycoreutils/scripts/fixfiles | 29 +++++++++++++++++++++++++---- policycoreutils/scripts/fixfiles.8 | 8 ++++++-- 2 files changed, 31 insertions(+), 6 deletions(-) diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles index 5d777034..30dadb4f 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -112,6 +112,7 @@ FORCEFLAG="" RPMFILES="" PREFC="" RESTORE_MODE="" +BIND_MOUNT_FILESYSTEMS="" SETFILES=/sbin/setfiles RESTORECON=/sbin/restorecon FILESYSTEMSRW=`get_rw_labeled_mounts` @@ -243,7 +244,23 @@ case "$RESTORE_MODE" in if [ -n "${FILESYSTEMSRW}" ]; then LogReadOnly echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" - ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW} + + if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then + ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW} + else + # we bind mount so we can fix the labels of files that have already been + # mounted over + for m in `echo $FILESYSTEMSRW`; do + TMP_MOUNT="$(mktemp -d)" + test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1 + + mkdir -p "${TMP_MOUNT}${m}" || exit 1 + mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1 + ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}" + umount "${TMP_MOUNT}${m}" || exit 1 + rm -rf "${TMP_MOUNT}" || echo "Error cleaning up." + done; + fi else echo >&2 "fixfiles: No suitable file systems found" fi @@ -313,6 +330,7 @@ case "$1" in > /.autorelabel || exit $? [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel + [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel # Force full relabel if SELinux is not enabled selinuxenabled || echo -F > /.autorelabel echo "System will relabel on next boot" @@ -324,7 +342,7 @@ esac } usage() { echo $""" -Usage: $0 [-v] [-F] [-f] relabel +Usage: $0 [-v] [-F] [-M] [-f] relabel or Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify } or @@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify } or Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify } or -Usage: $0 [-F] [-B] onboot +Usage: $0 [-F] [-M] [-B] onboot """ } @@ -353,7 +371,7 @@ set_restore_mode() { } # See how we were called. -while getopts "N:BC:FfR:l:v" i; do +while getopts "N:BC:FfR:l:vM" i; do case "$i" in B) BOOTTIME=`/bin/who -b | awk '{print $3}'` @@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do echo "Redirecting output to $OPTARG" exec >>"$OPTARG" 2>&1 ;; + M) + BIND_MOUNT_FILESYSTEMS="-M" + ;; F) FORCEFLAG="-F" ;; diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 index 9f447f03..12342530 100644 --- a/policycoreutils/scripts/fixfiles.8 +++ b/policycoreutils/scripts/fixfiles.8 @@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts. .na .B fixfiles -.I [\-v] [\-F] [\-f] relabel +.I [\-v] [\-F] [-M] [\-f] relabel .B fixfiles .I [\-v] [\-F] { check | restore | verify } dir/file ... @@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts. .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify } .B fixfiles -.I [-F] [-B] onboot +.I [-F] [-M] [-B] onboot .ad @@ -68,6 +68,10 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and Only act on files created after the specified date. Date must be specified in "YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command. +.TP +.B \-M +Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over. + .TP .B -v Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)