Move call to logit() outside a function which has its output redirected.
See next commit for explanation.
The logit calls are moved into a new function LogExcluded(), similar to
LogReadOnly(). I don't see a pretty way to resolve this, so I just went
for the most explicit approach I could think of.
Behaviour change: diff_filecontext will now log *all* excluded paths.
I think that approach is an improvement, because e.g. the fact that `-C`
mode excludes `/home` was not previously documented anywhere.
The LogReadOnly() call which warns the user about R/O filesystems, applies
to the `-B` mode (newer() function), and the `fixfiles check` mode
(no paths).
Make sure to print it for these modes, and these modes only.
The usage of exclude_dirs() is non-obvious.
It turns out it is only used by the `-C` mode of fixfiles. The other four
modes use the narrower list generated by exclude_dirs_from_relabelling().
Let's make this distinction more obvious.
(The purpose of the extra exclusions is not clear. E.g. there's an
exclusion for /dev. Whereas the `fixfiles check` mode explicitly tells you
that it's going to relabel /dev, without causing any problem. Maybe that
part is out of date? But without some explanation of the list, I don't
want to change anything!)
setfiles is now run with $exclude_dirs.
We shouldn't need to patch the file contexts as well.
This is fortunate, since the file context patching code was broken
(by the same commit which introduced the redundancy). It takes the
list of directories to exclude from $tempdirs, but $tempdirs is
never set.
Also messages about skipping directories were printed twice. Firstly when
exclude_dirs is generated, and secondly in the file context patching code.
Also TEMPFCFILE was only removed in one path out of several.
This reverts commit ac7899fc3a,
which is not yet part of an officially tagged release
(or release candidate).
`LOGFILE=/proc/self/fd/1` was wrong.
`LOGFILE=$(tty)` was being relied on in one case (exclude_dirs),
to log messages from a function run specifically with stdout redirected
(captured into a variable).
Having `logit "message"` break inside redirected functions
is a nasty leaky abstraction.
This caused e.g. `fixfiles restore` to terminate early with the error
    skipping: No such file or directory
if the user had configured any excluded paths in
/etc/selinux/fixfiles_exclude_dirs
Don't force output through a pipe - let them access the TTY.
When run interactively, this acts as a workaround for
"Output of fixfiles gets garbled?"
https://bugzilla.redhat.com/show_bug.cgi?id=1435894
E.g. it would also be useful if restorecon ever decides it doesn't want to
output backspace characters on non-TTY outputs.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
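
The failure described in the messages above (a `logit` call inside a function whose stdout is captured, with `LOGFILE=/proc/self/fd/1`), reproduced as an added example that is not fixfiles' own code. Only the names `logit`, `exclude_dirs`, `LogExcluded` and `LOGFILE` come from the messages; the function bodies, the `EXCLUDED` list and the `/dev/stdout` fallback are constructed assumptions.

```shell
#!/bin/sh
# Constructed model of the bug; not the real fixfiles function bodies.
LOGFILE=/proc/self/fd/1                    # the setting the message calls wrong
[ -e "$LOGFILE" ] || LOGFILE=/dev/stdout   # assumption: fallback where /proc is absent

# Constructed stand-in for the contents of /etc/selinux/fixfiles_exclude_dirs
EXCLUDED="/mnt/backup /srv/cache"

logit() { echo "$1" >> "$LOGFILE"; }

# Broken shape: logs from inside a function whose stdout is captured.
# Inside $(...), fd 1 is the capture pipe, so the log text lands in the
# argument list that is later handed to restorecon/setfiles.
exclude_dirs_broken() {
    for d in $EXCLUDED; do
        logit "skipping: $d"
        printf '%s %s ' -e "$d"
    done
}

# Fixed shape: the captured function emits arguments only ...
exclude_dirs_fixed() {
    for d in $EXCLUDED; do
        printf '%s %s ' -e "$d"
    done
}

# ... and logging lives in a separate function that is never captured.
LogExcluded() {
    for d in $EXCLUDED; do
        logit "skipping: $d"
    done
}

broken=$(exclude_dirs_broken)
fixed=$(exclude_dirs_fixed)
printf 'broken args: %s\n' "$broken"   # starts with "skipping:", which is then treated as a path
printf 'fixed args:  %s\n' "$fixed"
LogExcluded                            # log lines go to the real stdout
```
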
I accidentally ran `fixfiles "a b"` during testing. Let's fix this too.
Before:
    /sbin/fixfiles: line 394: [: a: binary operator expected
    Usage: ...
After:
    Usage: ...
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
E.g. `fixfiles restore -v /usr` - before:
    Warning: Skipping the following R/O filesystems:
    /sys/fs/cgroup
    Progress and Verbose mutually exclusive
    usage: /sbin/restorecon [-iFnprRv0] [-e excludedir] pathname...
    usage: /sbin/restorecon [-iFnprRv0] [-e excludedir] -f filename
    Warning: Skipping the following R/O filesystems:
    /sys/fs/cgroup
    229k
after:
    Warning: Skipping the following R/O filesystems:
    /sys/fs/cgroup
    /sbin/restorecon: lstat(-v) failed: No such file or directory
    Warning: Skipping the following R/O filesystems:
    /sys/fs/cgroup
    229k
This matches the usage shown in the manual page. While we're in there,
we should handle spaces as well, e.g. `fixfiles restore "a b"`. Before:
    Warning: Skipping the following R/O filesystems:
    /sys/fs/cgroup
    /sbin/restorecon: lstat(b) failed: No such file or directory
After:
    Warning: Skipping the following R/O filesystems:
    /sys/fs/cgroup
    /sbin/restorecon: lstat(a b) failed: No such file or directory
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
fixfiles was redirecting log output to `tty`. This overrides user intent
e.g. when shell redirection is used.
Redirect it to stdout, using /proc. `tty` equally depended on /proc.
We do not depend on /dev/stdout: it might not be present, if a rescue
system is booted with devtmpfs (no udev daemon).
By default, log messages were redirected into the void when not run from a
tty. We consider this a bug, which is now fixed.
1. If calling scripts happen to require the old behaviour, they can easily
write the same code themselves.
2. When fixfiles is run from Fedora's selinux-autorelabel.service,
the calling script is specifically run from a tty.
Also Fedora's calling script chooses to redirect stdout and stderr to
/dev/null. This redirection will now succeed, improving the transparency
of the code. The previous behaviour may be obtained by choosing not
to redirect the progress messages of this long-running process to
/dev/null. A patch has been submitted to Fedora to suggest this novel
approach: https://bugzilla.redhat.com/show_bug.cgi?id=1415674
Complete disclosure:
* Remove unused variable LOGGER.
* Fix logfiles containing spaces.
Disclaimer:
1. "Log" output may contain escape sequences (backspace?) e.g. in
`fixfiles -l log.txt restore`. This is not the usual understanding
of a log file.
2. For some reason, not all informative messages are sent to `-l` e.g.
the list of filesystems, and "cleaning up labels on /tmp".
3. `function logit` is retained, but the logfile is also written to
outside this function. Implementing support for the system log
would require another function which accepts piped input.
Also see point 1.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Fix missing and surplus commas. Fix the following formatting errors:
    .BR selinux(8)
renders the "(8)" in bold as well as the "selinux". This is wrong.
    .B selinux
    (8)
renders with a space between "selinux" and "(8)", this is wrong.
    .B selinux (8)
commits both of the above mistakes.
    .BR selinux (8), apparmor (8)
omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
Correct all the above using the following markup:
    .BR selinux (8),
    .BR apparmor (8)
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
-n was not being passed down to restorecon properly in the code path
for -C and -N
Patch-by: Dan Callaghan <dcallagh@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The commit 7574a50f tried to improve compatibility with Python 3. It changed
the code to use subprocess.getstatusoutput() instead of
commands.getstatusoutput(). Unfortunately subprocess.getstatusoutput() is not
available in Python 2. This patch changes how getstatusoutput() is imported so
the code works on Python 2 and Python 3.
Fixes:
    $ chcat -d something
    Traceback (most recent call last):
      File "/usr/bin/chcat", line 432, in <module>
        sys.exit(chcat_replace(["s0"], cmds, login_ind))
      File "/usr/bin/chcat", line 271, in chcat_replace
        rc = subprocess.getstatusoutput(cmd)
    AttributeError: 'module' object has no attribute 'getstatusoutput'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Install gettext the same way everywhere and have fallbacks to use
str/unicode depending on python version.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Some terminal emulators (like the latest version of gnome-terminal) are
not setting entries in the utmp file, this leads getlogin() to return an
empty string.
Fallback to the name of the user running the chcat process.
When trying to get policycoreutils working in python3, I kept running
into TabErrors:
    Traceback (most recent call last):
      File "/usr/lib/python-exec/python3.3/semanage", line 27, in <module>
        import seobject
      File "/usr/lib64/python3.3/site-packages/seobject.py", line 154
        context = "%s%s" % (filler, raw)
        ^
    TabError: inconsistent use of tabs and spaces in indentation
Python3 is a lot stricter than python2 regarding whitespace and looks like
previous commits mixed the two. When fixing this, I took the chance to fix
other PEP8 style issues at the same time.
This commit was made using:
$ file $(find . -type f) | grep -i python | sed 's/:.*$//' > pyfiles
$ autopep8 --in-place --ignore=E501,E265 $(cat pyfiles)
The ignore E501 is long lines since there are many that would be wrapped
otherwise, and E265 is block comments that start with ## instead of just #.
Signed-off-by: Jason Zaman <jason@perfinion.com>
- __builtin__ module has been renamed to "builtins" in Python 3
- use reserved word `as` in try-except
- replace print statement with print function
- migrate from commands to subprocess
- fix formatting
Signed-off-by: Michal Srb <msrb@redhat.com>
Fix check for seclabel flag.
Restorecon commands should always use FORCEFLAG command if passed in.
Found a bug in handling of regex difference
All restorecon commands should use the exclude file path call.
Only cleanup /tmp on a Full Relabel, not a Check.
Set BOOTIME flag in /.autorelabel file, so that we can only relabel
files created since this time. Should speed up relabel.
Turn verbose on for full relabel
Add check to see if / has a label, if not then force a full relabel.
Add ability to record OPTIONS into the /.autorelabel file.
    fixfiles -F onboot
writes out /.autorelabel with -F
    fixfiles -B onboot
writes out /.autorelabel with -N BOOTDATE recorded.
The goal is to allow a boot up sequence that sees /.autorelabel to hand any
options stored in it to fixfiles restore
    OPTIONS=`cat /.autorelabel`
    fixfiles $OPTIONS restore
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The semodule_path file, inside scripts, which is used to tell the
Makefile where genhomedircon should point to find semodule, was not
being updated. This patch makes sure we update this file every time
something builds, thus genhomedircon doesn't point to some wild out of
date file location.
Signed-off-by: Eric Paris <eparis@redhat.com>
This patch started with work from John Reiser's patch to estimate the
percent progress for restorecon/setfiles.
It has a lot of changes since then, to make it only happen on full
relabel, overwrite itself, shows 10ths of %, and does a lot better and
more useful job of estimation. We get all of the inodes on all mounted
FS. Since the number of inodes is not fixed and only an estimate I added
5% to the inode number, and forced the number to never go over 100.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
It dynamically creates the policycoreutils "genhomedircon"
script during the build process in order not to hard-code
the full path to the semodule executable, as in general the
latter could reside in non-standard SBINDIR/USRSBINDIR
locations.
It might not be very stylish or it might appear cumbersome,
but at least the script should not break as easily as the
current static one.
The patch also edits the Makefile for the scripts so that
LOCALEDIR correctly uses $(PREFIX) rather than an absolute
path.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Fixfiles restore is called by auditrelabel, and was happening early in
the boot process, before the syslog system was up and running. A bug
in systemd was causing relabels to take forever, while it waited for
the syslog's to complete. This was fixed, but I still see no reason
to write thousands/millions of lines to syslog on a badly mislabeled
machine and wanted this feature turned off.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
- improves the manual page for both setfiles and restorecon (formatting
including alphabetical re-ordering of options, undocumented options,
references and a few cosmetic changes);
- de-hardcodes a couple of constants in the source files and makes a
dynamic use of them to create the manual pages after the compilation
and prior to the installation: more specifically the constants are the
number of errors for the setfiles' validation process abort condition
and the sensitivity of the progress meter for both programs (uses
external programs grep and awk);
- improves the usage message for both programs and introduces a -h
(aliased with currently existing -?) option where not already
available;
- print out the usage message for restorecon when it is called without
arguments;
- white-space/tab conversion to get proper indentation towards the end
of the main source file.
[eparis add .gitignore]
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
The following patch aims to improve the manual page (section 8) for the
"genhomedircon" script (policycoreutils).
- remove probably redundant GNU licence notice;
- try to further clarify the functionality made available by the
"genhomedircon" script as well as all the configurable options that
control its execution and affect its behavior;
- extend the references section (SEE ALSO).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Only run setfiles if we have a R/W filesystem
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Move everything into /usr/* and just put links from /*. The whole /usr
thing hasn't really worked in all situations for a long long time. Just
accept that fact and move along.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch removes /root from the excluded dirs.
This also adds /var/lib/BackupPC to list of directories to ignore
labeling. Mainly because this directory tends to be Huge and causes a
huge spike in the amount of time it takes to relabel. Especially if
there is a relabel caused by a policy update.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is purely personal preference. Most of the Makefiles use $() for
Makefile variables, but a couple of places use ${}. Since this obscured
some later Makefile changes I figured I'd just make them all the same up
front.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We had a number of places where fixfiles would search for or set hard
coded types. If policy used something other than tmp_t var_t file_t or
unlabeled_t we would go wrong. This patch does 2 things. It uses the
kernel provided selinuxfs interfaces to determine the label on unlabeled
and unknown files and it uses the --reference option with chcon to set
new labels.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The type of a filesystem (ext*, btrfs, etc) really doesn't matter when
it comes to the ability to set labels. Stop trying to be smart and just
call restorecon. It will either work or it won't and our heuristic
isn't helping.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The kernel now outputs a mount option called 'seclabel' which indicates
if the filesystem supports security labeling. Use that instead of
having to update some hard coded list of acceptable filesystems (that
may or may not be acceptable depending on if they were compiled with
security xattrs)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We do this so we can eliminate foolish avcs about restorecon trying to
write to a random directory. We allow apps to communicate with fds
globally. So this allows the access no AVC's I am happy
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Introduce a new file /etc/selinux/fixfiles_exclude_dirs which contains a
list of directories which should not be relabeled.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
In the old fixfiles we had to make sure we only attempted to relabel
files that were on file systems that supported extended attributes.
With the new restorecon, we no longer need this.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
clean up /var/run and /var/lib/debug just like we do for /tmp and
/var/tmp since they can easily get unlabeled files.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We cannot reasonably relabel pipes and sockets in /tmp to tmp_t so just
delete them instead of trying to put an unusable label.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
fixfiles uses a find command then pipes that to rm -f. Just use
the find delete predicate instead of causing all of those extra calls to
rm.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix the page to point to the seusers file, not the seuser file.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
SELinux python applications should not allow the user to change the
sys.path
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>