On Thu, 01 Jul 2004 08:14:09 EDT, Daniel J Walsh <dwalsh@xxxxxxxxxx> said: > Todays policycoreutils has a new cron job, fixfiles.cron, that will run > in /etc/cron.daily. This script will run a check on the file system on Currently, fixfiles does some interesting grepping through the mounts to only work on R/W mounts. This has 2 problems when run on a system that has many filesystems mounted with some combo of ro/nosuid/nodev/noexec: 1) It's possible for the sysadmin to not realize that fixfiles isn't relabelling a filesystem because it's R/O (note that this problem is shared by the 'make relabel' target in /etc/selinux/*/src/policy/Makefile). 2) If we're only checking, we should do R/O filesystems as well - the fact that they're R/O when the cronjob runs doesn't mean that they weren't R/W and picked up some bad labels at some previous time. Lightly tested patch:
--- /sbin/fixfiles.dist 2004-06-30 13:40:47.000000000 -0400
+++ /sbin/fixfiles 2004-07-05 04:53:24.000000000 -0400
@@ -30,9 +30,12 @@ rpmFlag=0
 rpmFiles=""
 outfileFlag=0
 OUTFILES=""
+logfileFlag=0
 LOGFILE=`mktemp /var/tmp/fixfiles.XXXXXXXXXX` || exit 1
 SETFILES=/usr/sbin/setfiles
-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*rw/{print $3}';`
+FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
+FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
+FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
 SELINUXTYPE="targeted"
 if [ -e /etc/selinux/config ]; then
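Review bot: `FILESYSTEMSRW` and `FILESYSTEMSRO` are filled by two separate `mount` invocations with copy-pasted filter pipelines, so a filesystem remounted between the two calls can land in both lists or in neither, and any later change to the filter has to be made twice. Capturing the mount table once, e.g. `MOUNTS=$(mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)')`, and running both awk classifiers over `"$MOUNTS"` avoids that. The mount point is still taken as awk field 3 and later expanded unquoted, so a mount point containing whitespace would be split into paths that are not the intended relabel target; that predates this patch but now applies to both lists. `logfileFlag=0` is added here but is not used in any hunk visible in this patch, so a one-line comment saying what it is reserved for would help.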
@@ -60,7 +63,11 @@ if [ ! -z "$1" ]; then
 rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
 done
 else
- ${SETFILES} ${OUTFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
+ if [ "x$FILESYSTEMSRO" != "x" ]; then
+ echo "Warning: Skipping the following R/O filesystems:"
+ echo "$FILESYSTEMSRO"
+ fi
+ ${SETFILES} ${OUTFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMSRW} 2>&1 | tee $LOGFILE
 fi
 }
@@ -73,7 +80,11 @@ if [ ! -z "$1" ]; then
 rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
 done
 else
- ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
+ if [ "x$FILESYSTEMSRO" != "x" ]; then
+ echo "Warning: Skipping the following R/O filesystems:"
+ echo "$FILESYSTEMSRO"
+ fi
+ ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMSRW} 2>&1 | tee $LOGFILE
 fi
 }
 relabelCheck() {
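Review bot: The skipped-filesystem warning in the hunk at -60,7 is written with plain `echo` outside the `tee $LOGFILE` pipeline, so the log an administrator reviews after a cron or redirected run has no record of which filesystems kept their old labels; the identical block in the hunk at -73,7 has the same gap. Grouping the warning with the command, `{ echo "Warning: ..."; echo "$FILESYSTEMSRO"; ${SETFILES} ... ${FILESYSTEMSRW}; } 2>&1 | tee $LOGFILE`, would put it in the log. When every matching filesystem is read-only, `FILESYSTEMSRW` is empty and `${SETFILES}` is invoked with no path argument at all, so a guard such as `[ -n "$FILESYSTEMSRW" ] || return 1` after the warning is worth adding. The `rpm -q -l` branch gets no warning in either hunk, and the duplicated block could live in one small helper function. Both enclosing functions start outside their hunks.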