Valdis.Kletnieks@xxxxxx wrote:
On Thu, 01 Jul 2004 08:14:09 EDT, Daniel J Walsh <dwalsh@xxxxxxxxxx> said:
Today's policycoreutils has a new cron job, fixfiles.cron, that will run
in /etc/cron.daily. This script will run a check on the file system on
Currently, fixfiles does some interesting grepping through the mounts
to only work on R/W mounts. This has 2 problems when run on a system
that has many filesystems mounted with some combo of ro/nosuid/nodev/noexec:
1) It's possible for the sysadmin to not realize that fixfiles isn't
relabelling a filesystem because it's R/O (note that this problem is
shared by the 'make relabel' target in /etc/selinux/*/src/policy/Makefile).
2) If we're only checking, we should do R/O filesystems as well - the fact
that they're R/O when the cronjob runs doesn't mean that they weren't R/W
and picked up some bad labels at some previous time.
Lightly tested patch:
--- /sbin/fixfiles.dist 2004-06-30 13:40:47.000000000 -0400
+++ /sbin/fixfiles 2004-07-05 04:53:24.000000000 -0400
@@ -30,9 +30,12 @@ rpmFlag=0
rpmFiles=""
outfileFlag=0
OUTFILES=""
+logfileFlag=0
LOGFILE=`mktemp /var/tmp/fixfiles.XXXXXXXXXX` || exit 1
SETFILES=/usr/sbin/setfiles
-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*rw/{print $3}';`
+FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
+FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
+FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
SELINUXTYPE="targeted"
if [ -e /etc/selinux/config ]; then
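Review bot: logfileFlag=0 is added at the top of this hunk, but nothing in the visible hunks reads it, so either drop it or include the hunk that uses it. The two new assignments, FILESYSTEMSRW and FILESYSTEMSRO, also repeat the whole mount | grep | egrep | awk pipeline and differ only in the final \(rw versus \(ro match. Capturing the filtered mount output once and deriving both lists from it would keep the two filters from drifting apart and would make sure both lists come from the same snapshot of the mount table. Anchoring on the opening parenthesis is a good tightening over the old .*rw, which could match "rw" anywhere on the line. It does assume rw/ro is always the first option printed inside the parentheses, which deserves a comment.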
@@ -60,7 +63,11 @@ if [ ! -z "$1" ]; then
rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
done
else
- ${SETFILES} ${OUTFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
+ if [ "x$FILESYSTEMSRO" != "x" ]; then
+ echo "Warning: Skipping the following R/O filesystems:"
+ echo "$FILESYSTEMSRO"
+ fi
+ ${SETFILES} ${OUTFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMSRW} 2>&1 | tee $LOGFILE
fi
}
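Review bot: The "Warning: Skipping the following R/O filesystems:" block is echoed to plain stdout before the setfiles pipeline, so it never passes through tee $LOGFILE and the log has no record of which filesystems were left unlabelled. Since the stated aim is that the sysadmin notices skipped filesystems, write the warning into the log as well (for example by piping the echo lines through tee -a $LOGFILE, or by grouping them with the setfiles command ahead of the tee). Separately, the replacement line keeps ${OUTFILES} ${OUTFILES} twice, carried over from the removed line, while the next hunk passes it once. Please confirm whether the second occurrence was meant to be a different variable.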
@@ -73,7 +80,11 @@ if [ ! -z "$1" ]; then
rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
done
else
- ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
+ if [ "x$FILESYSTEMSRO" != "x" ]; then
+ echo "Warning: Skipping the following R/O filesystems:"
+ echo "$FILESYSTEMSRO"
+ fi
+ ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMSRW} 2>&1 | tee $LOGFILE
fi
}
relabelCheck() {
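Review bot: The if [ "x$FILESYSTEMSRO" != "x" ] warning block here is a verbatim copy of the one in the previous hunk. Move it into a small helper function called from both places so the message and the log handling stay in one spot. Also, the description says a check-only run should cover R/O filesystems too, yet both of the visible call sites now pass only ${FILESYSTEMSRW}, and the combined ${FILESYSTEMS} is not used in any line shown. If either of these functions is the check path, it should pass ${FILESYSTEMS} and skip the warning. Otherwise, please point to where the check path picks up the R/O list.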
Added to fixfiles.