2011/4/7 Elia Pinto <andronicus.spiros@xxxxxxxxx>
From: Elia Pinto <yersinia.spiros@xxxxxxxxx>
This patch permits fixfiles to check /.autorelabel_excluded
for a list of directories to exclude from relabelling.
Inspired by this blog http://danwalsh.livejournal.com/38157.html.
Signed-off-by: Elia Pinto <yersinia.spiros@xxxxxxxxx>
---
policycoreutils/scripts/fixfiles | 45 ++++++++++++++++++++++++++++++++---
policycoreutils/scripts/fixfiles.8 | 2 +
2 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index ae519fc..2a39d74 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -28,6 +28,7 @@ FORCEFLAG=""
DIRS=""
RPMILES=""
LOGFILE=`tty`
+FINDEXCLUDEDPATH=""
if [ $? != 0 ]; then
LOGFILE="/dev/null"
fi
@@ -46,6 +47,24 @@ else
FC=/etc/security/selinux/file_contexts
fi
+# Add an excluded path for the following
+# find in the function restore, relabel
+
+if [ -e /.autorelabel_excluded ]
+then
+ while read _p
+ do
+ # skip blank line and comment
+ # skip not absolute path
+ # skip not directory
+ [ -z "${_p}" ] && continue
+ [[ "${_p}" =~ "^[[:blank:]]*#" ]] && continue
+ [[ ! "${_p}" =~ "^/.*" ]] && continue
+ [[ ! -d "${_p}" ]] && continue
+ FINDEXCLUDEDPATH="${FINDEXCLUDEDPATH} -o -path \"${_p}\""
+ done < /.autorelabel_excluded
+fi
+
#
# Log to either syslog or a LOGFILE
#
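Review bot: Both `=~` tests quote their right-hand side, which bash 3.2 and later treats as a literal string rather than a regex, so no comment line is ever skipped and every line fails the `^/.*` test and is dropped — the exclusion list stays empty. Drop the quotes, `[[ "${_p}" =~ ^[[:blank:]]*# ]] && continue` and `[[ "${_p}" != /* ]] && continue`, and read with `while IFS= read -r _p` so leading blanks and backslashes in directory names survive. Because each entry is later re-parsed by `sh -c` in diff_filecontext and written into a file_contexts spec, the loop should accept the file only when it is owned by root and not group- or world-writable; as written it trusts whatever is there. The man page hunk documents the file as `/.autorelabel_exclude` while this code reads `/.autorelabel_excluded`; the two names need to agree.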
@@ -88,7 +107,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
fi; \
done | \
while read pattern ; do sh -c "find $pattern \
- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o \
+ ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o \
\( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \
done 2> /dev/null | \
${RESTORECON} $* -0 -f -
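Review bot: `${FINDEXCLUDEDPATH}` is placed inside the negated `! \( -fstype ... \)` group, which inverts its meaning: for an excluded directory the group evaluates true, the negation false, the first `-prune` is not taken, and the path falls through to `-print0` and is relabelled anyway (the only side effect is that an excluded path on an unlisted filesystem is now descended into). The same placement is used in the direct `/usr/bin/find` call in the restore hunk. Move the exclusion into a non-negated prune clause: here append `${FINDEXCLUDEDPATH}` to the second `\( -wholename ... \) -prune` group instead, and in the restore hunk insert `\( -false ${FINDEXCLUDEDPATH} \) -prune -o` immediately before `-print0`.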
@@ -115,6 +134,7 @@ rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
# if called with -n will only check file context
#
restore () {
+set -x
if [ ! -z "$PREFC" ]; then
diff_filecontext $*
exit $?
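Review bot: `set -x` at the top of restore() looks like a debugging leftover; it enables command tracing for the rest of the run and writes every expanded find and setfiles command line to stderr of a script that is normally run non-interactively. Remove the line, or gate it behind an explicit debug option. restore() continues past the end of this hunk.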
@@ -127,8 +147,9 @@ if [ ! -z "$RPMFILES" ]; then
fi
if [ ! -z "$FILEPATH" ]; then
if [ -x /usr/bin/find ]; then
+ loggit "skipping the directory ${FINDEXCLUDEDPATH//-o -path/} from relabelling"
/usr/bin/find "$FILEPATH" \
- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o -print0 | \
+ ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o -print0 | \
${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
else
${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
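Review bot: The added log line calls `loggit`, while the later hunk in this patch uses `logit`; unless a `loggit` helper exists elsewhere in the file this line fails with a command-not-found error, and it is emitted even when the list is empty, printing the raw `-path "x"` fragments rather than the directory names. Beyond the typo, this `/usr/bin/find` call expands `${FINDEXCLUDEDPATH}` directly rather than through `sh -c`, so the literal `\"` characters added when the variable was built become part of each `-path` argument and never match a real directory — the quoting only works for the diff_filecontext hunk. Building the list without embedded quote characters (or as an array, e.g. `FINDEXCLUDED+=(-o -path "$_p")` expanded as `"${FINDEXCLUDED[@]}"`) would serve this call site, though the `sh -c` site would then need its own quoting. The enclosing restore() function begins and ends outside this hunk.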
@@ -137,8 +158,24 @@ if [ ! -z "$FILEPATH" ]; then
fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
LogReadOnly
-${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
+#
+#
+# "<<none>>" '/md/distro?(/.*)?'
+TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
+test -z "$TEMPFILE" && exit
+cp -p ${FC} ${TEMPFILE}
+FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//-o -path/}
+FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//\"/}
+for _p in $FINDEXCLUDEDPATH
+do
+ _p="${_p%/}"
+ _p1="${_p}(/.*)? -- <<none>>"
+ echo "${_p1}" >> $TEMPFILE
+ logit "skipping the directory ${_p} from relabelling"
+done
+
+${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${TEMPFILE} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFILE
find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
exit $?
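Review bot: The generated file_contexts entry `${_p}(/.*)? -- <<none>>` includes the `--` file-type field, which restricts the spec to regular files, so directories, symlinks and device nodes below an excluded path are still relabelled by setfiles; the example in the preceding comment correctly omits the type field, and the line should read `_p1="${_p}(/.*)? <<none>>"`. The directory name is inserted into the regex unescaped, so a name containing `.`, `+` or parentheses matches more than intended; escaping regex metacharacters before building the spec would tighten it. `test -z "$TEMPFILE" && exit` exits with status 0 when mktemp fails, so the caller cannot tell that nothing was relabelled; log the failure and `exit 1`. Since the temporary copy lives next to the real file_contexts and is only removed by the final `rm`, a `trap 'rm -f -- "$TEMPFILE"' EXIT` set right after mktemp would avoid leaving a stale copy behind if setfiles is interrupted. Finally, `for _p in $FINDEXCLUDEDPATH` word-splits the list, so a directory name containing whitespace is broken into separate, incorrect entries.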
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index dfe8aa9..865aab4 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all
as you expect. By default it will relabel all mounted ext2, ext3, xfs and
jfs file systems as long as they do not have a security context mount
option. You can use the -R flag to use rpmpackages as an alternative.
+The file /.autorelabel_exclude can contain a list of directory path
+that fixfiles don't relabel.
.P
.B fixfiles onboot
will setup the machine to relabel on the next reboot.
--
1.7.2.1.44.g721e7