I include two simple patches (-p1, where fixfiles and fixfiles.8 live) for adding a conf file that contains the directories to skip for relabel. I have followed your advice for the conf path.

On Thu, Apr 7, 2011 at 5:53 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/07/2011 11:47 AM, Elia Pinto wrote:
> From: Elia Pinto <yersinia.spiros@xxxxxxxxx>
>
> This patch permits fixfiles to check /.autorelabel_excluded
> for a list of directories to exclude from relabelling.
>
> Inspired by this blog http://danwalsh.livejournal.com/38157.html.
>
> Signed-off-by: Elia Pinto <yersinia.spiros@xxxxxxxxx>
> ---
> policycoreutils/scripts/fixfiles | 44 ++++++++++++++++++++++++++++++++---
> policycoreutils/scripts/fixfiles.8 | 2 +
> 2 files changed, 42 insertions(+), 4 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
> index ae519fc..ba4d4b1 100755
> --- a/policycoreutils/scripts/fixfiles
> +++ b/policycoreutils/scripts/fixfiles
> @@ -28,6 +28,7 @@ FORCEFLAG=""
> DIRS=""
> RPMILES=""
> LOGFILE=`tty`
> +FINDEXCLUDEDPATH=""
> if [ $? != 0 ]; then
> LOGFILE="/dev/null"
> fi
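Review bot: the new `FINDEXCLUDEDPATH=""` assignment lands between ``LOGFILE=`tty` `` and `if [ $? != 0 ]`, so `$?` now reports the (always successful) assignment instead of the exit status of `tty`, and LOGFILE is never switched to /dev/null when there is no controlling terminal. Move the assignment above the LOGFILE line or below the closing `fi`.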
> @@ -46,6 +47,24 @@ else
> FC=/etc/security/selinux/file_contexts
> fi
>
> +# Add an excluded path for the following
> +# find in the function restore, relabel
> +
> +if [ -e /.autorelabel_excluded ]
> +then
> + while read _p
> + do
> + # skip blank line and comment
> + # skip not absolute path
> + # skip not directory
> + [ -z "${_p}" ] && continue
> + [[ "${_p}" =~ "^[[:blank:]]*#" ]] && continue
> + [[ ! "${_p}" =~ "^/.*" ]] && continue
> + [[ ! -d "${_p}" ]] && continue
> + FINDEXCLUDEDPATH="${FINDEXCLUDEDPATH} -o -path \"${_p}\""
> + done < /.autorelabel_excluded
> +fi
> +
> #
> # Log to either syslog or a LOGFILE
> #
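Review bot: the quoted right-hand sides of the two `=~` tests (`"^[[:blank:]]*#"` and `"^/.*"`) are matched as literal strings, not regexes, in bash 3.2 and later (without compat31), so `[[ ! "${_p}" =~ "^/.*" ]] && continue` skips every ordinary line (a path such as /srv/data does not contain the literal text `^/.*`) and the exclusion list always stays empty; the comment filter likewise never fires, and a `# ...` line is only dropped because it fails `-d`. Leave the patterns unquoted: `[[ "${_p}" =~ ^[[:blank:]]*# ]] && continue` and `[[ "${_p}" =~ ^/ ]] || continue`. Accumulating the paths in one string with embedded `\"` also makes later use fragile: the value is word-split wherever it is expanded unquoted, a directory name containing a space breaks, and the quote characters only disappear where the string is re-parsed by `sh -c`. A bash array (`FINDEXCLUDEDPATH+=(-o -path "${_p}")`, expanded as `"${FINDEXCLUDEDPATH[@]}"`) keeps each path as one argument; note that `[[ =~ ]]`, arrays and `${var//...}` are bash extensions, so fixfiles must be run by bash rather than a POSIX sh. Two smaller points: use `read -r _p` and strip trailing whitespace before the `-d` test, and since fixfiles runs as root and this file switches off relabelling for whole trees, it would be prudent to ignore it unless it is owned by root and not group- or world-writable.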
> @@ -88,7 +107,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
> fi; \
> done | \
> while read pattern ; do sh -c "find $pattern \
> - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o \
> + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o \
> \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \
> done 2> /dev/null | \
> ${RESTORECON} $* -0 -f -
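Review bot: `${FINDEXCLUDEDPATH}\)` has no space before `\)`, so whenever the list is non-empty the closing parenthesis is glued onto the last path (`-path "/x")`) and find aborts on an unmatched `\(`; the line only works in the empty-list case, where it reduces to the original. With the space restored the exclusion is still in the wrong place: `! \( -fstype ext2 ... -o -path "/x" \)` is true only for paths that are on an unsupported filesystem and are not the excluded directory, so for /x on ext4 the group is true, the negation is false, the prune is skipped and /x is printed to restorecon. Give the exclusion its own `-prune` branch of the top-level `-o` chain, for example `\( -path "/x" -o -wholename /home -o -wholename /root ... \) -prune`, or wrap it as `\( ! \( -fstype ... \) -o -path "/x" \) -prune`. Because this call goes through `sh -c "find $pattern ..."`, the embedded quote characters are re-parsed here, which is why it behaves differently from the direct find invocation in the next hunk; with an array both call sites can be written the same way.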
> @@ -127,8 +146,9 @@ if [ ! -z "$RPMFILES" ]; then
> fi
> if [ ! -z "$FILEPATH" ]; then
> if [ -x /usr/bin/find ]; then
> + loggit "skipping the directory ${FINDEXCLUDEDPATH//-o -path/} from relabelling"
> /usr/bin/find "$FILEPATH" \
> - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o -print0 | \
> + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o -print0 | \
> ${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
> else
> ${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
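Review bot: here `${FINDEXCLUDEDPATH}` is expanded unquoted straight into find's argument list, so the literal `"` characters stored by the assignment survive into the arguments (`-path` followed by `"/x"` with the quotes as part of the name), no real path ever matches, and the missing space before `\)` leaves the `\(` group unclosed exactly as in the previous hunk. The same negation problem applies: an exclusion inside `! \( ... \)` does not prune /x, it un-prunes it. The logging line calls `loggit`, while the last hunk calls `logit`; one of the two is a typo, and the message still carries the quote characters because only `-o -path` is stripped from it. A small helper that builds the exclusion expression from the array once and is used by both find invocations would remove the duplication and the quoting mismatch.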
> @@ -137,8 +157,24 @@ if [ ! -z "$FILEPATH" ]; then
> fi
> [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
> LogReadOnly
> -${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
> -rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
> +#
> +#
> +# "<<none>>" '/md/distro?(/.*)?'
> +TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
> +test -z "$TEMPFILE" && exit
> +cp -p ${FC} ${TEMPFILE}
> +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//-o -path/}
> +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//\"/}
> +for _p in $FINDEXCLUDEDPATH
> +do
> + _p="${_p%/}"
> + _p1="${_p}(/.*)? -- <<none>>"
> + echo "${_p1}" >> $TEMPFILE
> + logit "skipping the directory ${_p} from relabelling"
> +done
> +
> +${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${TEMPFILE} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
> +rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFILE
> find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
> find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
> exit $?
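Review bot: the generated spec `${_p}(/.*)? -- <<none>>` carries the file-type field `--`, which in file_contexts limits the entry to regular files, so directories, symlinks, sockets and device nodes under the excluded tree still get relabelled; drop the `--`, as the example in the comment (`'/md/distro?(/.*)?'` with no type field) does. The path is also inserted into the regex unescaped, so a directory name containing `.`, `+`, `(` or `?` produces the wrong pattern. Rather than copying file_contexts and appending entries, consider setfiles' own `-e directory` option, which excludes a tree and can be repeated: `${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* -e /x -e /y ${FC} ${FILESYSTEMSRW}`. That avoids the temporary copy, the regex escaping, and the question of whether setfiles still finds the `.homedirs` and `.local` companion files when handed a file whose base name is no longer `file_contexts` (libselinux looks for them next to the path it is given, so this is worth verifying before merging). If the copy approach stays: `mktemp ${FC}.XXXXXXXXXX` writes into the policy's contexts/files directory, `test -z "$TEMPFILE" && exit` exits with status 0 and logs nothing on failure (use `logit ...; exit 1`), and the temp file leaks if anything between the `cp` and the final `rm -rf` aborts; a `trap 'rm -f "$TEMPFILE"' EXIT` right after mktemp covers that. Finally, `for _p in $FINDEXCLUDEDPATH` word-splits the string, so paths with spaces break here too.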
> diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
> index dfe8aa9..865aab4 100644
> --- a/policycoreutils/scripts/fixfiles.8
> +++ b/policycoreutils/scripts/fixfiles.8
> @@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all
> as you expect. By default it will relabel all mounted ext2, ext3, xfs and
> jfs file systems as long as they do not have a security context mount
> option. You can use the -R flag to use rpmpackages as an alternative.
> +The file /.autorelabel_exclude can contain a list of directory path
> +that fixfiles don't relabel.
> .P
> .B fixfiles onboot
> will setup the machine to relabel on the next reboot.
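Review bot: the man page names the file /.autorelabel_exclude while the script reads /.autorelabel_excluded (the `-e` test and the `done <` redirection in the second hunk); pick one spelling. The sentence also needs a grammar fix and should describe the format the parser accepts: one absolute directory path per line, blank lines and lines starting with `#` ignored, entries that are not existing directories silently skipped. Suggested text: `The file /.autorelabel_excluded can contain a list of directory paths, one per line, that fixfiles will not relabel. Blank lines and lines beginning with # are ignored.` It would also help to state that the list applies to both `fixfiles restore` and `fixfiles relabel`, which is where the script uses it.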
This file should not be in /, I think it would be better to put it in /etc/selinux.

I have attached the current Fedora fixfiles, which has some similar fixes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2d3hQACgkQrlYvE4MpobNgYACg4hHDc5kgHLVPdfjb2KmytGNY
rggAn0INl+1Mf5odXoUq5rJQR6FT/RzD
=KAVX
-----END PGP SIGNATURE-----
Developed with the version contained in policycoreutils-2.0.85-27.fc15.x86_64 (fc15 last update).
Best Regards
Attachment: fixfiles.patch
Attachment: fixfiles.8.patch