On 08/04/2011 03:33 PM, Stephen Smalley wrote: > On Thu, 2011-08-04 at 13:59 -0400, Eric Paris wrote: >> well I guess [selinuxfs]/initial_contexts/unlabeled works for the >> first part, but how to come up with the lib_t/var_t I don't >> know.... more initial sids :) > > chcon --reference=/lib ... chcon --reference=/var ... > > Or: chcon `matchpathcon /lib` ... > > How about this patch...
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 6de710a..9c1e6dd 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -21,6 +21,31 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
+# Get the default label returned from the kernel for a file with a lable the
+# kernel does not understand
+#
+get_undefined_type() {
+ if [ -e /sys/fs/selinux/initial_contexts/unlabeled ]; then
+ UNKNOWN_LABEL=`cat /sys/fs/selinux/initial_contexts/unlabeled`
+ else
+ UNKNOWN_LABEL=`cat /selinux/initial_contexts/unlabeled`
+ fi
+ secon -t $UNKNOWN_LABEL
+}
+
+#
+# Get the default label for a file without a label
+#
+get_unlabeled_type() {
+ if [ -e /sys/fs/selinux/initial_contexts/unlabeled ]; then
+ NOLABEL=`cat /sys/fs/selinux/initial_contexts/file`
+ else
+ NOLABEL=`cat /selinux/initial_contexts/file`
+ fi
+ secon -t $NOLABEL
+}
+
+#
 # Get all mount points that support seclabel
 #
 get_all_labeled_mounts() {
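Review bot: In get_unlabeled_type the existence test and the read disagree: the `if` probes `/sys/fs/selinux/initial_contexts/unlabeled` but the branch reads `.../initial_contexts/file`, and when neither selinuxfs path exists both helpers fall through to a failing `cat`, end up with an empty variable and still run `secon -t`, printing nothing with a status nobody checks. An empty type is exactly what turns the `-context "*:${undefined}*"` patterns in the second hunk into match-everything globs, so the helpers should fail rather than print nothing. The two functions are the same code with a different initial SID name, so a shared helper that takes the SID name, tests the path it actually reads and returns non-zero otherwise removes the copy-paste mismatch; the `lable` typo in the header comment can go at the same time.
```shell
#
# Print the type of the context the kernel assigns to initial SID $1
# ("unlabeled" or "file"); fails if selinuxfs is not mounted.
#
get_initial_type() {
	if [ -e /sys/fs/selinux/initial_contexts/$1 ]; then
		ctx=`cat /sys/fs/selinux/initial_contexts/$1`
	elif [ -e /selinux/initial_contexts/$1 ]; then
		ctx=`cat /selinux/initial_contexts/$1`
	else
		return 1
	fi
	secon -t "$ctx"
}
get_undefined_type() { get_initial_type unlabeled; }
get_unlabeled_type() { get_initial_type file; }
```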
@@ -200,11 +225,13 @@ fi
 ${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
 rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
-find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
-find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
-find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
-find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \;
-[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \;
+undefined=`get_undefined_type`
+unlabeled=`get_unlabeled_type`
+find /tmp \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) \( -type s -o -type p \) -delete
+find /tmp \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /tmp {} \;
+find /var/tmp \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /var/tmp {} \;
+find /var/run \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /var/run {} \;
+[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${unlabeled}*" -o -context "*:${undefined}*" \) -exec chcon --reference /lib {} \;
 exit $?
 }
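Review bot: The values of `undefined` and `unlabeled` are used unchecked; if either helper prints nothing (selinuxfs not mounted, or `secon` failing) the pattern `"*:${undefined}*"` degenerates to `"*:*"`, which matches every context, so the `-delete` on /tmp and the `chcon --reference` lines would act on everything under /tmp, /var/tmp, /var/run and /var/lib/debug instead of only mislabeled files. The old hard-coded `file_t`/`unlabeled_t` patterns could not degrade that way, so this is a new failure mode introduced here. A guard between the two assignments and the first `find` keeps the blast radius to the intended files: `[ -n "$undefined" ] && [ -n "$unlabeled" ] || { echo "fixfiles: cannot determine initial SELinux types" >&2; exit 1; }`. Note also that `chcon --reference` copies the whole context (user, role and MLS range) where the old `chcon -t` changed only the type; likely fine for these directories, but worth a one-line comment. The enclosing function starts before this hunk.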