On 08/04/2011 05:10 PM, Eric Paris wrote: > On 08/04/2011 05:06 PM, Daniel J Walsh wrote: >> On 08/04/2011 05:00 PM, Eric Paris wrote: > >>> I also question the use of /sys/fs/selinux/ but I'm not sure we >>> have a good way to find that in a script..... Do we have one? >>> >> >> grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }' > > $ grep selinuxfs /proc/self/mountinfo | awk '{ print $5 }' /selinux > /chroot/selinux > > -- This message was distributed to subscribers of the selinux mailing > list. If you no longer wish to subscribe, send mail to > majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without > quotes as the message. > > Second attempt.
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 6de710a..899dce2 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -21,6 +21,23 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
+# Get the default label returned from the kernel for a file with a lable the
+# kernel does not understand
+#
+get_undefined_type() {
+ SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'`
+ cat ${SELINUXMNT}/initial_contexts/unlabeled | secon -t
+}
+
+#
+# Get the default label for a file without a label
+#
+get_unlabeled_type() {
+ SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'`
+ cat $SELINUXMNT/initial_contexts/file | secon -t
+}
+
+#
 # Get all mount points that support seclabel
 #
 get_all_labeled_mounts() {
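Review bot: Neither new function fails visibly when selinuxfs is not found: if the grep matches nothing, SELINUXMNT is empty, `cat /initial_contexts/unlabeled` fails, but the function's exit status is that of `secon -t` at the end of the pipe, so the caller's `|| exit $?` may see success with an empty value. Add `[ -n "$SELINUXMNT" ] || return 1` after the assignment in both get_undefined_type and get_unlabeled_type, and consider checking the cat separately instead of piping its failure into secon. The lookup also matches the string "selinuxfs" anywhere in the mountinfo line rather than in the filesystem-type field, so a mount whose path contains that string (the `/chroot/selinux` case from the thread shows two hits already) can be picked up; `awk '$3 == "selinuxfs" { print $2; exit }' /proc/mounts` matches on the type field and drops the `head -1`. Since both functions duplicate that lookup, a single helper (say `get_selinuxmnt`) would keep the check in one place. Minor: "lable" in the first comment should read "label".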
@@ -200,11 +217,13 @@ fi
 ${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
 rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
-find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
-find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
-find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
-find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \;
-[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \;
+UNDEFINED=`get_undefined_type` || exit $?
+UNLABELED=`get_unlabeled_type` || exit $?
+find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete
+find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \;
+find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
+find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
+[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
 exit $?
 }
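Review bot: An empty UNDEFINED or UNLABELED turns the -context patterns into `"*:*"`, which matches every file under /tmp, /var/tmp, /var/run and /var/lib/debug, so the `-delete` of sockets and pipes and the `chcon --reference` relabels would then apply to everything there; the `|| exit $?` after each backtick only catches a non-zero status, and a pipeline that ends in `secon -t` can return success with nothing on stdout. Add an explicit check between the assignments and the first find, `[ -n "$UNDEFINED" ] && [ -n "$UNLABELED" ] || exit 1`, so the relabel step refuses to run on an empty type. The enclosing function starts outside the hunk; only its tail (`exit $?` and the closing brace) is visible here.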