-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5D560ACgkQrlYvE4MpobPUQgCgyubgnCejjW4mvIqV7JWR3uSA tWQAnjMCCmYpu6uir7b+xyX7yxMJJJZr =J6mR -----END PGP SIGNATURE-----
>From 86f78b3e23f4136a934d9a4c9a429c51fa59992e Mon Sep 17 00:00:00 2001 From: Eric Paris <eparis@xxxxxxxxxx> Date: Sun, 10 Jul 2011 14:14:14 +0200 Subject: [PATCH 20/96] policycoreutils: fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs Introduce a new file /etc/selinux/fixfiles_exclude_dirs which contains a list of directories which should not be relabeled. Signed-off-by: Eric Paris <eparis@xxxxxxxxxx> --- policycoreutils/scripts/fixfiles | 49 +++++++++++++++++++++++++++++++++++- policycoreutils/scripts/fixfiles.8 | 2 + 2 files changed, 50 insertions(+), 1 deletions(-) diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles index fa285ea..205c51f 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -20,6 +20,35 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +exclude_dirs_from_relabelling() { + exclude_from_relabelling= + if [ -e /etc/selinux/fixfiles_exclude_dirs ] + then + while read i + do + # skip blank line and comment + # skip not absolute path + # skip not directory + [ -z "${i}" ] && continue + [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue + [[ ! "${i}" =~ ^/.* ]] && continue + [[ ! -d "${i}" ]] && continue + exclude_from_relabelling="$exclude_from_relabelling -e $i" + logit "skipping the directory $i from relabelling" + done < /etc/selinux/fixfiles_exclude_dirs + fi + echo "$exclude_from_relabelling" +} + +exclude_dirs() { + exclude= + for i in /home /root /tmp /dev; do + [ -e $i ] && exclude="$exclude -e $i"; + done + exclude="$exclude `exclude_dirs_from_relabelling`" + echo "$exclude" +} + # # Set global Variables # 
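Review bot: The comment test in exclude_dirs_from_relabelling quotes its pattern, `[[ "${i}" =~ "^[[:blank:]]*#" ]]`, and bash 3.2 and later compare a quoted right-hand side as a literal string, so this line never matches a comment. Comment lines are still dropped, but only because the next test rejects anything that does not start with `/`; keeping the pattern in a variable makes the check do what its comment says: `re='^[[:blank:]]*#'` and `[[ "${i}" =~ $re ]] && continue`. The loop should also read with `while read -r i` so backslashes in an entry are kept as written. Since this file decides which directories keep their current labels, a short header comment stating the accepted format (one absolute directory per line, no whitespace in the path, because the result is returned as a space-separated `-e` list) would help whoever edits it.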
@@ -133,8 +162,26 @@ if [ ! -z "$FILEPATH" ]; then fi [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon LogReadOnly +# +exclude_dirs="`exclude_dirs_from_relabelling`" +if [ -n "${exclude_dirs}" ] +then + TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX` + test -z "$TEMPFCFILE" && exit + /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit + exclude_dirs=${exclude_dirs//-e/} + for p in ${exclude_dirs} + do + p="${p%/}" + p1="${p}(/.*)? -- <<none>>" + echo "${p1}" >> $TEMPFCFILE + logit "skipping the directory ${p} from relabelling" + done +FC=$TEMPFCFILE +fi ${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE -rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* +rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE + find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 index dfe8aa9..0b4cbaa 100644 --- a/policycoreutils/scripts/fixfiles.8 +++ b/policycoreutils/scripts/fixfiles.8 @@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all as you expect. By default it will relabel all mounted ext2, ext3, xfs and jfs file systems as long as they do not have a security context mount option. You can use the -R flag to use rpmpackages as an alternative. +The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories +excluded from relabelling. .P .B fixfiles onboot will setup the machine to relabel on the next reboot. -- 1.7.6
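Review bot: `exclude_dirs=${exclude_dirs//-e/}` removes every `-e` in the string, including one inside a directory name, so a constructed entry such as `/srv/app-exports` is written to the temporary file_contexts as `/srv/appxports` and the directory the administrator meant to protect is relabelled anyway. Strip only the flag with its surrounding spaces, `exclude_dirs=${exclude_dirs// -e / }`, or have the helper print one path per line and read that here. `test -z "$TEMPFCFILE" && exit` also exits with status 0 when mktemp fails, which a caller cannot tell from a successful run; `|| exit 1` on the mktemp assignment reports it. The path is appended unescaped in front of `(/.*)?`, so regex metacharacters in a directory name (a `.` for instance) are interpreted as pattern syntax by setfiles; escaping them, or a comment saying so, would avoid a broader match than intended. The surrounding block starts and ends outside the hunk.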