-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5D6FwACgkQrlYvE4MpobOgnQCgndQFsiOKHwNcSunmHKOSO69P hMoAn2/a1IzABdzZNmwV9/YE5I3lsxrt =0kYc -----END PGP SIGNATURE-----
>From ff6fb5fb3f8be648f3481446c6ca8ac38a78e146 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Wed, 10 Aug 2011 14:32:47 -0400
Subject: [PATCH 25/96] policycoreutils: fixfiles: do not hard code types

We had a number of places where fixfiles would search for or set hard coded types. If policy used something other than tmp_t var_t file_t or unlabeled_t we would go wrong. This patch does 2 things. It uses the kernel provided selinuxfs interfaces to determine the label on unlabeled and unknown files and it uses the --reference option with chcon to set new labels.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 policycoreutils/scripts/fixfiles | 31 +++++++++++++++++++++++++------
 1 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 6de710a..696c2f5 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -3,7 +3,7 @@
 #
 # Script to restore labels on a SELinux box
 #
-# Copyright (C) 2004-2009 Red Hat, Inc.
+# Copyright (C) 2004-2011 Red Hat, Inc.
 # Authors: Dan Walsh <dwalsh@xxxxxxxxxx>
 #
 # This program is free software; you can redistribute it and/or modify
@@ -44,6 +44,23 @@ for i in $FS; do
 done
 }
 
+#
+# Get the default label returned from the kernel for a file with a lable the
+# kernel does not understand
+#
+get_undefined_type() {
+ SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'`
+ cat ${SELINUXMNT}/initial_contexts/unlabeled | secon -t
+}
+
+#
+# Get the default label for a file without a label
+#
+get_unlabeled_type() {
+ SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'`
+ cat $SELINUXMNT/initial_contexts/file | secon -t
+}
+
 exclude_dirs_from_relabelling() {
 exclude_from_relabelling=
 if [ -e /etc/selinux/fixfiles_exclude_dirs ]
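Review bot: get_undefined_type and get_unlabeled_type return the status of `secon -t`, the last stage of their pipeline, so the `|| exit $?` their callers rely on never sees a failed `cat`; when selinuxfs is not mounted, `grep selinuxfs /proc/self/mountinfo` leaves SELINUXMNT empty, `cat /initial_contexts/...` fails, and the function presumably still returns zero with empty output. Add a guard after the assignment in both functions, `[ -n "$SELINUXMNT" ] || return 1`, so the caller's exit check actually fires. The mount-point lookup is duplicated verbatim in both functions, and `grep selinuxfs` also matches any mountinfo line that merely contains that word (a mount point path, for instance), so a single helper that selects on the filesystem-type field would address both. SELINUXMNT is also assigned as a global rather than a function-local value, and the header comment has `lable` for `label`.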
@@ -200,11 +217,13 @@ fi
 ${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
 rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
-find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
-find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
-find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
-find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \;
-[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \;
+UNDEFINED=`get_undefined_type` || exit $?
+UNLABELED=`get_unlabeled_type` || exit $?
+find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete
+find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \;
+find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
+find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
+[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
 exit $?
 }
-- 
1.7.6
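Review bot: The new `find` tests `-context "*:${UNLABELED}*"` and `-context "*:${UNDEFINED}*"` collapse to `*:*` when either variable is empty, and `*:*` matches every labeled file, so the first `find /tmp ... -delete` would then remove every socket and pipe under /tmp and the following `chcon --reference` lines would relabel everything under /tmp, /var/tmp, /var/run and /var/lib/debug. The `|| exit $?` after each assignment only catches a non-zero status from the helper, not an empty result, and the helpers end in a pipeline whose status comes from `secon`, not from the `cat` that would fail on an unmounted selinuxfs. Add `[ -n "$UNDEFINED" ] && [ -n "$UNLABELED" ] || exit 1` between the two assignments and the first `find`. The enclosing function begins outside the hunk.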
Attachment:
0025-policycoreutils-fixfiles-do-not-hard-code-types.patch.sig
Description: PGP signature