Re: [PATCH 032/155] policycoreutils: fixfiles use new kernel seclabel

On Thu, Aug 4, 2011 at 10:58 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Wed, 2011-08-03 at 16:58 -0400, Daniel J Walsh wrote:

>> This patch looks good to me. acked.
>
> When similar logic was added to setfiles, we included a kernel version
> check (>= 2.6.30) to ensure that we didn't end up excluding all
> filesystems on older kernels that do not report seclabel.

Patch replaced with the attached.

-Eric
From 3d39e0e30ad34500917e695a3a3f3e4f3614dc8f Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@xxxxxxxxxx>
Date: Sun, 10 Jul 2011 16:09:11 +0200
Subject: [PATCH] policycoreutils: fixfiles: use new kernel seclabel option

The kernel now outputs a mount option called 'seclabel' which indicates
if the filesystem supports security labeling.  Use that instead of
having to update some hard coded list of acceptable filesystems (that
may or may not be acceptable depending on if they were compiled with
security xattrs).

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
Acked-by: Dan Walsh <dwalsh@xxxxxxxxxx>
---
 policycoreutils/scripts/fixfiles |   39 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index ba59d87..adc95fe 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -20,6 +20,41 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 
+VER=`uname -r`
+MAJOR=`echo $VER | cut -d. -f1`
+MINOR=`echo $VER | cut -d. -f2`
+MICRO=`echo $VER | cut -d. -f3`
+#
+# Get all mount points that support labeling.  Use the 'seclabel' field if it
+# is available.  Else fall back to known fs types which likely support xattrs
+# and we know were not context mounted.
+#
+get_all_labeled_mounts() {
+FS="`cat /proc/self/mounts | sort | uniq | awk '{print $2}'`"
+for i in $FS; do
+	if [ $MAJOR -le 2 ] && [ $MINOR -le 6 ] && [ $MICRO -lt 30 ]
+	then
+		grep " $i " /proc/self/mounts | grep -v "context=" | egrep --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i
+	else
+		grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)seclabel(,|$)' && echo $i
+	fi
+done
+}
+
+get_rw_labeled_mounts() {
+FS=`get_all_labeled_mounts | sort | uniq`
+for i in $FS; do
+	grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)rw(,|$)' && echo $i
+done
+}
+
+get_ro_labeled_mounts() {
+FS=`get_all_labeled_mounts | sort | uniq`
+for i in $FS; do
+	grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)ro(,|$)' && echo $i
+done
+}
+
 exclude_dirs_from_relabelling() {
     exclude_from_relabelling=
     if [ -e /etc/selinux/fixfiles_exclude_dirs ]
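Review bot: the kernel version test in get_all_labeled_mounts does not implement "older than 2.6.30" correctly, and it can abort the script. `[ $MAJOR -le 2 ] && [ $MINOR -le 6 ] && [ $MICRO -lt 30 ]` only takes the fallback branch when all three fields are small, so e.g. a 2.4.x kernel with MICRO >= 30 would be treated as a seclabel-capable kernel, and MICRO is taken straight from `cut -d. -f3`, so a release string such as `2.6.30-rc1` yields `30-rc1` and `[ ... -lt 30 ]` fails with an "integer expression expected" error (with `set -e` absent that silently flips the branch). Suggest stripping the non-numeric suffix before comparing, e.g. `MICRO=$(echo "$VER" | cut -d. -f3 | sed 's/[^0-9].*//')`, and expressing the test as a proper lexicographic comparison (old if MAJOR < 2, or MAJOR == 2 and MINOR < 6, or MAJOR == 2 and MINOR == 6 and MICRO < 30), mirroring what setfiles does for the same check. Two smaller points: in the fallback regex `(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )` the `ext[234]` alternative lacks the surrounding spaces the other alternatives have, so it matches any line containing that substring anywhere (including in the mount point path) rather than only the fstype field; and the seclabel branch drops the `grep -v "context="` filter that the fallback branch keeps, which deserves a comment stating that context= mounts are expected not to report seclabel, since otherwise a reader will assume the two branches disagree.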
@@ -64,8 +99,8 @@ SYSLOGFLAG="-l"
 LOGGER=/usr/sbin/logger
 SETFILES=/sbin/setfiles
 RESTORECON=/sbin/restorecon
-FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(rw/{print $3}';`
-FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(ro/{print $3}';`
+FILESYSTEMSRW=`get_rw_labeled_mounts`
+FILESYSTEMSRO=`get_ro_labeled_mounts`
 FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
 SELINUXTYPE="targeted"
 if [ -e /etc/selinux/config ]; then
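Review bot: the removed FILESYSTEMSRW/FILESYSTEMSRO definitions excluded bind mounts with `egrep -v '\((|.*,)bind(,.*|)\)'`, but neither get_rw_labeled_mounts nor get_ro_labeled_mounts carries an equivalent filter, and /proc/self/mounts does not expose a `bind` option at all (a bind mount shows the underlying fstype and options, seclabel included). The net effect is that a bind mount of a labeled filesystem now lands in FILESYSTEMS and the same inodes get walked twice by setfiles/restorecon. Either document that this is acceptable or keep the exclusion by filtering out mount points whose device and fstype match an earlier entry. Also worth noting in the commit message that the switch from `mount` output to /proc/self/mounts changes which source of truth is consulted, since the two can differ when /etc/mtab is stale or a symlink.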
-- 
1.7.6

