On 08/12/2011 02:44 PM, Stephen Smalley wrote: > On Fri, 2011-08-12 at 14:22 -0400, Eric Paris wrote: >> On Thu, Aug 4, 2011 at 10:58 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: >>> On Wed, 2011-08-03 at 16:58 -0400, Daniel J Walsh wrote: >> >>>> This patch looks good to me. acked. >>> >>> When similar logic was added to setfiles, we included a kernel version >>> check (>= 2.6.30) to ensure that we didn't end up excluding all >>> filesystems on older kernels that do not report seclabel. >> >> Patch replaced with the attached. > > Your version comparison isn't quite right, e.g. consider 2.2.30. > If you want a reliable version compare, you probably want to do > something similar to KERNEL_VERSION() from include/linux/version.h and > convert both versions to simple integers that can be compared. Or you > could do something based on this gem: > http://rubinium.org/blog/archives/2010/04/05/shell-script-version-compare-vercmp/ > > Or just rewrite fixfiles in a reasonable language ;) Decided to go with the gem.
From 1da72eea266fdee3603204423ab1d9e68ff05f79 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@xxxxxxxxxx>
Date: Sun, 10 Jul 2011 16:09:11 +0200
Subject: [PATCH] policycoreutils: fixfiles: use new kernel seclabel option

The kernel now outputs a mount option called 'seclabel' which indicates if the filesystem supposed security labeling. Use that instead of having to update some hard coded list of acceptable filesystems (that may or may not be acceptable depending on if they were compiled with security xattrs)

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
Acked-by: Dan Walsh <dwalsh@xxxxxxxxxx>
---
 policycoreutils/scripts/fixfiles | 48 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index ba59d87..54226eb 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -20,6 +20,50 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# seclabel support was added in 2.6.30. This function will return a positive
+# number if the current kernel version is greater than 2.6.30, a negative
+# number if the current is less than 2.6.30 and 0 if they are the same.
+#
+function useseclabel {
+ VER=`uname -r`
+ SUP=2.6.30
+ expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \
+ '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
+ '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')'
+}
+
+#
+# Get all mount points that support labeling. Use the 'seclabel' field if it
+# is available. Else fall back to known fs types which likely support xattrs
+# and we know were not context mounted.
+#
+get_all_labeled_mounts() {
+FS="`cat /proc/self/mounts | sort | uniq | awk '{print $2}'`"
+for i in $FS; do
+ if [ `useseclabel` -ge 0 ]
+ then
+ grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)seclabel(,|$)' && echo $i
+ else
+ grep " $i " /proc/self/mounts | grep -v "context=" | egrep --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i
+ fi
+done
+}
+
+get_rw_labeled_mounts() {
+FS=`get_all_labeled_mounts | sort | uniq`
+for i in $FS; do
+ grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)rw(,|$)' && echo $i
+done
+}
+
+get_ro_labeled_mounts() {
+FS=`get_all_labeled_mounts | sort | uniq`
+for i in $FS; do
+ grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)ro(,|$)' && echo $i
+done
+}
+
 exclude_dirs_from_relabelling() {
 exclude_from_relabelling=
 if [ -e /etc/selinux/fixfiles_exclude_dirs ]
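Review bot: useseclabel's expr arithmetic does not survive the release strings `uname -r` really produces: the third capture `'[^.]*[.][^.]*[.]\([^.]*\)'` takes everything up to the next dot, so for a release like `2.6.32-71.el6.x86_64` (constructed example) the operand becomes `32-71`, expr reports a non-integer argument and prints nothing, and the `[ `useseclabel` -ge 0 ]` test in get_all_labeled_mounts then fails with a unary-operator error, dropping every such 2.6.x kernel to the fs-type fallback even though it does report seclabel (3.x kernels escape this only because the major-version term short-circuits the `|`). Stripping the suffix before comparing fixes it: `VER=$(uname -r | sed 's/[^0-9.].*//')`. The comparison is also recomputed (uname plus expr forks) once per mount point inside the `for i in $FS` loop; evaluating it once before the loop into a variable and testing that keeps the cost and the error surface in one place.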
@@ -64,8 +108,8 @@ SYSLOGFLAG="-l"
 LOGGER=/usr/sbin/logger
 SETFILES=/sbin/setfiles
 RESTORECON=/sbin/restorecon
-FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(rw/{print $3}';`
-FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(ro/{print $3}';`
+FILESYSTEMSRW=`get_rw_labeled_mounts`
+FILESYSTEMSRO=`get_ro_labeled_mounts`
 FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
 SELINUXTYPE="targeted"
 if [ -e /etc/selinux/config ]; then
-- 
1.7.6
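Review bot: The bind-mount exclusion carried by the removed FILESYSTEMSRW/FILESYSTEMSRO pipelines (`egrep -v '\((|.*,)bind(,.*|)\)'`) has no counterpart in get_rw_labeled_mounts/get_ro_labeled_mounts, so a bind-mounted subtree that reports seclabel is now listed under both its source and its bind target and gets relabeled at each. To my knowledge /proc/self/mounts never carries a `bind` option (that was an mtab artefact), so the filter cannot be ported as-is; whether the removed pattern ever matched reliably is not visible in this hunk. Either way the behaviour change should be stated where the helpers are defined, e.g. `# bind mounts are not filtered: /proc/self/mounts carries no 'bind' option, so a bound subtree may be listed under more than one mount point` above get_all_labeled_mounts.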