On Tue, Jun 30, 2020 at 11:01 AM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
>
> By bind mounting every filesystem we want to relabel we can access all
> files without anything hidden due to active mounts.
>
> This comes at the cost of user experience, because setfiles only
> displays the percentage if no path is given or the path is /

Perhaps this should be opt-in via a new command-line option rather than the default, given the user-visible difference in behavior and the potential for something to go wrong for existing users. We might also want to look at improving setfiles / selinux_restorecon() to support percentage progress without this limitation.

>
> Signed-off-by: bauen1 <j2468h@xxxxxxxxx>

Generally I think a real name is required for Signed-off-by lines in the DCO since otherwise it isn't truly meaningful from a legal perspective.

> --- > policycoreutils/scripts/fixfiles | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > > diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles > index 5d777034..dc5be195 100755 > --- a/policycoreutils/scripts/fixfiles > +++ b/policycoreutils/scripts/fixfiles
> @@ -243,7 +243,19 @@ case "$RESTORE_MODE" in > if [ -n "${FILESYSTEMSRW}" ]; then > LogReadOnly > echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" > - ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW} > + > + # we bind mount so we can fix the labels of files that have already been > + # mounted over > + for m in `echo $FILESYSTEMSRW`; do > + TMP_MOUNT="$(mktemp -d)" > + test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1 > + > + mkdir -p "${TMP_MOUNT}${m}" || exit 1 > + mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1 > + ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}" > + umount "${TMP_MOUNT}${m}" || exit 1 > + rm -rf "${TMP_MOUNT}" || echo "Error cleaning up." > + done; > else > echo >&2 "fixfiles: No suitable file systems found" > fi > -- > 2.27.0 >
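
Review bot: the mktemp failure check in the added loop, `test -z ${TMP_MOUNT+x}`, can never fire, because `${TMP_MOUNT+x}` expands to `x` whenever the variable is set and the assignment on the line before always sets it, even to an empty string. If mktemp fails, the loop carries on with an empty TMP_MOUNT, so `${m}` is bind mounted onto itself and setfiles runs with an empty `-r` root. Checking the command itself, `TMP_MOUNT="$(mktemp -d)" || exit 1`, covers that case. Two further points in the same loop: the `|| exit 1` paths and an interrupt during `${SETFILES}` leave the bind mount or the temporary directory behind, since nothing is cleaned up on early exit and there is no trap; and once the umount has succeeded only empty directories remain under `${TMP_MOUNT}`, so removing them with rmdir instead of `rm -rf` would avoid deleting through a bind mount that is still attached.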