On Mon, 19 Sept 2022 at 13:29, Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> Always run find with -xdev to avoid unintended deleting/relabeling.
> While this may sometimes skip subdirectories that should be relabeled,
> the danger of crossing into random mounts is greater than leaving behind
> some unlabeled files. The find commands are just best-effort attempts to
> fix the labels anyway.
The xdev option does not work for bind mounts (they are still followed).
>
> In case of /run (renamed from the deprecated /var/run), traverse
> /run/user/* directories separately, as there is commonly an additional
> layer of tmpfs mounted on them.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
> policycoreutils/scripts/fixfiles | 18 +++++++++++-------
> 1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
> index c72ca0eb..c9ab2a93 100755
> --- a/policycoreutils/scripts/fixfiles
> +++ b/policycoreutils/scripts/fixfiles
> @@ -153,7 +153,7 @@ newer() {
> shift
> LogReadOnly
> for m in `echo $FILESYSTEMSRW`; do
> - find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
> + find $m -xdev -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
> done;
> }
>
> @@ -273,18 +273,22 @@ case "$RESTORE_MODE" in
>
> UNDEFINED=`get_undefined_type` || exit $?
> UNLABELED=`get_unlabeled_type` || exit $?
> - find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete
> - find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /tmp {} \;
> - find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/tmp {} \;
> - find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/run {} \;
> - [ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /lib {} \;
> + find -xdev /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete
> + find -xdev /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /tmp {} \;
> + find -xdev /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/tmp {} \;
> + find -xdev /run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /run {} \;
> + # /run/user/<pid> may have an additional tmpfs mounted on it
> + for userdir in /run/user/*; do
> + find -xdev "$userdir" \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference "$userdir" {} \;
> + done
> + [ ! -e /var/lib/debug ] || find -xdev /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /lib {} \;
> ;;
> esac
> }
>
> fullrelabel() {
> echo "Cleaning out /tmp"
> - find /tmp/ -mindepth 1 -delete
> + find -xdev /tmp/ -mindepth 1 -delete
> restore Relabel
> }
>
> --
> 2.37.3
>
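Review bot: Every added `find -xdev <path> …` line in this hunk places `-xdev` before the starting point, and GNU find treats the first argument beginning with `-` as the start of the expression, so it rejects the following path with its "paths must precede expression" error; as written, none of the /tmp, /var/tmp, /run, /run/user/* and /var/lib/debug fix-ups nor the `find -xdev /tmp/ -mindepth 1 -delete` in fullrelabel would run on such systems. The first hunk already has the correct order with `find $m -xdev …`, so each line here should follow it, e.g. `find /tmp -xdev \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete`. Nothing in the hunk checks find's exit status, so the failure would surface only as an error on stderr while the script carries on as if the cleanup had happened. The `for userdir in /run/user/*` loop also hands the literal pattern to find when /run/user is empty or absent (no nullglob is visible), which a guard like `[ -d "$userdir" ] || continue` as the first statement of the loop avoids. The enclosing `case "$RESTORE_MODE"` block starts before this hunk.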