* [PATCH] Permit fixfiles to skip configurable directory from relabelling
@ 2011-04-07 15:47 Elia Pinto
2011-04-07 15:53 ` Daniel J Walsh
0 siblings, 1 reply; 7+ messages in thread
From: Elia Pinto @ 2011-04-07 15:47 UTC (permalink / raw)
To: selinux; +Cc: Elia Pinto, pinto.elia
From: Elia Pinto <yersinia.spiros@gmail.com>
This patch permit fixfiles to check /.autorelabel_excluded
for a list of directories to exclude from relabelling.
Inspired by this blog http://danwalsh.livejournal.com/38157.html.
Signed-off-by: Elia Pinto <yersinia.spiros@gmail.com>
---
policycoreutils/scripts/fixfiles | 44 ++++++++++++++++++++++++++++++++---
policycoreutils/scripts/fixfiles.8 | 2 +
2 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index ae519fc..ba4d4b1 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -28,6 +28,7 @@ FORCEFLAG=""
DIRS=""
RPMILES=""
LOGFILE=`tty`
+FINDEXCLUDEDPATH=""
if [ $? != 0 ]; then
LOGFILE="/dev/null"
fi
@@ -46,6 +47,24 @@ else
FC=/etc/security/selinux/file_contexts
fi
+# Add an excluded path for the following
+# find in the function restore, relabel
+
+if [ -e /.autorelabel_excluded ]
+then
+ while read _p
+ do
+ # skip blank line and comment
+ # skip not absolute path
+ # skip not directory
+ [ -z "${_p}" ] && continue
+ [[ "${_p}" =~ "^[[:blank:]]*#" ]] && continue
+ [[ ! "${_p}" =~ "^/.*" ]] && continue
+ [[ ! -d "${_p}" ]] && continue
+ FINDEXCLUDEDPATH="${FINDEXCLUDEDPATH} -o -path \"${_p}\""
+ done < /.autorelabel_excluded
+fi
+
#
# Log to either syslog or a LOGFILE
#
@@ -88,7 +107,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
fi; \
done | \
while read pattern ; do sh -c "find $pattern \
- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o \
+ ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o \
\( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \
done 2> /dev/null | \
${RESTORECON} $* -0 -f -
@@ -127,8 +146,9 @@ if [ ! -z "$RPMFILES" ]; then
fi
if [ ! -z "$FILEPATH" ]; then
if [ -x /usr/bin/find ]; then
+ loggit "skipping the directory ${FINDEXCLUDEDPATH//-o -path/} from relabelling"
/usr/bin/find "$FILEPATH" \
- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o -print0 | \
+ ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o -print0 | \
${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
else
${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
@@ -137,8 +157,24 @@ if [ ! -z "$FILEPATH" ]; then
fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
LogReadOnly
-${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
+#
+#
+# "<<none>>" '/md/distro?(/.*)?'
+TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
+test -z "$TEMPFILE" && exit
+cp -p ${FC} ${TEMPFILE}
+FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//-o -path/}
+FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//\"/}
+for _p in $FINDEXCLUDEDPATH
+do
+ _p="${_p%/}"
+ _p1="${_p}(/.*)? -- <<none>>"
+ echo "${_p1}" >> $TEMPFILE
+ logit "skipping the directory ${_p} from relabelling"
+done
+
+${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${TEMPFILE} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFILE
find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
exit $?
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index dfe8aa9..865aab4 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all
as you expect. By default it will relabel all mounted ext2, ext3, xfs and
jfs file systems as long as they do not have a security context mount
option. You can use the -R flag to use rpmpackages as an alternative.
+The file /.autorelabel_exclude can contain a list of directory path
+that fixfiles don't relabel.
.P
.B fixfiles onboot
will setup the machine to relabel on the next reboot.
--
1.7.2.1.44.g721e7
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH] Permit fixfiles to skip configurable directory from relabelling
2011-04-07 15:47 [PATCH] Permit fixfiles to skip configurable directory from relabelling Elia Pinto
@ 2011-04-07 15:53 ` Daniel J Walsh
2011-04-07 16:28 ` Elia Pinto
2011-04-08 17:14 ` Elia Pinto
0 siblings, 2 replies; 7+ messages in thread
From: Daniel J Walsh @ 2011-04-07 15:53 UTC (permalink / raw)
To: Elia Pinto; +Cc: selinux, Elia Pinto, pinto.elia
[-- Attachment #1: Type: text/plain, Size: 5253 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/07/2011 11:47 AM, Elia Pinto wrote:
> From: Elia Pinto <yersinia.spiros@gmail.com>
>
> This patch permit fixfiles to check /.autorelabel_excluded
> for a list of directories to exclude from relabelling.
>
> Inspired by this blog http://danwalsh.livejournal.com/38157.html.
>
> Signed-off-by: Elia Pinto <yersinia.spiros@gmail.com>
> ---
> policycoreutils/scripts/fixfiles | 44 ++++++++++++++++++++++++++++++++---
> policycoreutils/scripts/fixfiles.8 | 2 +
> 2 files changed, 42 insertions(+), 4 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
> index ae519fc..ba4d4b1 100755
> --- a/policycoreutils/scripts/fixfiles
> +++ b/policycoreutils/scripts/fixfiles
> @@ -28,6 +28,7 @@ FORCEFLAG=""
> DIRS=""
> RPMILES=""
> LOGFILE=`tty`
> +FINDEXCLUDEDPATH=""
> if [ $? != 0 ]; then
> LOGFILE="/dev/null"
> fi
> @@ -46,6 +47,24 @@ else
> FC=/etc/security/selinux/file_contexts
> fi
>
> +# Add an excluded path for the following
> +# find in the function restore, relabel
> +
> +if [ -e /.autorelabel_excluded ]
> +then
> + while read _p
> + do
> + # skip blank line and comment
> + # skip not absolute path
> + # skip not directory
> + [ -z "${_p}" ] && continue
> + [[ "${_p}" =~ "^[[:blank:]]*#" ]] && continue
> + [[ ! "${_p}" =~ "^/.*" ]] && continue
> + [[ ! -d "${_p}" ]] && continue
> + FINDEXCLUDEDPATH="${FINDEXCLUDEDPATH} -o -path \"${_p}\""
> + done < /.autorelabel_excluded
> +fi
> +
> #
> # Log to either syslog or a LOGFILE
> #
> @@ -88,7 +107,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
> fi; \
> done | \
> while read pattern ; do sh -c "find $pattern \
> - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o \
> + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o \
> \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \
> done 2> /dev/null | \
> ${RESTORECON} $* -0 -f -
> @@ -127,8 +146,9 @@ if [ ! -z "$RPMFILES" ]; then
> fi
> if [ ! -z "$FILEPATH" ]; then
> if [ -x /usr/bin/find ]; then
> + loggit "skipping the directory ${FINDEXCLUDEDPATH//-o -path/} from relabelling"
> /usr/bin/find "$FILEPATH" \
> - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o -print0 | \
> + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o -print0 | \
> ${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
> else
> ${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
> @@ -137,8 +157,24 @@ if [ ! -z "$FILEPATH" ]; then
> fi
> [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
> LogReadOnly
> -${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
> -rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
> +#
> +#
> +# "<<none>>" '/md/distro?(/.*)?'
> +TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
> +test -z "$TEMPFILE" && exit
> +cp -p ${FC} ${TEMPFILE}
> +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//-o -path/}
> +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//\"/}
> +for _p in $FINDEXCLUDEDPATH
> +do
> + _p="${_p%/}"
> + _p1="${_p}(/.*)? -- <<none>>"
> + echo "${_p1}" >> $TEMPFILE
> + logit "skipping the directory ${_p} from relabelling"
> +done
> +
> +${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${TEMPFILE} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
> +rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFILE
> find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
> find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
> exit $?
> diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
> index dfe8aa9..865aab4 100644
> --- a/policycoreutils/scripts/fixfiles.8
> +++ b/policycoreutils/scripts/fixfiles.8
> @@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all
> as you expect. By default it will relabel all mounted ext2, ext3, xfs and
> jfs file systems as long as they do not have a security context mount
> option. You can use the -R flag to use rpmpackages as an alternative.
> +The file /.autorelabel_exclude can contain a list of directory path
> +that fixfiles don't relabel.
> .P
> .B fixfiles onboot
> will setup the machine to relabel on the next reboot.
This file should not be in /, I think it would be better to put it in
/etc/selinux
I have attached the current Fedora fixfiles. Which has some similar fixes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2d3hQACgkQrlYvE4MpobNgYACg4hHDc5kgHLVPdfjb2KmytGNY
rggAn0INl+1Mf5odXoUq5rJQR6FT/RzD
=KAVX
-----END PGP SIGNATURE-----
[-- Attachment #2: fixfiles --]
[-- Type: text/plain, Size: 6203 bytes --]
#!/bin/bash
# fixfiles
#
# Script to restore labels on a SELinux box
#
# Copyright (C) 2004-2009 Red Hat, Inc.
# Authors: Dan Walsh <dwalsh@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Get all mounted rw file systems that support seclabel
#
get_labeled_mounts() {
# /dev is not listed in the mountab
FS="`mount | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/\(rw/{print $3}';` /dev"
for i in $FS; do
grep --silent "$i ".*seclabel /proc/self/mounts && echo $i
done
}
exclude_dirs() {
exclude=
for i in /var/lib/BackupPC /home /tmp /dev; do
[ -e $i ] && exclude="$exclude -e $i";
done
echo "$exclude"
}
#
# Set global Variables
#
fullFlag=0
FORCEFLAG=""
DIRS=""
RPMILES=""
LOGFILE=`tty`
if [ $? != 0 ]; then
LOGFILE="/dev/null"
fi
SYSLOGFLAG="-l"
LOGGER=/usr/sbin/logger
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMS=`get_labeled_mounts`
SELINUXTYPE="targeted"
if [ -e /etc/selinux/config ]; then
. /etc/selinux/config
FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
else
FC=/etc/security/selinux/file_contexts
fi
#
# Log to either syslog or a LOGFILE
#
logit () {
if [ -n $LOGFILE ]; then
echo $1 >> $LOGFILE
fi
}
#
# Compare PREVious File Context to currently installed File Context and
# run restorecon on all files affected by the differences.
#
diff_filecontext() {
if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
test -z "$TEMPFILE" && exit
PREFCTEMPFILE=`mktemp ${PREFC}.XXXXXXXXXX`
sed -r -e 's,:s0, ,g' $PREFC | sort -u > ${PREFCTEMPFILE}
sed -r -e 's,:s0, ,g' $FC | sort -u | \
/usr/bin/diff -b ${PREFCTEMPFILE} - | \
grep '^[<>]'|cut -c3-| grep ^/ | \
egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
sed -r -e 's,[[:blank:]].*,,g' \
-e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
-e 's|([/[:alnum:]])\?|{\1,}|g' \
-e 's|\?.*|*|g' \
-e 's|\(.*|*|g' \
-e 's|\[.*|*|g' \
-e 's|\.\*.*|*|g' \
-e 's|\.\+.*|*|g' | \
# These two sorts need to be separate commands \
sort -u | \
sort -d | \
while read pattern ; \
do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
echo "$pattern"; \
case "$pattern" in *"*") \
echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};;
esac; \
fi; \
done | \
${RESTORECON} -f - -R -p `exclude_dirs`; \
rm -f ${TEMPFILE} ${PREFCTEMPFILE}
fi
}
rpmlist() {
rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
}
#
# restore
# if called with -n will only check file context
#
restore () {
if [ ! -z "$PREFC" ]; then
diff_filecontext $*
exit $?
fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
rpmlist $i | ${RESTORECON} ${FORCEFLAG} $* -R -i -f - 2>&1 | cat >> $LOGFILE
done
exit $?
fi
if [ ! -z "$FILEPATH" ]; then
${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE
return
fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMS} 2>&1 | cat >> $LOGFILE
rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
exit $?
}
fullrelabel() {
logit "Cleaning out /tmp"
find /tmp/ -mindepth 1 -delete
restore
}
relabel() {
if [ ! -z "$RPMFILES" ]; then
restore
fi
if [ $fullFlag == 1 ]; then
fullrelabel
fi
echo -n "
Files in the /tmp directory may be labeled incorrectly, this command
can remove all files in /tmp. If you choose to remove files from /tmp,
a reboot will be required after completion.
Do you wish to clean out the /tmp directory [N]? "
read answer
if [ "$answer" = y -o "$answer" = Y ]; then
fullrelabel
else
restore
fi
}
process() {
#
# Make sure they specified one of the three valid commands
#
case "$1" in
restore) restore -p ;;
check) restore -n -v;;
verify) restore -n -o -;;
relabel) relabel;;
onboot)
touch /.autorelabel
echo "System will relabel on next boot"
;;
*)
usage
exit 1
esac
}
usage() {
echo $"""
Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]
or
Usage: $0 [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify }
or
Usage: $0 [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
or
Usage: $0 onboot
"""
}
if [ $# = 0 ]; then
usage
exit 1
fi
# See how we were called.
while getopts "C:FfR:l:" i; do
case "$i" in
f)
fullFlag=1
;;
R)
RPMFILES=$OPTARG
;;
l)
LOGFILE=$OPTARG
;;
C)
PREFC=$OPTARG
;;
F)
FORCEFLAG="-F"
;;
*)
usage
exit 1
esac
done
# Move out processed options from arguments
shift $(( OPTIND - 1 ))
# Check for the command
command=$1
if [ -z $command ]; then
usage
fi
# Move out command from arguments
shift
#
# check if they specified both DIRS and RPMFILES
#
if [ ! -z "$RPMFILES" ]; then
process $command
if [ $# -gt 0 ]; then
usage
fi
else
if [ -z "$1" ]; then
process $command
else
while [ -n "$1" ]; do
FILEPATH=$1
process $command
shift
done
fi
fi
exit $?
[-- Attachment #3: fixfiles.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] Permit fixfiles to skip configurable directory from relabelling
2011-04-07 15:53 ` Daniel J Walsh
@ 2011-04-07 16:28 ` Elia Pinto
2011-04-08 17:14 ` Elia Pinto
1 sibling, 0 replies; 7+ messages in thread
From: Elia Pinto @ 2011-04-07 16:28 UTC (permalink / raw)
To: Daniel J Walsh, selinux, Elia Pinto, pinto.elia
I had the same dubt. I haven't noticed that fc15 had Similar fix. So,
The patch is useless. Thanks for the fast review. Regards
2011/4/7, Daniel J Walsh <dwalsh@redhat.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/07/2011 11:47 AM, Elia Pinto wrote:
>> From: Elia Pinto <yersinia.spiros@gmail.com>
>>
>> This patch permit fixfiles to check /.autorelabel_excluded
>> for a list of directories to exclude from relabelling.
>>
>> Inspired by this blog http://danwalsh.livejournal.com/38157.html.
>>
>> Signed-off-by: Elia Pinto <yersinia.spiros@gmail.com>
>> ---
>> policycoreutils/scripts/fixfiles | 44
>> ++++++++++++++++++++++++++++++++---
>> policycoreutils/scripts/fixfiles.8 | 2 +
>> 2 files changed, 42 insertions(+), 4 deletions(-)
>>
>> diff --git a/policycoreutils/scripts/fixfiles
>> b/policycoreutils/scripts/fixfiles
>> index ae519fc..ba4d4b1 100755
>> --- a/policycoreutils/scripts/fixfiles
>> +++ b/policycoreutils/scripts/fixfiles
>> @@ -28,6 +28,7 @@ FORCEFLAG=""
>> DIRS=""
>> RPMILES=""
>> LOGFILE=`tty`
>> +FINDEXCLUDEDPATH=""
>> if [ $? != 0 ]; then
>> LOGFILE="/dev/null"
>> fi
>> @@ -46,6 +47,24 @@ else
>> FC=/etc/security/selinux/file_contexts
>> fi
>>
>> +# Add an excluded path for the following
>> +# find in the function restore, relabel
>> +
>> +if [ -e /.autorelabel_excluded ]
>> +then
>> + while read _p
>> + do
>> + # skip blank line and comment
>> + # skip not absolute path
>> + # skip not directory
>> + [ -z "${_p}" ] && continue
>> + [[ "${_p}" =~ "^[[:blank:]]*#" ]] && continue
>> + [[ ! "${_p}" =~ "^/.*" ]] && continue
>> + [[ ! -d "${_p}" ]] && continue
>> + FINDEXCLUDEDPATH="${FINDEXCLUDEDPATH} -o -path \"${_p}\""
>> + done < /.autorelabel_excluded
>> +fi
>> +
>> #
>> # Log to either syslog or a LOGFILE
>> #
>> @@ -88,7 +107,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
>> fi; \
>> done | \
>> while read pattern ; do sh -c "find $pattern \
>> - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype
>> ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \)
>> -prune -o \
>> + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype
>> ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs
>> ${FINDEXCLUDEDPATH}\) -prune -o \
>> \( -wholename /home -o -wholename /root -o -wholename /tmp
>> -wholename /dev \) -prune -o -print0"; \
>> done 2> /dev/null | \
>> ${RESTORECON} $* -0 -f -
>> @@ -127,8 +146,9 @@ if [ ! -z "$RPMFILES" ]; then
>> fi
>> if [ ! -z "$FILEPATH" ]; then
>> if [ -x /usr/bin/find ]; then
>> + loggit "skipping the directory ${FINDEXCLUDEDPATH//-o -path/}
>> from relabelling"
>> /usr/bin/find "$FILEPATH" \
>> - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev
>> -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune
>> -o -print0 | \
>> + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev
>> -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs
>> ${FINDEXCLUDEDPATH}\) -prune -o -print0 | \
>> ${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
>> else
>> ${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
>> @@ -137,8 +157,24 @@ if [ ! -z "$FILEPATH" ]; then
>> fi
>> [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
>> LogReadOnly
>> -${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1
>> >> $LOGFILE
>> -rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
>> +#
>> +#
>> +# "<<none>>" '/md/distro?(/.*)?'
>> +TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
>> +test -z "$TEMPFILE" && exit
>> +cp -p ${FC} ${TEMPFILE}
>> +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//-o -path/}
>> +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//\"/}
>> +for _p in $FINDEXCLUDEDPATH
>> +do
>> + _p="${_p%/}"
>> + _p1="${_p}(/.*)? -- <<none>>"
>> + echo "${_p1}" >> $TEMPFILE
>> + logit "skipping the directory ${_p} from relabelling"
>> +done
>> +
>> +${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${TEMPFILE} ${FILESYSTEMSRW}
>> 2>&1 >> $LOGFILE
>> +rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFILE
>> find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec
>> chcon -t tmp_t {} \;
>> find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \)
>> -exec chcon -t tmp_t {} \;
>> exit $?
>> diff --git a/policycoreutils/scripts/fixfiles.8
>> b/policycoreutils/scripts/fixfiles.8
>> index dfe8aa9..865aab4 100644
>> --- a/policycoreutils/scripts/fixfiles.8
>> +++ b/policycoreutils/scripts/fixfiles.8
>> @@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are
>> all
>> as you expect. By default it will relabel all mounted ext2, ext3, xfs
>> and
>> jfs file systems as long as they do not have a security context mount
>> option. You can use the -R flag to use rpmpackages as an alternative.
>> +The file /.autorelabel_exclude can contain a list of directory path
>> +that fixfiles don't relabel.
>> .P
>> .B fixfiles onboot
>> will setup the machine to relabel on the next reboot.
>
> This file should not be in /, I think it would be better to put it in
> /etc/selinux
>
> I have attached the current Fedora fixfiles. Which has some similar fixes.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk2d3hQACgkQrlYvE4MpobNgYACg4hHDc5kgHLVPdfjb2KmytGNY
> rggAn0INl+1Mf5odXoUq5rJQR6FT/RzD
> =KAVX
> -----END PGP SIGNATURE-----
>
--
Inviato dal mio dispositivo mobile
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] Permit fixfiles to skip configurable directory from relabelling
2011-04-07 15:53 ` Daniel J Walsh
2011-04-07 16:28 ` Elia Pinto
@ 2011-04-08 17:14 ` Elia Pinto
2011-04-11 18:35 ` Daniel J Walsh
1 sibling, 1 reply; 7+ messages in thread
From: Elia Pinto @ 2011-04-08 17:14 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
[-- Attachment #1.1: Type: text/plain, Size: 6001 bytes --]
On Thu, Apr 7, 2011 at 5:53 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/07/2011 11:47 AM, Elia Pinto wrote:
> > From: Elia Pinto <yersinia.spiros@gmail.com>
> >
> > This patch permit fixfiles to check /.autorelabel_excluded
> > for a list of directories to exclude from relabelling.
> >
> > Inspired by this blog http://danwalsh.livejournal.com/38157.html.
> >
> > Signed-off-by: Elia Pinto <yersinia.spiros@gmail.com>
> > ---
> > policycoreutils/scripts/fixfiles | 44
> ++++++++++++++++++++++++++++++++---
> > policycoreutils/scripts/fixfiles.8 | 2 +
> > 2 files changed, 42 insertions(+), 4 deletions(-)
> >
> > diff --git a/policycoreutils/scripts/fixfiles
> b/policycoreutils/scripts/fixfiles
> > index ae519fc..ba4d4b1 100755
> > --- a/policycoreutils/scripts/fixfiles
> > +++ b/policycoreutils/scripts/fixfiles
> > @@ -28,6 +28,7 @@ FORCEFLAG=""
> > DIRS=""
> > RPMILES=""
> > LOGFILE=`tty`
> > +FINDEXCLUDEDPATH=""
> > if [ $? != 0 ]; then
> > LOGFILE="/dev/null"
> > fi
> > @@ -46,6 +47,24 @@ else
> > FC=/etc/security/selinux/file_contexts
> > fi
> >
> > +# Add an excluded path for the following
> > +# find in the function restore, relabel
> > +
> > +if [ -e /.autorelabel_excluded ]
> > +then
> > + while read _p
> > + do
> > + # skip blank line and comment
> > + # skip not absolute path
> > + # skip not directory
> > + [ -z "${_p}" ] && continue
> > + [[ "${_p}" =~ "^[[:blank:]]*#" ]] && continue
> > + [[ ! "${_p}" =~ "^/.*" ]] && continue
> > + [[ ! -d "${_p}" ]] && continue
> > + FINDEXCLUDEDPATH="${FINDEXCLUDEDPATH} -o -path \"${_p}\""
> > + done < /.autorelabel_excluded
> > +fi
> > +
> > #
> > # Log to either syslog or a LOGFILE
> > #
> > @@ -88,7 +107,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
> > fi; \
> > done | \
> > while read pattern ; do sh -c "find $pattern \
> > - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o
> -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype
> btrfs \) -prune -o \
> > + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o
> -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype
> btrfs ${FINDEXCLUDEDPATH}\) -prune -o \
> > \( -wholename /home -o -wholename /root -o -wholename
> /tmp -wholename /dev \) -prune -o -print0"; \
> > done 2> /dev/null | \
> > ${RESTORECON} $* -0 -f -
> > @@ -127,8 +146,9 @@ if [ ! -z "$RPMFILES" ]; then
> > fi
> > if [ ! -z "$FILEPATH" ]; then
> > if [ -x /usr/bin/find ]; then
> > + loggit "skipping the directory ${FINDEXCLUDEDPATH//-o -path/}
> from relabelling"
> > /usr/bin/find "$FILEPATH" \
> > - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype
> ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \)
> -prune -o -print0 | \
> > + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype
> ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs
> ${FINDEXCLUDEDPATH}\) -prune -o -print0 | \
> > ${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
> > else
> > ${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
> > @@ -137,8 +157,24 @@ if [ ! -z "$FILEPATH" ]; then
> > fi
> > [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
> > LogReadOnly
> > -${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1
> >> $LOGFILE
> > -rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
> > +#
> > +#
> > +# "<<none>>" '/md/distro?(/.*)?'
> > +TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
> > +test -z "$TEMPFILE" && exit
> > +cp -p ${FC} ${TEMPFILE}
> > +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//-o -path/}
> > +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//\"/}
> > +for _p in $FINDEXCLUDEDPATH
> > +do
> > + _p="${_p%/}"
> > + _p1="${_p}(/.*)? -- <<none>>"
> > + echo "${_p1}" >> $TEMPFILE
> > + logit "skipping the directory ${_p} from relabelling"
> > +done
> > +
> > +${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${TEMPFILE}
> ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
> > +rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFILE
> > find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec
> chcon -t tmp_t {} \;
> > find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \)
> -exec chcon -t tmp_t {} \;
> > exit $?
> > diff --git a/policycoreutils/scripts/fixfiles.8
> b/policycoreutils/scripts/fixfiles.8
> > index dfe8aa9..865aab4 100644
> > --- a/policycoreutils/scripts/fixfiles.8
> > +++ b/policycoreutils/scripts/fixfiles.8
> > @@ -29,6 +29,8 @@ new policy, or just check whether the file contexts
> are all
> > as you expect. By default it will relabel all mounted ext2, ext3, xfs
> and
> > jfs file systems as long as they do not have a security context mount
> > option. You can use the -R flag to use rpmpackages as an alternative.
> > +The file /.autorelabel_exclude can contain a list of directory path
> > +that fixfiles don't relabel.
> > .P
> > .B fixfiles onboot
> > will setup the machine to relabel on the next reboot.
>
> This file should not be in /, I think it would be better to put it in
> /etc/selinux
>
> I have attached the current Fedora fixfiles. Which has some similar fixes.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk2d3hQACgkQrlYvE4MpobNgYACg4hHDc5kgHLVPdfjb2KmytGNY
> rggAn0INl+1Mf5odXoUq5rJQR6FT/RzD
> =KAVX
> -----END PGP SIGNATURE-----
>
I include two simple patch (-p1 were fixfiles and fixfiles.8 live) for
adding a conf file that contain the directory to skip for relabel. I have
followed your advice for the conf path.
Developed with the version contained in
policycoreutils-2.0.85-27.fc15.x86_64 (fc15 last update).
Best Regards
[-- Attachment #1.2: Type: text/html, Size: 7663 bytes --]
[-- Attachment #2: fixfiles.patch --]
[-- Type: application/octet-stream, Size: 2109 bytes --]
diff --git a/fixfiles b/fixfiles
index 0890811..7d21ea3 100755
--- a/fixfiles
+++ b/fixfiles
@@ -30,12 +30,31 @@ for i in $FS; do
grep --silent "$i ".*seclabel /proc/self/mounts && echo $i
done
}
-
+exclude_dirs_from_relabelling() {
+ exclude_from_relabelling=
+ if [ -e /etc/selinux/fixfiles_exclude_dirs ]
+ then
+ while read i
+ do
+ # skip blank line and comment
+ # skip not absolute path
+ # skip not directory
+ [ -z "${i}" ] && continue
+ [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
+ [[ ! "${i}" =~ ^/.* ]] && continue
+ [[ ! -d "${i}" ]] && continue
+ exclude_from_relabelling="$exclude_from_relabelling -e $i"
+ logit "skipping the directory $i from relabelling"
+ done < /etc/selinux/fixfiles_exclude_dirs
+ fi
+ echo "$exclude_from_relabelling"
+}
exclude_dirs() {
exclude=
for i in /var/lib/BackupPC /home /tmp /dev; do
[ -e $i ] && exclude="$exclude -e $i";
done
+ exclude="$exclude `exclude_dirs_from_relabelling`"
echo "$exclude"
}
@@ -134,8 +153,25 @@ if [ ! -z "$FILEPATH" ]; then
return
fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
+#
+exclude_dirs="`exclude_dirs_from_relabelling`"
+if [ -n "${exclude_dirs}" ]
+then
+ TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
+ test -z "$TEMPFCFILE" && exit
+ /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
+ exclude_dirs=${exclude_dirs//-e/}
+ for p in ${exclude_dirs}
+ do
+ p="${p%/}"
+ p1="${p}(/.*)? -- <<none>>"
+ echo "${p1}" >> $TEMPFCFILE
+ logit "skipping the directory ${p} from relabelling"
+ done
+FC=$TEMPFCFILE
+fi
${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMS} 2>&1 | cat >> $LOGFILE
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
exit $?
[-- Attachment #3: fixfiles.8.patch --]
[-- Type: application/octet-stream, Size: 588 bytes --]
diff --git a/fixfiles.8 b/fixfiles.8
index dfe8aa9..0b4cbaa 100644
--- a/fixfiles.8
+++ b/fixfiles.8
@@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all
as you expect. By default it will relabel all mounted ext2, ext3, xfs and
jfs file systems as long as they do not have a security context mount
option. You can use the -R flag to use rpmpackages as an alternative.
+The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
+excluded from relabelling.
.P
.B fixfiles onboot
will setup the machine to relabel on the next reboot.
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH] Permit fixfiles to skip configurable directory from relabelling
2011-04-08 17:14 ` Elia Pinto
@ 2011-04-11 18:35 ` Daniel J Walsh
0 siblings, 0 replies; 7+ messages in thread
From: Daniel J Walsh @ 2011-04-11 18:35 UTC (permalink / raw)
To: Elia Pinto; +Cc: selinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/08/2011 01:14 PM, Elia Pinto wrote:
> On Thu, Apr 7, 2011 at 5:53 PM, Daniel J Walsh <dwalsh@redhat.com
> <mailto:dwalsh@redhat.com>> wrote:
>
> On 04/07/2011 11:47 AM, Elia Pinto wrote:
>> From: Elia Pinto <yersinia.spiros@gmail.com
> <mailto:yersinia.spiros@gmail.com>>
>
>> This patch permit fixfiles to check /.autorelabel_excluded
>> for a list of directories to exclude from relabelling.
>
>> Inspired by this blog http://danwalsh.livejournal.com/38157.html.
>
>> Signed-off-by: Elia Pinto <yersinia.spiros@gmail.com
> <mailto:yersinia.spiros@gmail.com>>
>> ---
>> policycoreutils/scripts/fixfiles | 44
> ++++++++++++++++++++++++++++++++---
>> policycoreutils/scripts/fixfiles.8 | 2 +
>> 2 files changed, 42 insertions(+), 4 deletions(-)
>
>> diff --git a/policycoreutils/scripts/fixfiles
> b/policycoreutils/scripts/fixfiles
>> index ae519fc..ba4d4b1 100755
>> --- a/policycoreutils/scripts/fixfiles
>> +++ b/policycoreutils/scripts/fixfiles
>> @@ -28,6 +28,7 @@ FORCEFLAG=""
>> DIRS=""
>> RPMILES=""
>> LOGFILE=`tty`
>> +FINDEXCLUDEDPATH=""
>> if [ $? != 0 ]; then
>> LOGFILE="/dev/null"
>> fi
>> @@ -46,6 +47,24 @@ else
>> FC=/etc/security/selinux/file_contexts
>> fi
>
>> +# Add an excluded path for the following
>> +# find in the function restore, relabel
>> +
>> +if [ -e /.autorelabel_excluded ]
>> +then
>> + while read _p
>> + do
>> + # skip blank line and comment
>> + # skip not absolute path
>> + # skip not directory
>> + [ -z "${_p}" ] && continue
>> + [[ "${_p}" =~ "^[[:blank:]]*#" ]] && continue
>> + [[ ! "${_p}" =~ "^/.*" ]] && continue
>> + [[ ! -d "${_p}" ]] && continue
>> + FINDEXCLUDEDPATH="${FINDEXCLUDEDPATH} -o -path \"${_p}\""
>> + done < /.autorelabel_excluded
>> +fi
>> +
>> #
>> # Log to either syslog or a LOGFILE
>> #
>> @@ -88,7 +107,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
>> fi; \
>> done | \
>> while read pattern ; do sh -c "find $pattern \
>> - ! \( -fstype ext2 -o -fstype ext3 -o -fstype
> ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype
> xfs -o -fstype btrfs \) -prune -o \
>> + ! \( -fstype ext2 -o -fstype ext3 -o -fstype
> ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype
> xfs -o -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o \
>> \( -wholename /home -o -wholename /root -o
> -wholename /tmp -wholename /dev \) -prune -o -print0"; \
>> done 2> /dev/null | \
>> ${RESTORECON} $* -0 -f -
>> @@ -127,8 +146,9 @@ if [ ! -z "$RPMFILES" ]; then
>> fi
>> if [ ! -z "$FILEPATH" ]; then
>> if [ -x /usr/bin/find ]; then
>> + loggit "skipping the directory ${FINDEXCLUDEDPATH//-o
> -path/} from relabelling"
>> /usr/bin/find "$FILEPATH" \
>> - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o
> -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o
> -fstype btrfs \) -prune -o -print0 | \
>> + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o
> -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o
> -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o -print0 | \
>> ${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
>> else
>> ${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
>> @@ -137,8 +157,24 @@ if [ ! -z "$FILEPATH" ]; then
>> fi
>> [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
>> LogReadOnly
>> -${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC}
> ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
>> -rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
>> +#
>> +#
>> +# "<<none>>" '/md/distro?(/.*)?'
>> +TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
>> +test -z "$TEMPFILE" && exit
>> +cp -p ${FC} ${TEMPFILE}
>> +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//-o -path/}
>> +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//\"/}
>> +for _p in $FINDEXCLUDEDPATH
>> +do
>> + _p="${_p%/}"
>> + _p1="${_p}(/.*)? -- <<none>>"
>> + echo "${_p1}" >> $TEMPFILE
>> + logit "skipping the directory ${_p} from relabelling"
>> +done
>> +
>> +${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${TEMPFILE}
> ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
>> +rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFILE
>> find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \)
> -exec chcon -t tmp_t {} \;
>> find /var/tmp \( -context "*:file_t*" -o -context
> "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
>> exit $?
>> diff --git a/policycoreutils/scripts/fixfiles.8
> b/policycoreutils/scripts/fixfiles.8
>> index dfe8aa9..865aab4 100644
>> --- a/policycoreutils/scripts/fixfiles.8
>> +++ b/policycoreutils/scripts/fixfiles.8
>> @@ -29,6 +29,8 @@ new policy, or just check whether the file
> contexts are all
>> as you expect. By default it will relabel all mounted ext2,
> ext3, xfs and
>> jfs file systems as long as they do not have a security context mount
>> option. You can use the -R flag to use rpmpackages as an
> alternative.
>> +The file /.autorelabel_exclude can contain a list of directory path
>> +that fixfiles don't relabel.
>> .P
>> .B fixfiles onboot
>> will setup the machine to relabel on the next reboot.
>
> This file should not be in /, I think it would be better to put it in
> /etc/selinux
>
> I have attached the current Fedora fixfiles. Which has some similar
> fixes.
Your patch will be in policycoreutils-2.0.85-30.fc15
> I include two simple patch (-p1 were fixfiles and fixfiles.8 live) for
> adding a conf file that contain the directory to skip for relabel. I
> have followed your advice for the conf path.
> Developed with the version contained in
> policycoreutils-2.0.85-27.fc15.x86_64 (fc15 last update).
> Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2jSgoACgkQrlYvE4MpobPxgQCcCT4QLEBKxDEPSp2RBCMAZLa5
+lkAoKtkx0ZF4z6omr657KoTYqmFwCpF
=C7Ee
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] Permit fixfiles to skip configurable directory from relabelling
@ 2011-04-07 15:40 Elia Pinto
2011-04-07 15:46 ` Elia Pinto
0 siblings, 1 reply; 7+ messages in thread
From: Elia Pinto @ 2011-04-07 15:40 UTC (permalink / raw)
To: selinux; +Cc: Elia Pinto, pinto.elia
From: Elia Pinto <yersinia.spiros@gmail.com>
This patch permit fixfiles to check /.autorelabel_excluded
for a list of directories to exclude from relabelling.
Inspired by this blog http://danwalsh.livejournal.com/38157.html.
Signed-off-by: Elia Pinto <yersinia.spiros@gmail.com>
---
policycoreutils/scripts/fixfiles | 45 ++++++++++++++++++++++++++++++++---
policycoreutils/scripts/fixfiles.8 | 2 +
2 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index ae519fc..2a39d74 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -28,6 +28,7 @@ FORCEFLAG=""
DIRS=""
RPMILES=""
LOGFILE=`tty`
+FINDEXCLUDEDPATH=""
if [ $? != 0 ]; then
LOGFILE="/dev/null"
fi
@@ -46,6 +47,24 @@ else
FC=/etc/security/selinux/file_contexts
fi
+# Add an excluded path for the following
+# find in the function restore, relabel
+
+if [ -e /.autorelabel_excluded ]
+then
+ while read _p
+ do
+ # skip blank line and comment
+ # skip not absolute path
+ # skip not directory
+ [ -z "${_p}" ] && continue
+ [[ "${_p}" =~ "^[[:blank:]]*#" ]] && continue
+ [[ ! "${_p}" =~ "^/.*" ]] && continue
+ [[ ! -d "${_p}" ]] && continue
+ FINDEXCLUDEDPATH="${FINDEXCLUDEDPATH} -o -path \"${_p}\""
+ done < /.autorelabel_excluded
+fi
+
#
# Log to either syslog or a LOGFILE
#
@@ -88,7 +107,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
fi; \
done | \
while read pattern ; do sh -c "find $pattern \
- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o \
+ ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o \
\( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \
done 2> /dev/null | \
${RESTORECON} $* -0 -f -
@@ -115,6 +134,7 @@ rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
# if called with -n will only check file context
#
restore () {
+set -x
if [ ! -z "$PREFC" ]; then
diff_filecontext $*
exit $?
@@ -127,8 +147,9 @@ if [ ! -z "$RPMFILES" ]; then
fi
if [ ! -z "$FILEPATH" ]; then
if [ -x /usr/bin/find ]; then
+ loggit "skipping the directory ${FINDEXCLUDEDPATH//-o -path/} from relabelling"
/usr/bin/find "$FILEPATH" \
- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o -print0 | \
+ ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs ${FINDEXCLUDEDPATH}\) -prune -o -print0 | \
${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
else
${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
@@ -137,8 +158,24 @@ if [ ! -z "$FILEPATH" ]; then
fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
LogReadOnly
-${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
+#
+#
+# "<<none>>" '/md/distro?(/.*)?'
+TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
+test -z "$TEMPFILE" && exit
+cp -p ${FC} ${TEMPFILE}
+FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//-o -path/}
+FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//\"/}
+for _p in $FINDEXCLUDEDPATH
+do
+ _p="${_p%/}"
+ _p1="${_p}(/.*)? -- <<none>>"
+ echo "${_p1}" >> $TEMPFILE
+ logit "skipping the directory ${_p} from relabelling"
+done
+
+${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${TEMPFILE} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFILE
find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
exit $?
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index dfe8aa9..865aab4 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all
as you expect. By default it will relabel all mounted ext2, ext3, xfs and
jfs file systems as long as they do not have a security context mount
option. You can use the -R flag to use rpmpackages as an alternative.
+The file /.autorelabel_exclude can contain a list of directory path
+that fixfiles don't relabel.
.P
.B fixfiles onboot
will setup the machine to relabel on the next reboot.
--
1.7.2.1.44.g721e7
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH] Permit fixfiles to skip configurable directory from relabelling
2011-04-07 15:40 Elia Pinto
@ 2011-04-07 15:46 ` Elia Pinto
0 siblings, 0 replies; 7+ messages in thread
From: Elia Pinto @ 2011-04-07 15:46 UTC (permalink / raw)
To: selinux; +Cc: Elia Pinto, pinto.elia
[-- Attachment #1: Type: text/plain, Size: 5298 bytes --]
Sorry there was a typo, i will repost shortly. Please ignore this patch
2011/4/7 Elia Pinto <andronicus.spiros@gmail.com>
> From: Elia Pinto <yersinia.spiros@gmail.com>
>
> This patch permit fixfiles to check /.autorelabel_excluded
> for a list of directories to exclude from relabelling.
>
> Inspired by this blog http://danwalsh.livejournal.com/38157.html.
>
> Signed-off-by: Elia Pinto <yersinia.spiros@gmail.com>
> ---
> policycoreutils/scripts/fixfiles | 45
> ++++++++++++++++++++++++++++++++---
> policycoreutils/scripts/fixfiles.8 | 2 +
> 2 files changed, 43 insertions(+), 4 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles
> b/policycoreutils/scripts/fixfiles
> index ae519fc..2a39d74 100755
> --- a/policycoreutils/scripts/fixfiles
> +++ b/policycoreutils/scripts/fixfiles
> @@ -28,6 +28,7 @@ FORCEFLAG=""
> DIRS=""
> RPMILES=""
> LOGFILE=`tty`
> +FINDEXCLUDEDPATH=""
> if [ $? != 0 ]; then
> LOGFILE="/dev/null"
> fi
> @@ -46,6 +47,24 @@ else
> FC=/etc/security/selinux/file_contexts
> fi
>
> +# Add an excluded path for the following
> +# find in the function restore, relabel
> +
> +if [ -e /.autorelabel_excluded ]
> +then
> + while read _p
> + do
> + # skip blank line and comment
> + # skip not absolute path
> + # skip not directory
> + [ -z "${_p}" ] && continue
> + [[ "${_p}" =~ "^[[:blank:]]*#" ]] && continue
> + [[ ! "${_p}" =~ "^/.*" ]] && continue
> + [[ ! -d "${_p}" ]] && continue
> + FINDEXCLUDEDPATH="${FINDEXCLUDEDPATH} -o -path \"${_p}\""
> + done < /.autorelabel_excluded
> +fi
> +
> #
> # Log to either syslog or a LOGFILE
> #
> @@ -88,7 +107,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
> fi; \
> done | \
> while read pattern ; do sh -c "find $pattern \
> - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o
> -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype
> btrfs \) -prune -o \
> + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o
> -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype
> btrfs ${FINDEXCLUDEDPATH}\) -prune -o \
> \( -wholename /home -o -wholename /root -o -wholename
> /tmp -wholename /dev \) -prune -o -print0"; \
> done 2> /dev/null | \
> ${RESTORECON} $* -0 -f -
> @@ -115,6 +134,7 @@ rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" |
> grep '^0 ' | cut -f2- -d ' '
> # if called with -n will only check file context
> #
> restore () {
> +set -x
> if [ ! -z "$PREFC" ]; then
> diff_filecontext $*
> exit $?
> @@ -127,8 +147,9 @@ if [ ! -z "$RPMFILES" ]; then
> fi
> if [ ! -z "$FILEPATH" ]; then
> if [ -x /usr/bin/find ]; then
> + loggit "skipping the directory ${FINDEXCLUDEDPATH//-o -path/} from
> relabelling"
> /usr/bin/find "$FILEPATH" \
> - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype
> ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \)
> -prune -o -print0 | \
> + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype
> ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs
> ${FINDEXCLUDEDPATH}\) -prune -o -print0 | \
> ${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
> else
> ${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
> @@ -137,8 +158,24 @@ if [ ! -z "$FILEPATH" ]; then
> fi
> [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
> LogReadOnly
> -${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1
> >> $LOGFILE
> -rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
> +#
> +#
> +# "<<none>>" '/md/distro?(/.*)?'
> +TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
> +test -z "$TEMPFILE" && exit
> +cp -p ${FC} ${TEMPFILE}
> +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//-o -path/}
> +FINDEXCLUDEDPATH=${FINDEXCLUDEDPATH//\"/}
> +for _p in $FINDEXCLUDEDPATH
> +do
> + _p="${_p%/}"
> + _p1="${_p}(/.*)? -- <<none>>"
> + echo "${_p1}" >> $TEMPFILE
> + logit "skipping the directory ${_p} from relabelling"
> +done
> +
> +${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${TEMPFILE} ${FILESYSTEMSRW}
> 2>&1 >> $LOGFILE
> +rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFILE
> find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec
> chcon -t tmp_t {} \;
> find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \)
> -exec chcon -t tmp_t {} \;
> exit $?
> diff --git a/policycoreutils/scripts/fixfiles.8
> b/policycoreutils/scripts/fixfiles.8
> index dfe8aa9..865aab4 100644
> --- a/policycoreutils/scripts/fixfiles.8
> +++ b/policycoreutils/scripts/fixfiles.8
> @@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are
> all
> as you expect. By default it will relabel all mounted ext2, ext3, xfs and
> jfs file systems as long as they do not have a security context mount
> option. You can use the -R flag to use rpmpackages as an alternative.
> +The file /.autorelabel_exclude can contain a list of directory path
> +that fixfiles don't relabel.
> .P
> .B fixfiles onboot
> will setup the machine to relabel on the next reboot.
> --
> 1.7.2.1.44.g721e7
>
>
[-- Attachment #2: Type: text/html, Size: 6606 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2011-04-11 18:35 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-04-07 15:47 [PATCH] Permit fixfiles to skip configurable directory from relabelling Elia Pinto
2011-04-07 15:53 ` Daniel J Walsh
2011-04-07 16:28 ` Elia Pinto
2011-04-08 17:14 ` Elia Pinto
2011-04-11 18:35 ` Daniel J Walsh
-- strict thread matches above, loose matches on Subject: below --
2011-04-07 15:40 Elia Pinto
2011-04-07 15:46 ` Elia Pinto
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.