kdumpctl: add selinux relabel when service startup
Dracut root fs is always mounted, but it's not guaranteed to success because we are in crash/kdump context. So selinux policy can not only depends on chroot load_policy. Per discussion with Vivek and Selinux people, relabel kdump files when the service restart. Currently only below cases are considerd: 1. target mounted in 1st kernel 2. target mounted as rw, if user mount it as 'ro' they will have to relabel the files by themselves. 3. save path is not masked, this means if /var/crash is mount to another disk which is different from dump target it will not visible to user so user need manually relabel them. 4. only local filesystem based targets. Tested on F19 machine. Tested local fs dump and network dump along with different save path to address above mentioned cases. Vivek: use function name is_dump_target_configured use getfattr -m "security.selinux" instead of ".*" Daniel: use restorecon instead of chcon. dyoung: keep minix in local fs list since it has not been deperacated yet. Vivek: wrap is_dump_target_configured checking in function path_to_be_relabeled dyoung: use awk instead of cut to print config value for different space delimeters dyoung: mute df error message: `df $_mnt/$_path 2>/dev/null` For nfs restorecon, since it will be in 3.11 kernel, we can add it when it's ok in Fedora. Signed-off-by: Dave Young <dyoung@redhat.com> Acked-by: Vivek Goyal <vgoyal@redhat.com>
This commit is contained in:
parent
b156ef0d68
commit
aa15e6b6dc
70
kdumpctl
70
kdumpctl
@ -378,6 +378,73 @@ function save_raw()
|
||||
return 0
|
||||
}
|
||||
|
||||
get_save_path() {
|
||||
local _save_path=$(grep "^path" /etc/kdump.conf|awk '{print $2}')
|
||||
if [ -z "$_save_path" ]; then
|
||||
_save_path="/var/crash"
|
||||
fi
|
||||
|
||||
echo $_save_path
|
||||
}
|
||||
|
||||
is_dump_target_configured() {
|
||||
local _target
|
||||
|
||||
_target=$(egrep "^ext[234]|^xfs|^btrfs|^minix|^raw|^ssh|^nfs" /etc/kdump.conf)
|
||||
|
||||
[ -n "$_target" ]
|
||||
}
|
||||
|
||||
local_fs_dump_target()
|
||||
{
|
||||
local _target
|
||||
|
||||
_target=$(egrep "^ext[234]|^xfs|^btrfs|^minix" /etc/kdump.conf)
|
||||
if [ $? -eq 0 ]; then
|
||||
echo $_target|awk '{print $2}'
|
||||
fi
|
||||
}
|
||||
|
||||
path_to_be_relabeled() {
|
||||
local _path _target _mnt="/" _rmnt
|
||||
|
||||
if is_dump_target_configured; then
|
||||
_target=$(local_fs_dump_target)
|
||||
if [[ -n "$_target" ]]; then
|
||||
_mnt=$(findmnt -k -f -n -r -o TARGET $_target)
|
||||
if [ -z "$_mnt" ]; then
|
||||
return
|
||||
fi
|
||||
else
|
||||
return
|
||||
fi
|
||||
fi
|
||||
|
||||
_path=$(get_save_path)
|
||||
# if $_path is masked by other mount, we will not relabel it.
|
||||
_rmnt=$(df $_mnt/$_path 2>/dev/null | tail -1 | awk '{ print $NF }')
|
||||
if [ "$_rmnt" == "$_mnt" ]; then
|
||||
echo $_mnt/$_path
|
||||
fi
|
||||
}
|
||||
|
||||
selinux_relabel()
|
||||
{
|
||||
local _path _i _attr
|
||||
|
||||
_path=$(path_to_be_relabeled)
|
||||
if [ -z "$_path" ] || ! [ -d "$_path" ] ; then
|
||||
return
|
||||
fi
|
||||
|
||||
for _i in $(find $_path); do
|
||||
_attr=$(getfattr -m "security.selinux" $_i 2>/dev/null)
|
||||
if [ -z "$_attr" ]; then
|
||||
restorecon $_i;
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
function start()
|
||||
{
|
||||
check_config
|
||||
@ -386,6 +453,9 @@ function start()
|
||||
return 1
|
||||
fi
|
||||
|
||||
if sestatus 2>/dev/null | grep -q "SELinux status.*enabled"; then
|
||||
selinux_relabel
|
||||
fi
|
||||
save_raw
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Starting kdump: [FAILED]"
|
||||
|
Loading…
Reference in New Issue
Block a user