kdumpctl: add selinux relabel when service startup
Dracut root fs is always mounted, but it's not guaranteed to success
because we are in crash/kdump context. So selinux policy can not only
depends on chroot load_policy.
Per discussion with Vivek and Selinux people, relabel kdump files
when the service restart.
Currently only below cases are considerd:
1. target mounted in 1st kernel
2. target mounted as rw, if user mount it as 'ro' they will have to
relabel the files by themselves.
3. save path is not masked, this means if /var/crash is mount to another
disk which is different from dump target it will not visible to user
so user need manually relabel them.
4. only local filesystem based targets.
Tested on F19 machine.
Tested local fs dump and network dump along with different save path
to address above mentioned cases.
Vivek: use function name is_dump_target_configured
use getfattr -m "security.selinux" instead of ".*"
Daniel: use restorecon instead of chcon.
dyoung: keep minix in local fs list since it has not been deperacated yet.
Vivek: wrap is_dump_target_configured checking in function path_to_be_relabeled
dyoung: use awk instead of cut to print config value for different
space delimeters
dyoung: mute df error message: `df $_mnt/$_path 2>/dev/null`
For nfs restorecon, since it will be in 3.11 kernel, we can add it when it's
ok in Fedora.
Signed-off-by: Dave Young <dyoung@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
This commit is contained in:
dyoung@redhat.com
Baoquan He
parent
b156ef0d68
commit
aa15e6b6dc
70
kdumpctl
70
kdumpctl
|
|
@ -378,6 +378,73 @@ function save_raw()
|
|||
return 0
|
||||
}
|
||||
|
||||
get_save_path() {
|
||||
local _save_path=$(grep "^path" /etc/kdump.conf|awk '{print $2}')
|
||||
if [ -z "$_save_path" ]; then
|
||||
_save_path="/var/crash"
|
||||
fi
|
||||
|
||||
echo $_save_path
|
||||
}
|
||||
|
||||
is_dump_target_configured() {
|
||||
local _target
|
||||
|
||||
_target=$(egrep "^ext[234]|^xfs|^btrfs|^minix|^raw|^ssh|^nfs" /etc/kdump.conf)
|
||||
|
||||
[ -n "$_target" ]
|
||||
}
|
||||
|
||||
local_fs_dump_target()
|
||||
{
|
||||
local _target
|
||||
|
||||
_target=$(egrep "^ext[234]|^xfs|^btrfs|^minix" /etc/kdump.conf)
|
||||
if [ $? -eq 0 ]; then
|
||||
echo $_target|awk '{print $2}'
|
||||
fi
|
||||
}
|
||||
|
||||
path_to_be_relabeled() {
|
||||
local _path _target _mnt="/" _rmnt
|
||||
|
||||
if is_dump_target_configured; then
|
||||
_target=$(local_fs_dump_target)
|
||||
if [[ -n "$_target" ]]; then
|
||||
_mnt=$(findmnt -k -f -n -r -o TARGET $_target)
|
||||
if [ -z "$_mnt" ]; then
|
||||
return
|
||||
fi
|
||||
else
|
||||
return
|
||||
fi
|
||||
fi
|
||||
|
||||
_path=$(get_save_path)
|
||||
# if $_path is masked by other mount, we will not relabel it.
|
||||
_rmnt=$(df $_mnt/$_path 2>/dev/null | tail -1 | awk '{ print $NF }')
|
||||
if [ "$_rmnt" == "$_mnt" ]; then
|
||||
echo $_mnt/$_path
|
||||
fi
|
||||
}
|
||||
|
||||
selinux_relabel()
|
||||
{
|
||||
local _path _i _attr
|
||||
|
||||
_path=$(path_to_be_relabeled)
|
||||
if [ -z "$_path" ] || ! [ -d "$_path" ] ; then
|
||||
return
|
||||
fi
|
||||
|
||||
for _i in $(find $_path); do
|
||||
_attr=$(getfattr -m "security.selinux" $_i 2>/dev/null)
|
||||
if [ -z "$_attr" ]; then
|
||||
restorecon $_i;
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
function start()
|
||||
{
|
||||
check_config
|
||||
|
|
@ -386,6 +453,9 @@ function start()
|
|||
return 1
|
||||
fi
|
||||
|
||||
if sestatus 2>/dev/null | grep -q "SELinux status.*enabled"; then
|
||||
selinux_relabel
|
||||
fi
|
||||
save_raw
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Starting kdump: [FAILED]"
|
||||
|
|
|
|||
Loading…
Reference in New Issue