From 26a4c19ecff545324aa21eb0afbc3d10d3356313 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 1 Mar 2021 18:19:22 +0100
Subject: [PATCH] fixfiles: do not exclude /dev and /run in -C mode
I can't think of a good reason why they should be excluded. On the
contrary, excluding them can cause trouble very easily if some labeling
rules for these directories change. For example, we changed the label
for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora
(updating the allow rules accordingly) and after policy update they
ended up with an invalid context, causing denials.
Thus, remove /dev and /run from the excludes. While there, also add
/root to the basic excludes to match the regex that excludes fc rules
(that should be effectively no functional change).
I did a sanity check on my system by running `restorecon -nv /dev /run`
and it didn't report any label differences.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
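diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 30dadb4f4cb6..6fb12e0451a9 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -162,7 +162,7 @@ newer() {
 #
 diff_filecontext() {
 EXCLUDEDIRS="`exclude_dirs_from_relabelling`"
-for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do
+for i in /sys /proc /mnt /var/tmp /var/lib/BackupPC /home /root /tmp; do
 [ -e $i ] && EXCLUDEDIRS="${EXCLUDEDIRS} -e $i";
 done
 LogExcluded
@@ -175,7 +175,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
 sed -r -e 's,:s0, ,g' $FC | sort -u | \
 /usr/bin/diff -b ${PREFCTEMPFILE} - | \
 grep '^[<>]'|cut -c3-| grep ^/ | \
- egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
+ egrep -v '(^/home|^/root|^/tmp)' |\
 sed -r -e 's,[[:blank:]].*,,g' \
 -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
 -e 's|([/[:alnum:]])\?|{\1,}|g' \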
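Review bot: The hard-coded exclude list on the new `for i in /sys /proc /mnt …` line and the `egrep -v '(^/home|^/root|^/tmp)'` filter in the second hunk are two hand-maintained copies of the same rule set, and nothing in the script says they must agree — this commit itself had to add `/root` to the loop to catch up with the regex. A comment on the loop such as `# Paths listed here are passed to restorecon as -e excludes; keep in sync with the egrep -v filter applied to changed fc rules below` would make the next divergence less likely. Since /dev and /run are now relabelled in -C mode, anything that documents the skipped directories (the `LogExcluded` output is visible here; a man page or usage text, if it lists them, is not in this diff) should be checked for the same update. As a point of style, the rewritten filter line could read `grep -E -v '(^/home|^/root|^/tmp)' |\` rather than using `egrep`. The body of `diff_filecontext` continues past the first hunk, and the pipeline in the second hunk both starts and ends outside it.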
--
2.32.0