policycoreutils/0021-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch

From 38d88fc70844b6f5b02883172af6df7bbd05de24 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 1 Mar 2021 18:19:22 +0100
Subject: [PATCH] fixfiles: do not exclude /dev and /run in -C mode

I can't think of a good reason why they should be excluded. On the
contrary, excluding them can cause trouble very easily if some labeling
rules for these directories change. For example, we changed the label
for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora
(updating the allow rules accordingly) and after policy update they
ended up with an invalid context, causing denials.

Thus, remove /dev and /run from the excludes. While there, also add
/root to the basic excludes to match the regex that excludes fc rules
(that should be effectively no functional change).

I did a sanity check on my system by running `restorecon -nv /dev /run`
and it didn't report any label differences.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
 policycoreutils/scripts/fixfiles | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index e73bb81c3336..cb20002ab613 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -163,7 +163,7 @@ newer() {
 #
 diff_filecontext() {
 EXCLUDEDIRS="`exclude_dirs_from_relabelling`"
-for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do
+for i in /sys /proc /mnt /var/tmp /var/lib/BackupPC /home /root /tmp; do
     [ -e $i ]  && EXCLUDEDIRS="${EXCLUDEDIRS} -e $i";
 done
 LogExcluded
@@ -176,7 +176,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
 	sed -r -e 's,:s0, ,g' $FC | sort -u | \
 	/usr/bin/diff -b ${PREFCTEMPFILE} - | \
 	    grep '^[<>]'|cut -c3-| grep ^/ | \
-	    egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
+	    egrep -v '(^/home|^/root|^/tmp)' |\
 	sed -r -e 's,[[:blank:]].*,,g' \
 	       -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
 	       -e 's|([/[:alnum:]])\?|{\1,}|g' \
-- 
2.31.1
policycoreutils-3.2-4 - policycoreutils-dbus requires polkit - fixfiles: do not exclude /dev and /run in -C mode - dbus: use GLib.MainLoop Resolves: rhbz#1949841 Modified-by: Petr Lautrbach <plautrba@redhat.com> Modified-by: Petr Lautrbach <plautrba@redhat.com> Modified-by: Petr Lautrbach <plautrba@redhat.com> 2021-05-13 09:21:26 +00:00			`From 38d88fc70844b6f5b02883172af6df7bbd05de24 Mon Sep 17 00:00:00 2001`
			`From: Ondrej Mosnacek <omosnace@redhat.com>`
			`Date: Mon, 1 Mar 2021 18:19:22 +0100`
			`Subject: [PATCH] fixfiles: do not exclude /dev and /run in -C mode`

			`I can't think of a good reason why they should be excluded. On the`
			`contrary, excluding them can cause trouble very easily if some labeling`
			`rules for these directories change. For example, we changed the label`
			`for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora`
			`(updating the allow rules accordingly) and after policy update they`
			`ended up with an invalid context, causing denials.`

			`Thus, remove /dev and /run from the excludes. While there, also add`
			`/root to the basic excludes to match the regex that excludes fc rules`
			`(that should be effectively no functional change).`

			I did a sanity check on my system by running `restorecon -nv /dev /run`
			`and it didn't report any label differences.`

			`Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>`
			`Acked-by: Petr Lautrbach <plautrba@redhat.com>`
			`---`
			`policycoreutils/scripts/fixfiles \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles`
			`index e73bb81c3336..cb20002ab613 100755`
			`--- a/policycoreutils/scripts/fixfiles`
			`+++ b/policycoreutils/scripts/fixfiles`
			`@@ -163,7 +163,7 @@ newer() {`
			`#`
			`diff_filecontext() {`
			EXCLUDEDIRS="`exclude_dirs_from_relabelling`"
			`-for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do`
			`+for i in /sys /proc /mnt /var/tmp /var/lib/BackupPC /home /root /tmp; do`
			`[ -e $i ] && EXCLUDEDIRS="${EXCLUDEDIRS} -e $i";`
			`done`
			`LogExcluded`
			`@@ -176,7 +176,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then`
			`sed -r -e 's,:s0, ,g' $FC \| sort -u \| \`
			`/usr/bin/diff -b ${PREFCTEMPFILE} - \| \`
			`grep '^[<>]'\|cut -c3-\| grep ^/ \| \`
			`- egrep -v '(^/home\|^/root\|^/tmp\|^/dev)' \|\`
			`+ egrep -v '(^/home\|^/root\|^/tmp)' \|\`
			`sed -r -e 's,[[:blank:]].*,,g' \`
			`-e 's\|\(([/[:alnum:]]+)\)\?\|{\1,}\|g' \`
			`-e 's\|([/[:alnum:]])\?\|{\1,}\|g' \`
			`--`
			`2.31.1`