fixfiles: Fix [-B] [-F] onboot and force full relabel when SELinux is disabled

2019-08-05 19:20:53 +02:00 · 2019-08-05 19:20:53 +02:00 · 21fff37ccc
commit 21fff37ccc
parent 61d9b74e3d
3 changed files with 143 additions and 0 deletions
--- a/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
+++ b/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
@ -0,0 +1,108 @@
+From d3f8b2c3cd9e044aba909f63a2ca78f53db11fe0 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 2 Jul 2019 17:11:32 +0200
+Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot
+
+Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
+command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
+`fixfiles -B onboot` to show usage instead of updating /.autorelabel
+
+The code is restructured to handle -B for different modes correctly.
+
+Fixes:
+    # fixfiles -B onboot
+    Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel
+    ...
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/scripts/fixfiles | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 53d28c7b..9dd44213 100755
+--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
+@@ -112,7 +112,7 @@ VERBOSE="-p"
+ FORCEFLAG=""
+ RPMFILES=""
+ PREFC=""
+-RESTORE_MODE="DEFAULT"
+RESTORE_MODE=""
+ SETFILES=/sbin/setfiles
+ RESTORECON=/sbin/restorecon
+ FILESYSTEMSRW=`get_rw_labeled_mounts`
+@@ -214,16 +214,17 @@ restore () {
+ OPTION=$1
+ shift
+ 
+-case "$RESTORE_MODE" in
+-    PREFC)
+-	diff_filecontext $*
+-	return
+-    ;;
+-    BOOTTIME)
+# [-B | -N time ]
+if [ -z "$BOOTTIME" ]; then
+ 	newer $BOOTTIME $*
+ 	return
+-    ;;
+-esac
+fi
+
+# -C PREVIOUS_FILECONTEXT
+if [ "$RESTORE_MODE" == PREFC ]; then
+	diff_filecontext $*
+	return
+fi
+ 
+ [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
+ 
+@@ -239,7 +240,7 @@ case "$RESTORE_MODE" in
+     FILEPATH)
+ 	${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
+     ;;
+-    DEFAULT)
+    *)
+ 	if [ -n "${FILESYSTEMSRW}" ]; then
+ 	    LogReadOnly
+ 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
+@@ -272,7 +273,7 @@ fullrelabel() {
+ 
+ 
+ relabel() {
+-    if [ "$RESTORE_MODE" != DEFAULT ]; then
+    if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
+ 	usage
+ 	exit 1
+     fi
+@@ -306,7 +307,7 @@ case "$1" in
+     verify) restore Verify -n;;
+     relabel) relabel;;
+     onboot)
+-	if [ "$RESTORE_MODE" != DEFAULT ]; then
+	if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
+ 	    usage
+ 	    exit 1
+ 	fi
+@@ -344,7 +345,7 @@ if [ $# -eq 0 ]; then
+ fi
+ 
+ set_restore_mode() {
+-	if [ "$RESTORE_MODE" != DEFAULT ]; then
+	if [ -n "$RESTORE_MODE" ]; then
+ 		# can't specify two different modes
+ 		usage
+ 		exit 1
+@@ -357,7 +358,7 @@ while getopts "N:BC:FfR:l:v" i; do
+     case "$i" in
+ 	B)
+ 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
+-		set_restore_mode BOOTTIME
+		set_restore_mode DEFAULT
+ 		;;
+ 	N)
+ 		BOOTTIME=$OPTARG
+-- 
+2.22.0
+
--- a/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
+++ b/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
@ -0,0 +1,33 @@
+From 105eeda97b0f35773bc32222d0802de4d0b5a8e9 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 2 Jul 2019 17:12:07 +0200
+Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is
+ disabled
+
+The previous check used getfilecon to check whether / slash contains a label,
+but getfilecon fails only when SELinux is disabled. Therefore it's better to
+check this using selinuxenabled.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/scripts/fixfiles | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 9dd44213..a9d27d13 100755
+--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
+@@ -314,8 +314,8 @@ case "$1" in
+ 	> /.autorelabel || exit $?
+ 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
+ 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+-	# Force full relabel if / does not have a label on it
+-	getfilecon / > /dev/null 2>&1  || echo -F >/.autorelabel
+	# Force full relabel if SELinux is not enabled
+	selinuxenabled || echo -F > /.autorelabel
+ 	echo "System will relabel on next boot"
+ 	;;
+     *)
+-- 
+2.22.0
+
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -59,6 +59,8 @@ Patch0018: 0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
 Patch0019: 0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
 Patch0020: 0020-python-Use-ipaddress-instead-of-IPy.patch
 Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch
+Patch0022: 0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
+Patch0023: 0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch

 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138