rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

fixfiles: Fix [-B] [-F] onboot and force full relabel when SELinux is disabled

Browse Source
This commit is contained in:
Petr Lautrbach 2019-08-05 19:20:53 +02:00
parent 61d9b74e3d
commit 21fff37ccc
3 changed files with 143 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch Normal file
View File

@ -0,0 +1,108 @@
From d3f8b2c3cd9e044aba909f63a2ca78f53db11fe0 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 2 Jul 2019 17:11:32 +0200
Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot
Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
`fixfiles -B onboot` to show usage instead of updating /.autorelabel
The code is restructured to handle -B for different modes correctly.
Fixes:
# fixfiles -B onboot
Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel
...
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 53d28c7b..9dd44213 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -112,7 +112,7 @@ VERBOSE="-p"
FORCEFLAG=""
RPMFILES=""
PREFC=""
-RESTORE_MODE="DEFAULT"
+RESTORE_MODE=""
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -214,16 +214,17 @@ restore () {
OPTION=$1
shift
-case "$RESTORE_MODE" in
- PREFC)
- diff_filecontext $*
- return
- ;;
- BOOTTIME)
+# [-B | -N time ]
+if [ -z "$BOOTTIME" ]; then
newer $BOOTTIME $*
return
- ;;
-esac
+fi
+
+# -C PREVIOUS_FILECONTEXT
+if [ "$RESTORE_MODE" == PREFC ]; then
+ diff_filecontext $*
+ return
+fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
@@ -239,7 +240,7 @@ case "$RESTORE_MODE" in
FILEPATH)
${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
;;
- DEFAULT)
+ *)
if [ -n "${FILESYSTEMSRW}" ]; then
LogReadOnly
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
@@ -272,7 +273,7 @@ fullrelabel() {
relabel() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
@@ -306,7 +307,7 @@ case "$1" in
verify) restore Verify -n;;
relabel) relabel;;
onboot)
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
@@ -344,7 +345,7 @@ if [ $# -eq 0 ]; then
fi
set_restore_mode() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" ]; then
# can't specify two different modes
usage
exit 1
@@ -357,7 +358,7 @@ while getopts "N:BC:FfR:l:v" i; do
case "$i" in
B)
BOOTTIME=`/bin/who -b | awk '{print $3}'`
- set_restore_mode BOOTTIME
+ set_restore_mode DEFAULT
;;
N)
BOOTTIME=$OPTARG
--
2.22.0

33
0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch Normal file
View File

@ -0,0 +1,33 @@
From 105eeda97b0f35773bc32222d0802de4d0b5a8e9 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 2 Jul 2019 17:12:07 +0200
Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is
disabled
The previous check used getfilecon to check whether / slash contains a label,
but getfilecon fails only when SELinux is disabled. Therefore it's better to
check this using selinuxenabled.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 9dd44213..a9d27d13 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -314,8 +314,8 @@ case "$1" in
> /.autorelabel || exit $?
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
- # Force full relabel if / does not have a label on it
- getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel
+ # Force full relabel if SELinux is not enabled
+ selinuxenabled || echo -F > /.autorelabel
echo "System will relabel on next boot"
;;
*)
--
2.22.0

2
policycoreutils.spec
View File

@ -59,6 +59,8 @@ Patch0018: 0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
Patch0019: 0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch Patch0019: 0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0020: 0020-python-Use-ipaddress-instead-of-IPy.patch Patch0020: 0020-python-Use-ipaddress-instead-of-IPy.patch
Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch
Patch0022: 0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
Patch0023: 0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
Obsoletes: policycoreutils < 2.0.61-2 Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138