--- policycoreutils-1.14.1/setfiles/setfiles.c.rhat 2004-06-30 12:03:27.000000000 -0400 +++ policycoreutils-1.14.1/setfiles/setfiles.c 2004-07-06 16:44:21.464473808 -0400 @@ -654,7 +654,8 @@ freecon(context); - if (outfile) + if (outfile && + !only_changed_user(context, spec_arr[i].context)) fprintf(outfile, "%s\n", my_file); /* --- policycoreutils-1.14.1/scripts/Makefile.rhat 2004-06-30 12:03:27.000000000 -0400 +++ policycoreutils-1.14.1/scripts/Makefile 2004-06-30 13:14:42.000000000 -0400 @@ -12,6 +12,7 @@ -mkdir -p $(BINDIR) install -m 755 $(TARGETS) $(BINDIR) install -m 755 fixfiles $(DESTDIR)/sbin + install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.daily/fixfiles.cron -mkdir -p $(MANDIR)/man8 install -m 644 fixfiles.8.gz $(MANDIR)/man8/ --- policycoreutils-1.14.1/scripts/fixfiles.cron.rhat 2004-06-30 13:12:42.000000000 -0400 +++ policycoreutils-1.14.1/scripts/fixfiles.cron 2004-07-06 16:12:48.000000000 -0400 @@ -0,0 +1,22 @@ +#!/bin/sh + +CRONTYPE="check" +INVALIDFILE=/var/tmp/badcontext +CRONMAILTO="root" + +if [ ! -e /etc/selinux/config ]; then + exit 1 +fi + +. /etc/selinux/config + +/usr/bin/selinuxenabled +if [ $? -eq 0 ]; then + renice +19 -p $$ >/dev/null 2>&1 + OUTFILE=`mktemp ${INVALIDFILE}.XXXXXXXXXX` || exit 1 + /sbin/fixfiles -l /dev/null -o $OUTFILE $CRONTYPE + mv -f $OUTFILE $INVALIDFILE + if [ -s $INVALIDFILE ]; then + mail ${MAILTO} -s "Invalid File Contexts" < $INVALIDFILE + fi +fi --- policycoreutils-1.14.1/scripts/fixfiles.rhat 2004-06-30 13:10:21.000000000 -0400 +++ policycoreutils-1.14.1/scripts/fixfiles 2004-07-06 16:29:00.000000000 -0400 
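Review bot: The new condition calls `only_changed_user(context, spec_arr[i].context)` after the `freecon(context);` shown as the context line directly above it, so as far as this hunk shows it reads a freed string. Evaluate the comparison while `context` is still live, for example `user_only = only_changed_user(context, spec_arr[i].context);` placed before `freecon(context);`, and then test `if (outfile && !user_only)`. The definition of only_changed_user and the start of the enclosing function are outside the hunk, so confirm how the first argument is used there.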
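Review bot: The mail command in fixfiles.cron expands `${MAILTO}`, but the script only defines `CRONMAILTO="root"`. Unless /etc/selinux/config happens to set MAILTO, the report is sent with no recipient; use `mail -s "Invalid File Contexts" "${CRONMAILTO}" < "$INVALIDFILE"`. The final report name `/var/tmp/badcontext` is fixed and sits in a world-writable directory while the job runs as root. If a directory of that name already exists, `mv -f` would put the file inside it and the `-s` test would then examine the directory, so a root-owned location for INVALIDFILE is safer, as is quoting `$OUTFILE` and `$INVALIDFILE`. The exit status of `/sbin/fixfiles` is not checked before the result is moved into place.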
@@ -19,25 +19,37 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Set global Variables +# +checkFlag=0 +restoreFlag=0 +relabelFlag=0 +fullFlag=0 +rpmFlag=0 +rpmFiles="" +outfileFlag=0 +OUTFILES="" +logfileFlag=0 +SETFILES=/usr/sbin/setfiles +FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*rw/{print $3}';` SELINUXTYPE="targeted" + if [ -e /etc/selinux/config ]; then . /etc/selinux/config FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts else FC=/etc/security/selinux/file_contexts fi -LOGFILE=`mktemp /var/tmp/fixfiles.XXXXXXXXXX` || exit 1 -SETFILES=/usr/sbin/setfiles -FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*rw/{print $3}';` checkLabels () { echo "logging to $LOGFILE" if [ ! -z "$1" ]; then for i in `echo $1 | sed 's/,/ /g'`; do - rpm -q -l $i | restorecon -n -v -f - 2>&1 | tee $LOGFILE + rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 | tee $LOGFILE done else - ${SETFILES} -v -n ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE + ${SETFILES} ${OUTFILES} -v -n ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE fi } @@ -45,10 +57,10 @@ echo "logging to $LOGFILE" if [ ! -z "$1" ]; then for i in `echo $1 | sed 's/,/ /g'`; do - rpm -q -l $i | restorecon -v -f - 2>&1 | tee $LOGFILE + rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE done else - ${SETFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE + ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE fi } 
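Review bot: In the `-R` loop of checkLabels every iteration pipes into `tee $LOGFILE`, which truncates the log each time, and it now also passes the same `${OUTFILES}` to each restorecon run. With several packages the log keeps only the last package, and the `-o` file presumably does too, depending on how restorecon opens it. Consider `tee -a "$LOGFILE"` and a single restorecon call fed the file lists of all packages. `${OUTFILES}` and `$LOGFILE` are expanded unquoted, so a path containing whitespace is split into several arguments. The same pattern appears in the hunks at -45,10 and -58,10, and the function bodies extend beyond these hunks.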
@@ -58,10 +70,10 @@ rm -rf /tmp/.??* /tmp/* if [ ! -z "$1" ]; then for i in `echo $1 | sed 's/,/ /g'`; do - rpm -q -l $i | restorecon -v -f - 2>&1 | tee $LOGFILE + rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE done else - ${SETFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE + ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE fi } relabelCheck() { @@ -81,16 +93,9 @@ } usage() { - echo $"Usage: $0 {-R rpmpackage[,rpmpackage...] |check|restore|[-F] relabel}" + echo $"Usage: $0 {-R rpmpackage[,rpmpackage...] [-l logfile ] [-o outputfile ] |check|restore|[-F] relabel}" } -checkFlag=0 -restoreFlag=0 -relabelFlag=0 -fullFlag=0 -rpmFlag=0 -rpmFiles="" - # See how we were called. for i in $@; do if [ $rpmFlag = 2 ]; then @@ -98,6 +103,16 @@ rpmFlag=1 continue fi +if [ $outfileFlag = 2 ]; then + OUTFILES="-o $i" + outfileFlag=1 + continue +fi +if [ $logfileFlag = 2 ]; then + LOGFILE="$i" + logfileFlag=1 + continue +fi case "$i" in check) checkFlag=1 @@ -114,6 +129,12 @@ -R) rpmFlag=2 ;; + -o) + outfileFlag=2 + ;; + -l) + logfileFlag=2 + ;; *) usage exit 1 @@ -129,6 +150,9 @@ if [ $restoreFlag = 1 ]; then restoreLabels $rpmFiles fi +if [ $logfileFlag = 0 ]; then + LOGFILE=`mktemp /var/tmp/fixfiles.XXXXXXXXXX` || exit 1 +fi if [ $relabelFlag = 1 ]; then if [ $fullFlag = 1 ]; then relabelLabels $rpmFiles
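Review bot: A trailing `-o` or `-l` with no value leaves `outfileFlag` or `logfileFlag` at 2 and is accepted silently, since nothing in this hunk or the one at -114,6 rejects that state. Add a check after the loop, `if [ $outfileFlag = 2 -o $logfileFlag = 2 ]; then usage; exit 1; fi`. The same applies to the existing `-R` handling if the code after the loop, which is outside the hunk, does not already cover it. Because the loop iterates over an unquoted `$@` and stores `OUTFILES="-o $i"` for later unquoted expansion, file names with spaces or glob characters will not survive; `for i in "$@"` plus a quoted expansion at the call sites avoids that.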
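Review bot: The default `LOGFILE=` assignment from mktemp is inserted after the `restoreLabels $rpmFiles` call, so `restore` without `-l` runs with an empty `$LOGFILE`. The same presumably holds for `check`, whose dispatch sits above this hunk. In that state `echo "logging to $LOGFILE"` prints no path and `tee $LOGFILE` receives no file operand, so nothing is logged. Move the three added lines to directly after the argument loop, before the first of the `check`/`restore`/`relabel` dispatch blocks, and keep the `|| exit 1` so a failed mktemp still aborts. The cron caller is unaffected because it passes `-l /dev/null`.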