c65daa990e
- Build with libsepol.so.1 and libsemanage.so.2 - Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file - fixfiles: correctly restore context of mountpoints - sepolgen: print extended permissions in hexadecimal
From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@googlemail.com>
Date: Thu, 6 Aug 2020 16:48:36 +0200
Subject: [PATCH] fixfiles: correctly restore context of mountpoints
By bind mounting every filesystem we want to relabel we can access all
files without anything hidden due to active mounts.
This comes at the cost of user experience, because setfiles only
displays the percentage if no path is given or the path is /.
Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
policycoreutils/scripts/fixfiles | 29 +++++++++++++++++++++++++----
policycoreutils/scripts/fixfiles.8 | 8 ++++++--
2 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
|
index 5d7770348349..30dadb4f4cb6 100755
|
|
--- a/policycoreutils/scripts/fixfiles
|
|
+++ b/policycoreutils/scripts/fixfiles
|
|
@@ -112,6 +112,7 @@ FORCEFLAG=""
|
|
RPMFILES=""
|
|
PREFC=""
|
|
RESTORE_MODE=""
|
|
+BIND_MOUNT_FILESYSTEMS=""
|
|
SETFILES=/sbin/setfiles
|
|
RESTORECON=/sbin/restorecon
|
|
FILESYSTEMSRW=`get_rw_labeled_mounts`
|
|
@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
|
|
if [ -n "${FILESYSTEMSRW}" ]; then
|
|
LogReadOnly
|
|
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
|
|
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
|
|
+
|
|
+ if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
|
|
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
|
|
+ else
|
|
+ # we bind mount so we can fix the labels of files that have already been
|
|
+ # mounted over
|
|
+ for m in `echo $FILESYSTEMSRW`; do
|
|
+ TMP_MOUNT="$(mktemp -d)"
|
|
+ test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
|
|
+
|
|
+ mkdir -p "${TMP_MOUNT}${m}" || exit 1
|
|
+ mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
|
|
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
|
|
+ umount "${TMP_MOUNT}${m}" || exit 1
|
|
+ rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
|
|
+ done;
|
|
+ fi
|
|
else
|
|
echo >&2 "fixfiles: No suitable file systems found"
|
|
fi
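Review bot: The guard after `mktemp -d` at the top of the new loop can never fire: `TMP_MOUNT` has just been assigned, so `${TMP_MOUNT+x}` always expands to `x` and `test -z x` is false even when mktemp failed and `TMP_MOUNT` is empty, in which case the next lines run `mkdir -p "${m}"`, `mount --bind "${m}" "${m}"` and `setfiles ... -r ""` against the live mount point. Check the command's exit status instead: `TMP_MOUNT="$(mktemp -d)" || { echo >&2 "fixfiles: unable to create temporary directory"; exit 1; }`. Cleanup also only happens on the happy path — a failed `mount`, a failed `umount` or an interrupted setfiles run leaves the bind mount and/or the temporary directory behind, which a `trap` that umounts and removes `${TMP_MOUNT}` on EXIT would cover. Separately, `${EXCLUDEDIRS}` is passed unchanged while the tree being walked now lives under `${TMP_MOUNT}`; unless setfiles rewrites exclusions relative to `-r` (it does not appear to from here), configured exclude directories will stop matching in `-M` mode. The enclosing `case "$RESTORE_MODE"` arm continues outside the hunk.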
|
|
@@ -313,6 +330,7 @@ case "$1" in
|
|
> /.autorelabel || exit $?
|
|
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
|
|
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
|
|
+ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
|
|
# Force full relabel if SELinux is not enabled
|
|
selinuxenabled || echo -F > /.autorelabel
|
|
echo "System will relabel on next boot"
|
|
@@ -324,7 +342,7 @@ esac
|
|
}
|
|
usage() {
|
|
echo $"""
|
|
-Usage: $0 [-v] [-F] [-f] relabel
|
|
+Usage: $0 [-v] [-F] [-M] [-f] relabel
|
|
or
|
|
Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
|
|
or
|
|
@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
|
|
or
|
|
Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
|
|
or
|
|
-Usage: $0 [-F] [-B] onboot
|
|
+Usage: $0 [-F] [-M] [-B] onboot
|
|
"""
|
|
}
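Review bot: The usage text lists `-M` only for `relabel` and `onboot`, yet the option is accepted in every mode by the getopts loop and, as far as this patch shows, the bind-mount branch lives in the `restore` code path that `check`/`verify`/`restore` also reach. Either add `[-M]` to the `{ check | restore | verify }` synopsis lines here (and the matching lines in fixfiles.8), or reject `-M` for the modes it is not meant for. usage() itself is fully inside the hunk.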
|
|
|
|
@@ -353,7 +371,7 @@ set_restore_mode() {
|
|
}
|
|
|
|
# See how we were called.
|
|
-while getopts "N:BC:FfR:l:v" i; do
|
|
+while getopts "N:BC:FfR:l:vM" i; do
|
|
case "$i" in
|
|
B)
|
|
BOOTTIME=`/bin/who -b | awk '{print $3}'`
|
|
@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
|
|
echo "Redirecting output to $OPTARG"
|
|
exec >>"$OPTARG" 2>&1
|
|
;;
|
|
+ M)
|
|
+ BIND_MOUNT_FILESYSTEMS="-M"
|
|
+ ;;
|
|
F)
|
|
FORCEFLAG="-F"
|
|
;;
|
|
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
|
|
index 9f447f03d444..123425308416 100644
|
|
--- a/policycoreutils/scripts/fixfiles.8
|
|
+++ b/policycoreutils/scripts/fixfiles.8
|
|
@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
|
|
.na
|
|
|
|
.B fixfiles
|
|
-.I [\-v] [\-F] [\-f] relabel
|
|
+.I [\-v] [\-F] [-M] [\-f] relabel
|
|
|
|
.B fixfiles
|
|
.I [\-v] [\-F] { check | restore | verify } dir/file ...
|
|
@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
|
|
.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
|
|
|
|
.B fixfiles
|
|
-.I [-F] [-B] onboot
|
|
+.I [-F] [-M] [-B] onboot
|
|
|
|
.ad
|
|
|
|
@@ -68,6 +68,10 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and
|
|
Only act on files created after the specified date. Date must be specified in
|
|
"YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command.
|
|
|
|
+.TP
|
|
+.B \-M
|
|
+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
|
|
+
|
|
.TP
|
|
.B -v
|
|
Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
|
|
--
2.29.0