From bc2b5706de73e1eaf6e1029b06bec0988c2aaadb Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 20 Sep 2024 12:11:03 +0200
Subject: [PATCH] varrun-convert.sh: Backport changes from Rawhide
- Update varrun-convert.sh script to check for existing duplicate entries
- Remove incorrect "local" usage in varrun-convert.sh
- Use /usr/bin/bash in scripts as shebang
Related: RHEL-54303
---
 varrun-convert.sh | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/varrun-convert.sh b/varrun-convert.sh
index 5dbd0d60..bdf6f997 100755
--- a/varrun-convert.sh
+++ b/varrun-convert.sh
@@ -1,15 +1,16 @@
-#!/bin/bash
+#!/usr/bin/bash
 ### varrun-convert.sh
 ### convert legacy filecontext entries containing /var/run to /run
 ### and load an extra selinux module with the new content
 ### the script takes a policy name as an argument
 # Set DEBUG=yes before running the script to get more verbose output
+# on the terminal and to the $LOG file
 if [ "${DEBUG}" = "yes" ]; then
 set -x
 fi
-# Look for working files and log in OUTPUTDIR
+# Auxiliary and log files will be created in OUTPUTDIR
 OUTPUTDIR="/run/selinux-policy"
 LOG="$OUTPUTDIR/log"
 mkdir -p ${OUTPUTDIR}
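Review bot: The added comment says DEBUG=yes sends the verbose output to the $LOG file, but the only effect of DEBUG in this hunk is `set -x`, whose trace goes to stderr, not to $LOG; the log writes are the separate `echo ... >> $LOG` lines guarded by `[ "${DEBUG}" = "yes" ]` later in the script. I'd make the comment match what the code does: `# (the set -x trace goes to stderr; diagnostic messages are appended to the $LOG file)`.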
@@ -19,28 +20,41 @@ if [ -z ${1} ]; then
 exit
 fi
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+# Take current file_contexts and unify whitespace separators
 FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
 if [ ! -f ${FILE_CONTEXTS} ]; then
 [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
 exit
 fi
-SEMODULEOPT="-s ${1}"
-[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
-
 if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
 [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
 exit
 fi
+EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
 EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
-EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil"
+EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
 # Print only /var/run entries
-grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES}
+grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
 # Unify whitespace separators
-sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
+sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
+
+# Deduplicate already existing /var/run=/run entries
+while read line
+do
+ subline="${line#/var}"
+ if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
+ echo "$line"
+ fi
+done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
 # Change /var/run to /run
 sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
@@ -76,5 +90,6 @@ do
 done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
 # Load module
+[ -s ${EXTRA_VARRUN_CIL} ] && /usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
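Review bot: The new dedup loop reads each file_contexts entry with a bare `while read line`, so backslashes — which these entries use as regex escapes — are stripped before the line is compared and echoed, which both weakens the duplicate check and writes an altered pattern into the CIL module; it should be `while IFS= read -r line`. The check `grep -q "^${subline}"` also interprets the entry as a regex, so wildcard parts of a pattern can match an unrelated line in the unified file, and the match is only anchored at the start; since both files already have unified whitespace, an exact fixed-string line match is the intended test: `if ! grep -qxF -- "${subline}" "${FILE_CONTEXTS_UNIFIED}"; then`. The unquoted path expansions on the new lines follow the existing style and the paths are fixed, so that is a lesser point, but the new lines would be a good place to start quoting them.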