varrun-convert.sh: Backport changes from Rawhide

- Update varrun-convert.sh script to check for existing duplicate
  entries
- Remove incorrect "local" usage in varrun-convert.sh
- Use /usr/bin/bash in scripts as shebang

Related: RHEL-54303
This commit is contained in:
Petr Lautrbach 2024-09-20 12:11:03 +02:00
parent 278c1ad453
commit bc2b5706de

View File

@ -1,15 +1,16 @@
#!/bin/bash #!/usr/bin/bash
### varrun-convert.sh ### varrun-convert.sh
### convert legacy filecontext entries containing /var/run to /run ### convert legacy filecontext entries containing /var/run to /run
### and load an extra selinux module with the new content ### and load an extra selinux module with the new content
### the script takes a policy name as an argument ### the script takes a policy name as an argument
# Set DEBUG=yes before running the script to get more verbose output # Set DEBUG=yes before running the script to get more verbose output
# on the terminal and to the $LOG file
if [ "${DEBUG}" = "yes" ]; then if [ "${DEBUG}" = "yes" ]; then
set -x set -x
fi fi
# Look for working files and log in OUTPUTDIR # Auxiliary and log files will be created in OUTPUTDIR
OUTPUTDIR="/run/selinux-policy" OUTPUTDIR="/run/selinux-policy"
LOG="$OUTPUTDIR/log" LOG="$OUTPUTDIR/log"
mkdir -p ${OUTPUTDIR} mkdir -p ${OUTPUTDIR}
@ -19,28 +20,41 @@ if [ -z ${1} ]; then
exit exit
fi fi
SEMODULEOPT="-s ${1}"
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
# Take current file_contexts and unify whitespace separators
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts" FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
if [ ! -f ${FILE_CONTEXTS} ]; then if [ ! -f ${FILE_CONTEXTS} ]; then
[ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
exit exit
fi fi
SEMODULEOPT="-s ${1}"
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
if ! grep -q ^/var/run ${FILE_CONTEXTS}; then if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
[ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
exit exit
fi fi
EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt" EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil" EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
# Print only /var/run entries # Print only /var/run entries
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES} grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
# Unify whitespace separators # Unify whitespace separators
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES} sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
# Deduplicate already existing /var/run=/run entries
while read line
do
subline="${line#/var}"
if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
echo "$line"
fi
done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
# Change /var/run to /run # Change /var/run to /run
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES} sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
@ -76,5 +90,6 @@ do
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL} done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
# Load module # Load module
[ -s ${EXTRA_VARRUN_CIL} ] &&
/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL} /usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}