varrun-convert.sh: Backport changes from Rawhide
- Update varrun-convert.sh script to check for existing duplicate entries - Remove incorrect "local" usage in varrun-convert.sh - Use /usr/bin/bash in scripts as shebang Related: RHEL-54303
parent
278c1ad453
commit
bc2b5706de
@ -1,15 +1,16 @@
|
|||||||
#!/bin/bash
|
#!/usr/bin/bash
|
||||||
### varrun-convert.sh
|
### varrun-convert.sh
|
||||||
### convert legacy filecontext entries containing /var/run to /run
|
### convert legacy filecontext entries containing /var/run to /run
|
||||||
### and load an extra selinux module with the new content
|
### and load an extra selinux module with the new content
|
||||||
### the script takes a policy name as an argument
|
### the script takes a policy name as an argument
|
||||||
|
|
||||||
# Set DEBUG=yes before running the script to get more verbose output
|
# Set DEBUG=yes before running the script to get more verbose output
|
||||||
|
# on the terminal and to the $LOG file
|
||||||
if [ "${DEBUG}" = "yes" ]; then
|
if [ "${DEBUG}" = "yes" ]; then
|
||||||
set -x
|
set -x
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Look for working files and log in OUTPUTDIR
|
# Auxiliary and log files will be created in OUTPUTDIR
|
||||||
OUTPUTDIR="/run/selinux-policy"
|
OUTPUTDIR="/run/selinux-policy"
|
||||||
LOG="$OUTPUTDIR/log"
|
LOG="$OUTPUTDIR/log"
|
||||||
mkdir -p ${OUTPUTDIR}
|
mkdir -p ${OUTPUTDIR}
|
||||||
@ -19,28 +20,41 @@ if [ -z ${1} ]; then
|
|||||||
exit
|
exit
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
SEMODULEOPT="-s ${1}"
|
||||||
|
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
|
||||||
|
|
||||||
|
# Take current file_contexts and unify whitespace separators
|
||||||
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
|
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
|
||||||
|
FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
|
||||||
if [ ! -f ${FILE_CONTEXTS} ]; then
|
if [ ! -f ${FILE_CONTEXTS} ]; then
|
||||||
[ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
|
[ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
|
||||||
exit
|
exit
|
||||||
fi
|
fi
|
||||||
|
|
||||||
SEMODULEOPT="-s ${1}"
|
|
||||||
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
|
|
||||||
|
|
||||||
if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
|
if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
|
||||||
[ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
|
[ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
|
||||||
exit
|
exit
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
|
||||||
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
|
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
|
||||||
EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil"
|
EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
|
||||||
|
|
||||||
# Print only /var/run entries
|
# Print only /var/run entries
|
||||||
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES}
|
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
|
||||||
|
|
||||||
# Unify whitespace separators
|
# Unify whitespace separators
|
||||||
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES}
|
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
|
||||||
|
sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
|
||||||
|
|
||||||
|
# Deduplicate already existing /var/run=/run entries
|
||||||
|
while read line
|
||||||
|
do
|
||||||
|
subline="${line#/var}"
|
||||||
|
if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
|
||||||
|
echo "$line"
|
||||||
|
fi
|
||||||
|
done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
|
||||||
# Change /var/run to /run
|
# Change /var/run to /run
|
||||||
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
|
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
|
||||||
@ -76,5 +90,6 @@ do
|
|||||||
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
|
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
|
||||||
|
|
||||||
# Load module
|
# Load module
|
||||||
|
[ -s ${EXTRA_VARRUN_CIL} ] &&
|
||||||
/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
|
/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
|
||||||
|
|
||||||
|
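Review bot: The new deduplication loop (`while read line` … `grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}`) reads entries without `-r` and then uses each entry as a grep regular expression, so any file_contexts entry containing a backslash escape such as `\.` is handled wrongly. `read` without `-r` drops the backslash, so the lookup cannot match the existing /run line, and `echo "$line"` writes the entry to ${EXTRA_VARRUN_ENTRIES} with its escape removed, turning a literal dot into a match-any character in the generated labeling rule. Reading raw and comparing as a fixed string avoids both: `while IFS= read -r line` and `grep -qxF -- "${subline}" "${FILE_CONTEXTS_UNIFIED}"` (the whole-line match assumes both files carry the same unified spacing, which the two sed calls above appear to provide). The loop that turns the entries into CIL lies outside the visible hunks, so whether it also uses plain `read` should be checked there.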