From patchwork Tue Sep 24 19:08:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Lautrbach X-Patchwork-Id: 11159461 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7C11C13B1 for ; Tue, 24 Sep 2019 19:09:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6370A214DA for ; Tue, 24 Sep 2019 19:09:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2441863AbfIXTJE (ORCPT ); Tue, 24 Sep 2019 15:09:04 -0400 Received: from mx1.redhat.com ([209.132.183.28]:36484 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2441862AbfIXTJE (ORCPT ); Tue, 24 Sep 2019 15:09:04 -0400 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 35DC718C891A for ; Tue, 24 Sep 2019 19:09:04 +0000 (UTC) Received: from workstation.redhat.com (ovpn-204-49.brq.redhat.com [10.40.204.49]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6E22D6012C; Tue, 24 Sep 2019 19:09:03 +0000 (UTC) From: Petr Lautrbach To: selinux@vger.kernel.org Cc: Petr Lautrbach Subject: [PATCH 1/2] policycoreutils/fixfiles: Fix [-B] [-F] onboot Date: Tue, 24 Sep 2019 21:08:53 +0200 Message-Id: <20190924190854.245105-1-plautrba@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (mx1.redhat.com [10.5.110.70]); Tue, 24 Sep 2019 19:09:04 +0000 (UTC) Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel" command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes `fixfiles -B onboot` to show usage instead of updating /.autorelabel The code is restructured to handle -B for different modes correctly. Fixes: # fixfiles -B onboot Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel ... Signed-off-by: Petr Lautrbach --- policycoreutils/scripts/fixfiles | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles index 5be9ba6e..678fca40 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -111,7 +111,7 @@ VERBOSE="-p" FORCEFLAG="" RPMFILES="" PREFC="" -RESTORE_MODE="DEFAULT" +RESTORE_MODE="" SETFILES=/sbin/setfiles RESTORECON=/sbin/restorecon FILESYSTEMSRW=`get_rw_labeled_mounts` @@ -213,16 +213,17 @@ restore () { OPTION=$1 shift -case "$RESTORE_MODE" in - PREFC) - diff_filecontext $* - return - ;; - BOOTTIME) +# [-B | -N time ] +if [ -n "$BOOTTIME" ]; then newer $BOOTTIME $* return - ;; -esac +fi + +# -C PREVIOUS_FILECONTEXT +if [ "$RESTORE_MODE" == PREFC ]; then + diff_filecontext $* + return +fi [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon @@ -238,7 +239,7 @@ case "$RESTORE_MODE" in FILEPATH) ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH" ;; - DEFAULT) + *) if [ -n "${FILESYSTEMSRW}" ]; then LogReadOnly echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" @@ -271,7 +272,7 @@ fullrelabel() { relabel() { - if [ "$RESTORE_MODE" != DEFAULT ]; then + if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then usage exit 1 fi @@ -305,7 +306,7 @@ case "$1" in verify) restore Verify -n;; relabel) relabel;; onboot) - if [ "$RESTORE_MODE" != DEFAULT ]; then + if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then usage exit 1 fi @@ -343,7 +344,7 @@ if [ $# -eq 0 ]; then fi set_restore_mode() { - if [ "$RESTORE_MODE" != DEFAULT ]; then + if [ -n "$RESTORE_MODE" ]; then # can't specify two different modes usage exit 1 @@ -356,7 +357,7 @@ while getopts "N:BC:FfR:l:v" i; do case "$i" in B) BOOTTIME=`/bin/who -b | awk '{print $3}'` - set_restore_mode BOOTTIME + set_restore_mode DEFAULT ;; N) BOOTTIME=$OPTARG From patchwork Tue Sep 24 19:08:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Lautrbach X-Patchwork-Id: 11159463 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E8CC513B1 for ; Tue, 24 Sep 2019 19:09:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C6BD9214DA for ; Tue, 24 Sep 2019 19:09:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2441865AbfIXTJR (ORCPT ); Tue, 24 Sep 2019 15:09:17 -0400 Received: from mx1.redhat.com ([209.132.183.28]:37898 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2441864AbfIXTJR (ORCPT ); Tue, 24 Sep 2019 15:09:17 -0400 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 14AF6C05168C for ; Tue, 24 Sep 2019 19:09:17 +0000 (UTC) Received: from workstation.redhat.com (ovpn-204-49.brq.redhat.com [10.40.204.49]) by smtp.corp.redhat.com (Postfix) with ESMTP id 468F7600C8; Tue, 24 Sep 2019 19:09:16 +0000 (UTC) From: Petr Lautrbach To: selinux@vger.kernel.org Cc: Petr Lautrbach Subject: [PATCH 2/2] policycoreutils/fixfiles: Force full relabel when SELinux is disabled Date: Tue, 24 Sep 2019 21:08:54 +0200 Message-Id: <20190924190854.245105-2-plautrba@redhat.com> In-Reply-To: <20190924190854.245105-1-plautrba@redhat.com> References: <20190924190854.245105-1-plautrba@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Tue, 24 Sep 2019 19:09:17 +0000 (UTC) Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org The previous check used getfilecon to check whether / slash contains a label, but getfilecon fails only when SELinux is disabled. Therefore it's better to check this using selinuxenabled. Signed-off-by: Petr Lautrbach --- policycoreutils/scripts/fixfiles | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles index 678fca40..ab0848ff 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -313,8 +313,8 @@ case "$1" in > /.autorelabel || exit $? [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel - # Force full relabel if / does not have a label on it - getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel + # Force full relabel if SELinux is not enabled + selinuxenabled || echo -F > /.autorelabel echo "System will relabel on next boot" ;; *)