From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>, SELinux <SELinux@tycho.nsa.gov>
Subject: Patch to policycoreutils
Date: Fri, 28 Jan 2005 11:29:21 -0500	[thread overview]
Message-ID: <41FA6861.6080505@redhat.com> (raw)
In-Reply-To: <1106927779.32737.59.camel@moss-spartans.epoch.ncsc.mil>

Added new fixfiles -C PREVIOUS_FILECONTEXT (RESTORE | CHECK)

Which will take an old version of the file_context file and the currently installed one and do a diff. Then it will run a recursive restorecon on all files covered by the difference. The idea here is to potentially call this function from within policy spec files on updates. So if the file_context file changes on update, the file context on disk will be updated.

Also changed restorecon to not error out if one of the files handed to it does not exist.

restorecon /etc/BOGUS_FILE /etc/passwd /etc/shadow

Will restore password and shadow and warn about BOGUS_FILE.

Dan

[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 3289 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.21.5/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c	2005-01-25 10:32:01.000000000 -0500
+++ policycoreutils-1.21.5/restorecon/restorecon.c	2005-01-28 10:40:23.000000000 -0500
@@ -188,7 +188,7 @@
 	  fprintf(stderr,
 		  "%s:  error while labeling files under %s\n",
 		  progname, buf);
-	  exit(1);
+	  errors++;
 	}
       }
       else
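Review bot: replacing `exit(1)` with `errors++` only changes the outcome if `errors` is declared and folded into the final exit status, and neither is visible in this hunk; confirm the end of main returns non-zero when `errors` is set, otherwise a failed recursive labeling under `buf` is now only a message on stderr and every caller (including the `fixfiles` pipelines in this same patch) sees success.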
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.5/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2005-01-26 11:30:57.000000000 -0500
+++ policycoreutils-1.21.5/scripts/fixfiles	2005-01-28 11:16:21.000000000 -0500
@@ -37,10 +37,12 @@
 SELINUXTYPE="targeted"
 if [ -e /etc/selinux/config ]; then
     . /etc/selinux/config
+    FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts 
     FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX`
-    cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null
+    cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null
 else
-    FC=/etc/security/selinux/file_contexts
+    FILE_CONTEXT=/etc/security/selinux/file_contexts
+    FC=${FILE_CONTEXT}
 fi
 
 cleanup() {
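Review bot: the new `FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts ` line ends in a trailing space; drop it. The refactor itself is sound, but since the `cat` still discards stderr, a wrong `SELINUXTYPE` in /etc/selinux/config now yields an empty `$FC` silently; a `[ -f ${FILE_CONTEXT} ] ||` check with a message before the `cat` would make that failure visible.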
@@ -60,7 +62,24 @@
     echo $1 >> $LOGFILE
 fi
 }
-
+#
+# Compare PREVious File Context to currently installed File Context and 
+# run restorecon on all files affected by the differences.
+#
+diff_filecontext() {
+if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
+	TEMPFILE=`mktemp /var/tmp/${SELINUXTYPE}.XXXXXXXXXX`
+	test -z "$TEMPFILE" && exit
+	/usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
+        sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
+            -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
+        while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};;  esac; fi; done | \
+	while read pattern ; do find $pattern -print; done 2> /dev/null | \
+	${RESTORECON} $2 -v -f - 
+	rm -f ${TEMPFILE}
+fi
+}
 #
 # Log all Read Only file systems 
 #
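Review bot: `diff_filecontext` passes `$2` to `${RESTORECON}`, but its only caller in this patch is `diff_filecontext $1`, so `$2` is always empty, the `-n` check flag never reaches restorecon and a `fixfiles -C old check` will relabel rather than check; use `$1`. Two smaller points: `test -z "$TEMPFILE" && exit` ends the script with status 0 on `mktemp` failure (make it `exit 1` with a message), and the function's own status is that of `rm -f`, or 0 when the `if` is false, so a restorecon failure is never reported. The prefix reduction also over-approximates (`s,\..*,*,g` cuts at the first literal dot, turning an entry under `/etc/rc.d` into `/etc/rc*`), which is safe for relabeling but worth stating in the comment above the function.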
@@ -80,6 +99,10 @@
 # if called with -n will only check file context
 #
 restore () {
+if [ ! -z "$PREFC" ]; then
+    diff_filecontext $1
+    exit $?
+fi
 if [ ! -z "$RPMFILES" ]; then
     for i in `echo $RPMFILES | sed 's/,/ /g'`; do
 	rpmlist $i | ${RESTORECON} ${OUTFILES} -R $1 -v -f - 2>&1 >> $LOGFILE
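Review bot: `exit $?` right after `diff_filecontext $1` can only ever carry the status of that function's last command (`rm -f`, or a false `if`), never a restorecon error, and exiting from inside `restore` skips whatever the rest of `restore` and the `cleanup` function defined earlier do with `$LOGFILE` and the temporary `$FC`; have `diff_filecontext` capture restorecon's status and `return` it, and `return` here instead of `exit`.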
@@ -128,7 +151,7 @@
 usage() {
       	echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] "
 	echo or
-      	echo $"Usage: $0 -R rpmpackage[,rpmpackage...] [-l logfile ] [-o outputfile ] { check | restore }"
+      	echo $"Usage: $0 -R rpmpackage[,rpmpackage...] -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }"
 }
 
 if [ $# = 0 ]; then
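Review bot: the edited usage line shows `-R rpmpackage[,rpmpackage...]` and `-C PREVIOUS_FILECONTEXT` together as if both were required on the same invocation, while `restore()` treats `-C` as a separate mode that takes precedence over `-R`; give `-C` its own line, e.g. `echo $"Usage: $0 -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }"`, and leave the `-R` line as it was.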
@@ -137,7 +160,7 @@
 fi
 
 # See how we were called.
-while getopts "Fo:R:l:" i; do
+while getopts "C:Fo:R:l:" i; do
     case "$i" in
 	F)
 	fullFlag=1
@@ -151,6 +174,9 @@
         l)
 		LOGFILE=$OPTARG
 		;;
+        C)
+		PREFC=$OPTARG
+		;;
 	*)
 	    usage
 	    exit 1
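Review bot: `C)` stores `$OPTARG` unchecked, and because `diff_filecontext` silently does nothing when `-f ${PREFC}` is false, a mistyped previous-file_contexts path turns `fixfiles -C` into a successful no-op; validate here, e.g. `[ -f "$OPTARG" ] || { echo "$0: $OPTARG: no such file" >&2; usage; exit 1; }`.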

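The core of the `fixfiles -C` idea described in the mail, as an added example that is neither the patch's nor policycoreutils' own code: diff an old file_contexts against the current one and reduce each changed spec to the literal path prefix a restorecon pass would have to cover. It runs on two constructed sample files, prints prefixes only (no find, no restorecon), and assumes diff, sed and sort are available.

```shell
# Added example, not part of the patch above or of policycoreutils.

# Reduce one file_contexts spec to its regex-free path prefix: drop the
# type/context fields after the first blank, then everything from the first
# regex metacharacter on. The result over-approximates (e.g. /usr/bin/foo\.sh
# becomes /usr/bin/foo), which is safe for relabeling but covers extra files.
fc_prefix() {
    printf '%s\n' "$1" | sed -e 's/[[:blank:]].*//' \
                             -e 's/[][\\().*?+{|^$].*//'
}

# Print, sorted and deduplicated, the prefixes of every spec that differs
# between the old ($1) and new ($2) file_contexts.
fc_changed_prefixes() {
    diff "$1" "$2" | sed -n 's/^[<>] \(\/.*\)/\1/p' |
    while IFS= read -r spec; do fc_prefix "$spec"; done | sort -u
}

# Constructed sample: one spec changes its type, one spec is added.
fc_demo() {
    old=$(mktemp) && new=$(mktemp) || return 1
    cat > "$old" <<'EOF'
/etc/passwd            --  system_u:object_r:etc_t
/var/log(/.*)?             system_u:object_r:var_log_t
/usr/bin/foo\.sh       --  system_u:object_r:bin_t
EOF
    cat > "$new" <<'EOF'
/etc/passwd            --  system_u:object_r:etc_t
/var/log(/.*)?             system_u:object_r:var_log_t
/usr/bin/foo\.sh       --  system_u:object_r:foo_exec_t
/srv/www(/.*)?             system_u:object_r:httpd_sys_content_t
EOF
    fc_changed_prefixes "$old" "$new"
    rm -f "$old" "$new"
}

fc_demo
```

The unchanged `/etc/passwd` and `/var/log` specs produce nothing, while the retyped `/usr/bin/foo\.sh` and the new `/srv/www(/.*)?` yield `/usr/bin/foo` and `/srv/www`, the two trees a `restorecon -R` would need to visit.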