SELinux Archive on lore.kernel.org
From: bauen1 <j2468h@googlemail.com>
To: selinux <selinux@vger.kernel.org>
Subject: [RFC PATCH] fixfiles: correctly restore context of mountpoints
Date: Tue, 30 Jun 2020 16:59:35 +0200
Message-ID: <330f12f0-44d6-3659-0153-32b3cddf2db6@gmail.com> (raw)

By bind mounting every filesystem we want to relabel we can access all
files without anything hidden due to active mounts.

This comes at the cost of user experience, because setfiles only
displays the percentage if no path is given or the path is /.

Signed-off-by: bauen1 <j2468h@gmail.com>
---
 policycoreutils/scripts/fixfiles | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 5d777034..dc5be195 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -243,7 +243,19 @@ case "$RESTORE_MODE" in
 	if [ -n "${FILESYSTEMSRW}" ]; then
 	    LogReadOnly
 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
-	    ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+
+	    # we bind mount so we can fix the labels of files that have already been
+	    # mounted over
+	    for m in `echo $FILESYSTEMSRW`; do
+	        TMP_MOUNT="$(mktemp -d)"
+	        test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
+
+	        mkdir -p "${TMP_MOUNT}${m}" || exit 1
+	        mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
+	        ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
+	        umount "${TMP_MOUNT}${m}" || exit 1
+	        rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
+	    done;
 	else
 	    echo >&2 "fixfiles: No suitable file systems found"
 	fi
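Review bot: the guard `test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1` on the line after `TMP_MOUNT="$(mktemp -d)"` can never fire: `${TMP_MOUNT+x}` expands to `x` whenever the variable is set, and the preceding assignment always sets it (to an empty string if mktemp failed), so a failed mktemp falls through to `mkdir -p "${m}"` and a bind mount of `${m}` onto itself. Check the command status instead, e.g. `TMP_MOUNT="$(mktemp -d)" || exit 1`, or test the value with `[ -z "${TMP_MOUNT}" ]`. Two smaller points in the same loop: the `|| exit 1` paths after `mkdir -p` and `mount --bind` leave the temporary directory (and, after a failed umount, the bind mount) behind, so a `trap` that unmounts and removes `${TMP_MOUNT}` on exit would be safer than scattered exits; and the `${SETFILES} ... -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"` line has no status check, so a setfiles failure is silently skipped while the loop carries on to the next filesystem. The trailing `;` on `done;` is unnecessary.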
-- 
2.27.0


Thread overview: 4+ messages
2020-06-30 14:59 bauen1 [this message]
2020-07-06 18:25 ` Stephen Smalley
2020-07-06 19:16   ` bauen1
2020-07-06 19:48     ` Stephen Smalley
