selinux.vger.kernel.org archive mirror
From: bauen1 <j2468h@googlemail.com>
To: selinux@vger.kernel.org
Subject: [RFC PATCH v2] fixfiles: correctly restore context of mountpoints
Date: Thu, 6 Aug 2020 16:48:36 +0200	[thread overview]
Message-ID: <85917790-f0a6-0d57-face-58a6536b1793@gmail.com> (raw)
In-Reply-To: <CAEjxPJ67MVocx8MO51VcpHRmwZzxANa8Q+-iZFgxPrdwXk5i3g@mail.gmail.com>

By bind mounting every filesystem we want to relabel we can access all
files without anything hidden due to active mounts.

This comes at the cost of user experience, because setfiles only
displays the percentage if no path is given or the path is /.

Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
---

 policycoreutils/scripts/fixfiles   | 29 +++++++++++++++++++++++++----
 policycoreutils/scripts/fixfiles.8 |  8 ++++++--
 2 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 5d777034..30dadb4f 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -112,6 +112,7 @@ FORCEFLAG=""
 RPMFILES=""
 PREFC=""
 RESTORE_MODE=""
+BIND_MOUNT_FILESYSTEMS=""
 SETFILES=/sbin/setfiles
 RESTORECON=/sbin/restorecon
 FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
 	if [ -n "${FILESYSTEMSRW}" ]; then
 	    LogReadOnly
 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
-	    ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+
+	    if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
+	        ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+	    else
+	        # we bind mount so we can fix the labels of files that have already been
+	        # mounted over
+	        for m in `echo $FILESYSTEMSRW`; do
+	            TMP_MOUNT="$(mktemp -d)"
+	            test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
+
+	            mkdir -p "${TMP_MOUNT}${m}" || exit 1
+	            mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
+	            ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
+	            umount "${TMP_MOUNT}${m}" || exit 1
+	            rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
+	        done;
+	    fi
 	else
 	    echo >&2 "fixfiles: No suitable file systems found"
 	fi
@@ -313,6 +330,7 @@ case "$1" in
 	> /.autorelabel || exit $?
 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+	[ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
 	# Force full relabel if SELinux is not enabled
 	selinuxenabled || echo -F > /.autorelabel
 	echo "System will relabel on next boot"
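Review bot: the new `echo "-M" >> /.autorelabel` line appends a newline-terminated flag, while the FORCEFLAG line above it uses `echo -n "$FORCEFLAG "` to keep the flags on one line; unless the consumer of /.autorelabel is known to accept several lines, use the same form, `echo -n "$BIND_MOUNT_FILESYSTEMS " >> /.autorelabel`, which also reuses the variable that already holds `-M` instead of a second literal. Note too that the `selinuxenabled || echo -F > /.autorelabel` line truncates the file, so -M is silently dropped when SELinux is disabled; if that is intended, the man page should say so.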
@@ -324,7 +342,7 @@ esac
 }
 usage() {
 	echo $"""
-Usage: $0 [-v] [-F] [-f] relabel
+Usage: $0 [-v] [-F] [-M] [-f] relabel
 or
 Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
 or
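Review bot: the usage text adds [-M] only to the relabel form, but the bind-mount branch lives in the `case "$RESTORE_MODE" in` block that check, restore and verify also run through, so `fixfiles -M restore` accepts the flag without the help text saying so; either add [-M] to the `{ check | restore | verify }` usage line (and the matching man page synopsis) or reject -M outside relabel and onboot.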
@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
 or
 Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
 or
-Usage: $0 [-F] [-B] onboot
+Usage: $0 [-F] [-M] [-B] onboot
 """
 }

@@ -353,7 +371,7 @@ set_restore_mode() {
 }

 # See how we were called.
-while getopts "N:BC:FfR:l:v" i; do
+while getopts "N:BC:FfR:l:vM" i; do
     case "$i" in
 	B)
 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
 		echo "Redirecting output to $OPTARG"
 		exec >>"$OPTARG" 2>&1
 		;;
+	M)
+		BIND_MOUNT_FILESYSTEMS="-M"
+		;;
 	F)
 		FORCEFLAG="-F"
 		;;
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9f447f03..12342530 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
 .na

 .B fixfiles
-.I [\-v] [\-F] [\-f] relabel
+.I [\-v] [\-F] [-M] [\-f] relabel

 .B fixfiles
 .I [\-v] [\-F] { check | restore | verify } dir/file ...
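Review bot: `[-M]` on the changed `.I [\-v] [\-F] [-M] [\-f] relabel` line uses a bare hyphen while the options beside it escape theirs as `\-F` and `\-f`; write `[\-M]` so groff renders an ASCII minus that copies and pastes as an option, consistent with the rest of the synopsis.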
@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
 .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT  { check | restore | verify }

 .B fixfiles
-.I [-F] [-B] onboot
+.I [-F] [-M] [-B] onboot

 .ad

@@ -68,6 +68,10 @@ Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and
 Only act on files created after the specified date.  Date must be specified in
 "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.

+.TP
+.B \-M
+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
+
 .TP
 .B -v
 Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
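Review bot: the `.B \-M` description is a comma splice and omits the cost the commit message states, namely that setfiles prints no progress percentage in this mode because it only does so for `/` or no path. Suggest: "Bind mount each filesystem onto a temporary directory before relabeling it, so that files and directories hidden under other mounts are relabeled as well. Progress output is not available in this mode."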
--
2.28.0
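The technique the commit message describes, relabeling a filesystem through a bind mount so that paths covered by submounts become reachable, written out as an added example with the failure handling a reviewer would ask for. This is not code from the patch or from policycoreutils; it assumes root, a setfiles(8) binary, and a file_contexts path (the default below is an assumption, override FC for another policy store).

```shell
#!/bin/sh
# Added example, not code from the patch or from policycoreutils: relabel one
# mounted filesystem through a bind mount on a temporary directory, so that
# files hidden underneath submounts are reachable, and clean up on every exit.
# Assumptions: run as root, setfiles(8) installed, FC pointing at the policy's
# file_contexts (the default path below is an assumption).

SETFILES="${SETFILES:-/sbin/setfiles}"
FC="${FC:-/etc/selinux/targeted/contexts/files/file_contexts}"

# staging_path STAGE MOUNTPOINT: print where MOUNTPOINT will be bind-mounted.
# Refuse an empty STAGE: "${STAGE}${MOUNTPOINT}" would then be the real
# mountpoint, and the later umount would act on it.
staging_path() {
    stage=$1
    mnt=$2
    [ -n "$stage" ] || { echo "staging_path: empty staging directory" >&2; return 1; }
    case $mnt in
        /*) ;;
        *) echo "staging_path: $mnt is not an absolute path" >&2; return 1 ;;
    esac
    printf '%s\n' "${stage}${mnt}"
}

# relabel_via_bind MOUNTPOINT [extra setfiles flags...]
relabel_via_bind() {
    mnt=$1
    shift
    # Test mktemp's exit status, not whether the variable happens to be set.
    stage=$(mktemp -d) || return 1
    target=$(staging_path "$stage" "$mnt") || { rmdir "$stage"; return 1; }
    mkdir -p "$target" || { rm -rf "$stage"; return 1; }
    # Undo the bind mount and drop the staging directory however we leave,
    # including when setfiles fails or the script is interrupted.
    trap 'umount "$target" 2>/dev/null; rm -rf "$stage"' EXIT INT TERM
    # A plain --bind is not recursive: submounts of MOUNTPOINT are not carried
    # over, which is exactly what exposes the directories they cover.
    mount --bind "$mnt" "$target" || { rm -rf "$stage"; trap - EXIT INT TERM; return 1; }
    # -r strips the staging prefix, so file_contexts entries still match the
    # paths the files have on the real filesystem.
    "$SETFILES" "$@" -r "$stage" -q "$FC" "$target"
    rc=$?
    umount "$target" && rm -rf "$stage" && trap - EXIT INT TERM
    return $rc
}

# Stand-alone use: relabel each mountpoint given on the command line.
if [ $# -gt 0 ]; then
    for m in "$@"; do
        relabel_via_bind "$m" || exit 1
    done
fi
```

Running it as `sh relabel-bind.sh /boot /` relabels each filesystem in turn; because the bind mount is created with plain `--bind`, the view under the staging directory shows the underlying directory tree of that one filesystem only, and `-r` makes setfiles match `${stage}/boot/vmlinuz` against the `/boot/vmlinuz` entry rather than against the temporary path.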


Thread overview: 7+ messages
2020-06-30 14:59 [RFC PATCH] fixfiles: correctly restore context of mountpoints bauen1
2020-07-06 18:25 ` Stephen Smalley
2020-07-06 19:16   ` bauen1
2020-07-06 19:48     ` Stephen Smalley
2020-08-06 14:48   ` bauen1 [this message]
2020-08-07 15:05     ` [RFC PATCH v2] " Stephen Smalley
2020-08-17 15:57       ` Stephen Smalley
