From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: bauen1 <j2468h@googlemail.com>
Cc: selinux <selinux@vger.kernel.org>
Subject: Re: [RFC PATCH] fixfiles: correctly restore context of mountpoints
Date: Mon, 6 Jul 2020 14:25:51 -0400
Message-ID: <CAEjxPJ67MVocx8MO51VcpHRmwZzxANa8Q+-iZFgxPrdwXk5i3g@mail.gmail.com>
In-Reply-To: <330f12f0-44d6-3659-0153-32b3cddf2db6@gmail.com>
On Tue, Jun 30, 2020 at 11:01 AM bauen1 <j2468h@googlemail.com> wrote:
>
> By bind mounting every filesystem we want to relabel we can access all
> files without anything hidden due to active mounts.
>
> This comes at the cost of user experience, because setfiles only
> displays the percentage if no path is given or the path is /
Perhaps this should be opt-in via a new command-line option rather
than the default, given the user-visible difference in behavior and
the potential for something to go wrong for existing users. We might
also want to look at improving setfiles / selinux_restorecon() to
support percentage progress without this limitation.
>
> Signed-off-by: bauen1 <j2468h@gmail.com>
Generally I think a real name is required for Signed-off-by lines in
the DCO since otherwise it isn't truly meaningful from a legal
perspective.
> ---
> policycoreutils/scripts/fixfiles | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
> index 5d777034..dc5be195 100755
> --- a/policycoreutils/scripts/fixfiles
> +++ b/policycoreutils/scripts/fixfiles
> @@ -243,7 +243,19 @@ case "$RESTORE_MODE" in
> if [ -n "${FILESYSTEMSRW}" ]; then
> LogReadOnly
> echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
> - ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
> +
> + # we bind mount so we can fix the labels of files that have already been
> + # mounted over
> + for m in `echo $FILESYSTEMSRW`; do
> + TMP_MOUNT="$(mktemp -d)"
> + test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
> +
> + mkdir -p "${TMP_MOUNT}${m}" || exit 1
> + mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
> + ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
> + umount "${TMP_MOUNT}${m}" || exit 1
> + rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
> + done;
> else
> echo >&2 "fixfiles: No suitable file systems found"
> fi
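Review bot: the sanity check after mktemp can never fire. `${TMP_MOUNT+x}` expands to `x` whenever the variable is set at all, and the preceding assignment always sets it, even to the empty string when `mktemp -d` fails, so `test -z ${TMP_MOUNT+x}` is always false and a failed mktemp goes unnoticed; the next `mkdir -p "${TMP_MOUNT}${m}"` would then operate on `${m}` itself (e.g. `/`). Suggest `TMP_MOUNT="$(mktemp -d)" || exit 1` (the assignment carries the command substitution's exit status) and, if a second check is wanted, `[ -z "${TMP_MOUNT}" ]`. Two smaller points on the same lines: `${EXCLUDEDIRS}` is still passed unchanged while setfiles now walks `${TMP_MOUNT}${m}` rather than `${m}`, so it is worth confirming the exclude paths still match under the new root; and if `umount` fails the script exits with the bind mount and the temporary directory left behind, which the commit message should at least mention.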
> --
> 2.27.0
>