SELinux Archive on lore.kernel.org
* [PATCH 1/2] policycoreutils/fixfiles: Fix [-B] [-F] onboot
@ 2019-09-24 19:08 Petr Lautrbach
  2019-09-24 19:08 ` [PATCH 2/2] policycoreutils/fixfiles: Force full relabel when SELinux is disabled Petr Lautrbach
  0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2019-09-24 19:08 UTC
  To: selinux; +Cc: Petr Lautrbach

Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
`fixfiles -B onboot` show usage instead of updating /.autorelabel.

The code is restructured to handle -B for different modes correctly.

Fixes:
    # fixfiles -B onboot
    Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel
    ...

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 policycoreutils/scripts/fixfiles | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 5be9ba6e..678fca40 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -111,7 +111,7 @@ VERBOSE="-p"
 FORCEFLAG=""
 RPMFILES=""
 PREFC=""
-RESTORE_MODE="DEFAULT"
+RESTORE_MODE=""
 SETFILES=/sbin/setfiles
 RESTORECON=/sbin/restorecon
 FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -213,16 +213,17 @@ restore () {
 OPTION=$1
 shift
 
-case "$RESTORE_MODE" in
-    PREFC)
-	diff_filecontext $*
-	return
-    ;;
-    BOOTTIME)
+# [-B | -N time ]
+if [ -n "$BOOTTIME" ]; then
 	newer $BOOTTIME $*
 	return
-    ;;
-esac
+fi
+
+# -C PREVIOUS_FILECONTEXT
+if [ "$RESTORE_MODE" == PREFC ]; then
+	diff_filecontext $*
+	return
+fi
 
 [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
 
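Review bot: the new test `[ "$RESTORE_MODE" == PREFC ]` in restore() uses `==`, which is a bash extension inside `[ ]`; `=` is the portable spelling and matches the `!=` tests used elsewhere in this patch. Separately, restore() now branches on `[ -n "$BOOTTIME" ]` instead of on RESTORE_MODE, so BOOTTIME has to be guaranteed empty unless -B or -N was parsed. The defaults visible in the first hunk's context do not include a `BOOTTIME=""` line; if there is none, a value inherited from the caller's environment would route a root-run relabel through `newer`, so initialise it explicitly next to RESTORE_MODE.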
@@ -238,7 +239,7 @@ case "$RESTORE_MODE" in
     FILEPATH)
 	${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
     ;;
-    DEFAULT)
+    *)
 	if [ -n "${FILESYSTEMSRW}" ]; then
 	    LogReadOnly
 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
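Review bot: replacing `DEFAULT)` with `*)` in this case statement makes the whole-filesystem path the fallback for any RESTORE_MODE value the earlier arms do not match, not only for the empty and DEFAULT values this patch introduces. Matching `""|DEFAULT)` explicitly and keeping `*)` for `usage; exit 1` would make a misspelled or future mode fail closed instead of starting a full relabel.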
@@ -271,7 +272,7 @@ fullrelabel() {
 
 
 relabel() {
-    if [ "$RESTORE_MODE" != DEFAULT ]; then
+    if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
 	usage
 	exit 1
     fi
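Review bot: `[ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]` in relabel() relies on the `-a` operator of test, which POSIX marks obsolescent; `[ -n "$RESTORE_MODE" ] && [ "$RESTORE_MODE" != DEFAULT ]` is the safer form. The same expression is repeated in the onboot arm in the next hunk, so a small helper would keep the two checks from drifting apart. Also, since -B now sets RESTORE_MODE to DEFAULT, `fixfiles -B relabel` passes this check as well; the commit message only mentions onboot, so it is worth stating whether that is intended.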
@@ -305,7 +306,7 @@ case "$1" in
     verify) restore Verify -n;;
     relabel) relabel;;
     onboot)
-	if [ "$RESTORE_MODE" != DEFAULT ]; then
+	if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
 	    usage
 	    exit 1
 	fi
@@ -343,7 +344,7 @@ if [ $# -eq 0 ]; then
 fi
 
 set_restore_mode() {
-	if [ "$RESTORE_MODE" != DEFAULT ]; then
+	if [ -n "$RESTORE_MODE" ]; then
 		# can't specify two different modes
 		usage
 		exit 1
@@ -356,7 +357,7 @@ while getopts "N:BC:FfR:l:v" i; do
     case "$i" in
 	B)
 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
-		set_restore_mode BOOTTIME
+		set_restore_mode DEFAULT
 		;;
 	N)
 		BOOTTIME=$OPTARG
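Review bot: with `set_restore_mode DEFAULT` in the B) arm, DEFAULT no longer means "no mode option given" (that is now the empty string) but "-B was given", while the actual selection happens through BOOTTIME. A comment at set_restore_mode, or a dedicated value, would make that readable. The N) arm's own set_restore_mode call is cut off by the hunk context; if it still passes BOOTTIME, `-N time onboot` keeps printing usage while `-B onboot` now works, although the new comment in restore() groups the two as `[-B | -N time ]`.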
-- 
2.23.0



* [PATCH 2/2] policycoreutils/fixfiles: Force full relabel when SELinux is disabled
  2019-09-24 19:08 [PATCH 1/2] policycoreutils/fixfiles: Fix [-B] [-F] onboot Petr Lautrbach
@ 2019-09-24 19:08 ` Petr Lautrbach
  2019-09-26 12:54   ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2019-09-24 19:08 UTC
  To: selinux; +Cc: Petr Lautrbach

The previous check used getfilecon to check whether / slash contains a label,
but getfilecon fails only when SELinux is disabled. Therefore it's better to
check this using selinuxenabled.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 policycoreutils/scripts/fixfiles | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 678fca40..ab0848ff 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -313,8 +313,8 @@ case "$1" in
 	> /.autorelabel || exit $?
 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
-	# Force full relabel if / does not have a label on it
-	getfilecon / > /dev/null 2>&1  || echo -F >/.autorelabel
+	# Force full relabel if SELinux is not enabled
+	selinuxenabled || echo -F > /.autorelabel
 	echo "System will relabel on next boot"
 	;;
     *)
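Review bot: the added line `selinuxenabled || echo -F > /.autorelabel` writes with `>`, so when SELinux is disabled it truncates the file and drops the "$FORCEFLAG" and `-N $BOOTTIME` entries appended by the two lines just above it. The removed getfilecon line did the same, so this may be deliberate (a full relabel supersedes the other options), but the comment should say so, or the line should use `>>` if the options are meant to be kept.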
-- 
2.23.0



* Re: [PATCH 2/2] policycoreutils/fixfiles: Force full relabel when SELinux is disabled
  2019-09-24 19:08 ` [PATCH 2/2] policycoreutils/fixfiles: Force full relabel when SELinux is disabled Petr Lautrbach
@ 2019-09-26 12:54   ` Stephen Smalley
  0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2019-09-26 12:54 UTC
  To: Petr Lautrbach, selinux

On 9/24/19 3:08 PM, Petr Lautrbach wrote:
> The previous check used getfilecon to check whether / slash contains a label,
> but getfilecon fails only when SELinux is disabled. Therefore it's better to
> check this using selinuxenabled.

Thanks, applied both patches.

> 
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>   policycoreutils/scripts/fixfiles | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
> index 678fca40..ab0848ff 100755
> --- a/policycoreutils/scripts/fixfiles
> +++ b/policycoreutils/scripts/fixfiles
> @@ -313,8 +313,8 @@ case "$1" in
>   	> /.autorelabel || exit $?
>   	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
>   	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
> -	# Force full relabel if / does not have a label on it
> -	getfilecon / > /dev/null 2>&1  || echo -F >/.autorelabel
> +	# Force full relabel if SELinux is not enabled
> +	selinuxenabled || echo -F > /.autorelabel
>   	echo "System will relabel on next boot"
>   	;;
>       *)
> 
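Review bot: `selinuxenabled` on the added line is resolved through PATH, as `getfilecon` was on the removed one; for a script run as root, calling it by absolute path or setting PATH at the top of the script avoids depending on the caller's environment. The `||` also fires when the command cannot be executed at all, which ends in -F and a full relabel; that is the conservative outcome, but it deserves a word in the comment.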

