* [PATCH 1/2] policycoreutils/fixfiles: Fix [-B] [-F] onboot
@ 2019-09-24 19:08 Petr Lautrbach
2019-09-24 19:08 ` [PATCH 2/2] policycoreutils/fixfiles: Force full relabel when SELinux is disabled Petr Lautrbach
0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2019-09-24 19:08 UTC (permalink / raw)
To: selinux; +Cc: Petr Lautrbach
Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
`fixfiles -B onboot` show usage instead of updating /.autorelabel.
The code is restructured to handle -B for different modes correctly.
Fixes:
# fixfiles -B onboot
Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel
...
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 5be9ba6e..678fca40 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -111,7 +111,7 @@ VERBOSE="-p"
FORCEFLAG=""
RPMFILES=""
PREFC=""
-RESTORE_MODE="DEFAULT"
+RESTORE_MODE=""
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts`
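Review bot: RESTORE_MODE now has two values that both mean "no special mode", the empty string assigned here and the DEFAULT that -B assigns in the last hunk, and nothing in the script says how they differ. A one-line comment above RESTORE_MODE="" (empty = no mode option seen, DEFAULT = chosen explicitly by -B) would make the later -n checks readable.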
@@ -213,16 +213,17 @@ restore () {
OPTION=$1
shift
-case "$RESTORE_MODE" in
- PREFC)
- diff_filecontext $*
- return
- ;;
- BOOTTIME)
+# [-B | -N time ]
+if [ -n "$BOOTTIME" ]; then
newer $BOOTTIME $*
return
- ;;
-esac
+fi
+
+# -C PREVIOUS_FILECONTEXT
+if [ "$RESTORE_MODE" == PREFC ]; then
+ diff_filecontext $*
+ return
+fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
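Review bot: the new `if [ -n "$BOOTTIME" ]` at the top of restore() selects the `newer` path from the BOOTTIME variable alone, and the initialisation block touched in the first hunk sets FORCEFLAG, RPMFILES, PREFC and RESTORE_MODE but shows no BOOTTIME="". If it is not cleared elsewhere in the script, a BOOTTIME inherited from the caller's environment would switch a relabel to the time-filtered path without -B or -N being given; initialise it next to RESTORE_MODE. Minor: `==` inside [ ] is a bash extension, `=` is the portable spelling.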
@@ -238,7 +239,7 @@ case "$RESTORE_MODE" in
FILEPATH)
${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
;;
- DEFAULT)
+ *)
if [ -n "${FILESYSTEMSRW}" ]; then
LogReadOnly
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
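Review bot: replacing DEFAULT) with *) makes the widest action, relabelling every filesystem in FILESYSTEMSRW, the fallback for any RESTORE_MODE value this case does not recognise, including a typo in a future mode name. Matching `""|DEFAULT)` explicitly and letting `*)` print usage and exit 1 keeps the new behaviour and fails closed.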
@@ -271,7 +272,7 @@ fullrelabel() {
relabel() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
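Review bot: `[ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]` in relabel() relies on the -a operator of test, which POSIX marks obsolescent because it can parse ambiguously; `[ -n "$RESTORE_MODE" ] && [ "$RESTORE_MODE" != DEFAULT ]` is the safer form. The identical test is added to the onboot) branch in the next hunk, so a small helper function would keep the two from drifting apart.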
@@ -305,7 +306,7 @@ case "$1" in
verify) restore Verify -n;;
relabel) relabel;;
onboot)
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
@@ -343,7 +344,7 @@ if [ $# -eq 0 ]; then
fi
set_restore_mode() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" ]; then
# can't specify two different modes
usage
exit 1
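Review bot: with the guard in set_restore_mode changed to `[ -n "$RESTORE_MODE" ]`, and -B calling `set_restore_mode DEFAULT` in the last hunk, -B now counts as having picked a mode: a repeated -B, or -B given in either order with any other option that goes through set_restore_mode, ends in usage and exit 1. The commit message says -B should be handled for different modes, so either relax the guard for the DEFAULT case or state in the usage text which combinations are supported.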
@@ -356,7 +357,7 @@ while getopts "N:BC:FfR:l:v" i; do
case "$i" in
B)
BOOTTIME=`/bin/who -b | awk '{print $3}'`
- set_restore_mode BOOTTIME
+ set_restore_mode DEFAULT
;;
N)
BOOTTIME=$OPTARG
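Review bot: in the B) branch BOOTTIME comes from `/bin/who -b | awk '{print $3}'` with no check that the pipeline produced anything. Before this change an empty result still left RESTORE_MODE set to BOOTTIME; now the mode is DEFAULT, so restore() skips its `[ -n "$BOOTTIME" ]` branch and falls through to the *) case, and a -B run silently becomes a relabel of every filesystem in FILESYSTEMSRW. Add `[ -n "$BOOTTIME" ] || { usage; exit 1; }` (or a dedicated error message) after the assignment.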
--
2.23.0
* [PATCH 2/2] policycoreutils/fixfiles: Force full relabel when SELinux is disabled
2019-09-24 19:08 [PATCH 1/2] policycoreutils/fixfiles: Fix [-B] [-F] onboot Petr Lautrbach
@ 2019-09-24 19:08 ` Petr Lautrbach
2019-09-26 12:54 ` Stephen Smalley
0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2019-09-24 19:08 UTC (permalink / raw)
To: selinux; +Cc: Petr Lautrbach
The previous check used getfilecon to check whether / slash contains a label,
but getfilecon fails only when SELinux is disabled. Therefore it's better to
check this using selinuxenabled.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 678fca40..ab0848ff 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -313,8 +313,8 @@ case "$1" in
> /.autorelabel || exit $?
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
- # Force full relabel if / does not have a label on it
- getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel
+ # Force full relabel if SELinux is not enabled
+ selinuxenabled || echo -F > /.autorelabel
echo "System will relabel on next boot"
;;
*)
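Review bot: `selinuxenabled || echo -F > /.autorelabel` writes with > while the two lines above it append with >>, so when SELinux is disabled the FORCEFLAG and `-N $BOOTTIME` just written are truncated away and the file holds only -F. The removed getfilecon line did the same, so if discarding them is intended, say so in the comment; otherwise use >>. Also note that any non-zero status from selinuxenabled, including the command not being found, takes the -F path.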
--
2.23.0
* Re: [PATCH 2/2] policycoreutils/fixfiles: Force full relabel when SELinux is disabled
2019-09-24 19:08 ` [PATCH 2/2] policycoreutils/fixfiles: Force full relabel when SELinux is disabled Petr Lautrbach
@ 2019-09-26 12:54 ` Stephen Smalley
0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2019-09-26 12:54 UTC (permalink / raw)
To: Petr Lautrbach, selinux
On 9/24/19 3:08 PM, Petr Lautrbach wrote:
> The previous check used getfilecon to check whether / slash contains a label,
> but getfilecon fails only when SELinux is disabled. Therefore it's better to
> check this using selinuxenabled.
Thanks, applied both patches.
>
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
> policycoreutils/scripts/fixfiles | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
> index 678fca40..ab0848ff 100755
> --- a/policycoreutils/scripts/fixfiles
> +++ b/policycoreutils/scripts/fixfiles
> @@ -313,8 +313,8 @@ case "$1" in
> > /.autorelabel || exit $?
> [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
> [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
> - # Force full relabel if / does not have a label on it
> - getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel
> + # Force full relabel if SELinux is not enabled
> + selinuxenabled || echo -F > /.autorelabel
> echo "System will relabel on next boot"
> ;;
> *)
>