diff --git a/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch b/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
new file mode 100644
index 0000000..1dc4320
--- /dev/null
+++ b/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
@@ -0,0 +1,108 @@
+From d3f8b2c3cd9e044aba909f63a2ca78f53db11fe0 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 2 Jul 2019 17:11:32 +0200
+Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot
+
+Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
+command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
+`fixfiles -B onboot` to show usage instead of updating /.autorelabel
+
+The code is restructured to handle -B for different modes correctly.
+
+Fixes:
+ # fixfiles -B onboot
+ Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel
+ ...
+
+Signed-off-by: Petr Lautrbach
+---
+ policycoreutils/scripts/fixfiles | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 53d28c7b..9dd44213 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -112,7 +112,7 @@ VERBOSE="-p"
+ FORCEFLAG=""
+ RPMFILES=""
+ PREFC=""
+-RESTORE_MODE="DEFAULT"
++RESTORE_MODE=""
+ SETFILES=/sbin/setfiles
+ RESTORECON=/sbin/restorecon
+ FILESYSTEMSRW=`get_rw_labeled_mounts`
+@@ -214,16 +214,17 @@ restore () {
+ OPTION=$1
+ shift
+
+-case "$RESTORE_MODE" in
+- PREFC)
+- diff_filecontext $*
+- return
+- ;;
+- BOOTTIME)
++# [-B | -N time ]
++if [ -z "$BOOTTIME" ]; then
+ newer $BOOTTIME $*
+ return
+- ;;
+-esac
++fi
++
++# -C PREVIOUS_FILECONTEXT
++if [ "$RESTORE_MODE" == PREFC ]; then
++ diff_filecontext $*
++ return
++fi
+
+ [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
+
+@@ -239,7 +240,7 @@ case "$RESTORE_MODE" in
+ FILEPATH)
+ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
+ ;;
+- DEFAULT)
++ *)
+ if [ -n "${FILESYSTEMSRW}" ]; then
+ LogReadOnly
+ echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
+@@ -272,7 +273,7 @@ fullrelabel() {
+
+
+ relabel() {
+- if [ "$RESTORE_MODE" != DEFAULT ]; then
++ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
+ usage
+ exit 1
+ fi
+@@ -306,7 +307,7 @@ case "$1" in
+ verify) restore Verify -n;;
+ relabel) relabel;;
+ onboot)
+- if [ "$RESTORE_MODE" != DEFAULT ]; then
++ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
+ usage
+ exit 1
+ fi
+@@ -344,7 +345,7 @@ if [ $# -eq 0 ]; then
+ fi
+
+ set_restore_mode() {
+- if [ "$RESTORE_MODE" != DEFAULT ]; then
++ if [ -n "$RESTORE_MODE" ]; then
+ # can't specify two different modes
+ usage
+ exit 1
+@@ -357,7 +358,7 @@ while getopts "N:BC:FfR:l:v" i; do
+ case "$i" in
+ B)
+ BOOTTIME=`/bin/who -b | awk '{print $3}'`
+- set_restore_mode BOOTTIME
++ set_restore_mode DEFAULT
+ ;;
+ N)
+ BOOTTIME=$OPTARG
+--
+2.22.0
+
diff --git a/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch b/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
new file mode 100644
index 0000000..7f98d56
--- /dev/null
+++ b/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
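Review bot: The new guard `if [ -z "$BOOTTIME" ]; then` in restore() (patch 0022) looks inverted: `-z` is true when BOOTTIME is empty, so a run without -B/-N would call `newer` with no timestamp and return before the genhomedircon call and the `case "$RESTORE_MODE"` paths, while a run with -B/-N would skip `newer` altogether. Because this script is what reapplies SELinux file contexts, the likely effect is restore/check/verify runs that do not relabel what was asked and leave stale labels in place. The test should read `if [ -n "$BOOTTIME" ]; then`, ideally with the expansion quoted as `newer "$BOOTTIME" $*`. restore() and `newer` are defined outside this hunk, so this rests on the visible lines only.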
@@ -0,0 +1,33 @@
+From 105eeda97b0f35773bc32222d0802de4d0b5a8e9 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 2 Jul 2019 17:12:07 +0200
+Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is
+ disabled
+
+The previous check used getfilecon to check whether / slash contains a label,
+but getfilecon fails only when SELinux is disabled. Therefore it's better to
+check this using selinuxenabled.
+
+Signed-off-by: Petr Lautrbach
+---
+ policycoreutils/scripts/fixfiles | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 9dd44213..a9d27d13 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -314,8 +314,8 @@ case "$1" in
+ > /.autorelabel || exit $?
+ [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
+ [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+- # Force full relabel if / does not have a label on it
+- getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel
++ # Force full relabel if SELinux is not enabled
++ selinuxenabled || echo -F > /.autorelabel
+ echo "System will relabel on next boot"
+ ;;
+ *)
+--
+2.22.0
+
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 4104067..5747be1 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -59,6 +59,8 @@ Patch0018: 0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
 Patch0019: 0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
 Patch0020: 0020-python-Use-ipaddress-instead-of-IPy.patch
 Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch
+Patch0022: 0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
+Patch0023: 0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
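Review bot: The rewritten line `selinuxenabled || echo -F > /.autorelabel` in the `onboot)` branch (patch 0023) still truncates /.autorelabel with `>`, which discards the `$FORCEFLAG` and `-N $BOOTTIME` options appended by the two lines just above it, and nothing in the hunk says whether that is intended. If it is deliberate, presumably because a time-limited relabel cannot be trusted after SELinux was disabled, a comment would make that explicit, e.g. `# '>' on purpose: drop any -N written above so the whole filesystem is relabeled`. Any non-zero exit from `selinuxenabled` takes this path as well, which errs toward a full relabel. The `onboot)` branch begins outside the hunk.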