Add Elia Pinto patches to allow user to specify directories to ignore

This commit is contained in:
Dan Walsh 2011-04-11 14:34:01 -04:00
parent 78134e652a
commit 55fb6920ca
2 changed files with 67 additions and 10 deletions


@ -3194,10 +3194,10 @@ index 3f9efba..7c6d75a 100644
+/etc/selinux/{SELINUXTYPE}/seusers
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index ae519fc..0890811 100755
index ae519fc..7d21ea3 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -21,6 +21,25 @@
@@ -21,6 +21,44 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
@ -3210,12 +3210,31 @@ index ae519fc..0890811 100755
+ grep --silent "$i ".*seclabel /proc/self/mounts && echo $i
+done
+}
+
+exclude_dirs_from_relabelling() {
+ exclude_from_relabelling=
+ if [ -e /etc/selinux/fixfiles_exclude_dirs ]
+ then
+ while read i
+ do
+ # skip blank line and comment
+ # skip not absolute path
+ # skip not directory
+ [ -z "${i}" ] && continue
+ [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
+ [[ ! "${i}" =~ ^/.* ]] && continue
+ [[ ! -d "${i}" ]] && continue
+ exclude_from_relabelling="$exclude_from_relabelling -e $i"
+ logit "skipping the directory $i from relabelling"
+ done < /etc/selinux/fixfiles_exclude_dirs
+ fi
+ echo "$exclude_from_relabelling"
+}
+exclude_dirs() {
+ exclude=
+ for i in /var/lib/BackupPC /home /tmp /dev; do
+ [ -e $i ] && exclude="$exclude -e $i";
+ done
+ exclude="$exclude `exclude_dirs_from_relabelling`"
+ echo "$exclude"
+}
+
@ -3223,7 +3242,7 @@ index ae519fc..0890811 100755
# Set global Variables
#
fullFlag=0
@@ -35,9 +54,7 @@ SYSLOGFLAG="-l"
@@ -35,9 +73,7 @@ SYSLOGFLAG="-l"
LOGGER=/usr/sbin/logger
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
@ -3234,7 +3253,7 @@ index ae519fc..0890811 100755
SELINUXTYPE="targeted"
if [ -e /etc/selinux/config ]; then
. /etc/selinux/config
@@ -87,23 +104,10 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
@@ -87,23 +123,10 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
esac; \
fi; \
done | \
@ -3259,7 +3278,7 @@ index ae519fc..0890811 100755
rpmlist() {
rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
@@ -121,23 +125,16 @@ if [ ! -z "$PREFC" ]; then
@@ -121,24 +144,34 @@ if [ ! -z "$PREFC" ]; then
fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
@ -3282,11 +3301,30 @@ index ae519fc..0890811 100755
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
-LogReadOnly
-${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
+#
+exclude_dirs="`exclude_dirs_from_relabelling`"
+if [ -n "${exclude_dirs}" ]
+then
+ TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
+ test -z "$TEMPFCFILE" && exit
+ /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
+ exclude_dirs=${exclude_dirs//-e/}
+ for p in ${exclude_dirs}
+ do
+ p="${p%/}"
+ p1="${p}(/.*)? -- <<none>>"
+ echo "${p1}" >> $TEMPFCFILE
+ logit "skipping the directory ${p} from relabelling"
+ done
+FC=$TEMPFCFILE
+fi
+${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMS} 2>&1 | cat >> $LOGFILE
rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
@@ -146,8 +143,7 @@ exit $?
exit $?
@@ -146,8 +179,7 @@ exit $?
fullrelabel() {
logit "Cleaning out /tmp"
@ -3296,6 +3334,19 @@ index ae519fc..0890811 100755
restore
}
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index dfe8aa9..0b4cbaa 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all
as you expect. By default it will relabel all mounted ext2, ext3, xfs and
jfs file systems as long as they do not have a security context mount
option. You can use the -R flag to use rpmpackages as an alternative.
+The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
+excluded from relabelling.
.P
.B fixfiles onboot
will setup the machine to relabel on the next reboot.
diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8
new file mode 100644
index 0000000..6331660
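Review bot: `exclude_dirs=${exclude_dirs//-e/}` in the restore hunk removes every occurrence of the substring `-e`, not just the `-e` flag tokens, so a configured directory such as `/srv/pre-existing` becomes `/srv/prxisting` before it is written into the temporary file_contexts, and the unquoted `for p in ${exclude_dirs}` additionally splits any path containing whitespace; skipping the flag tokens keeps the path intact: `for p in ${exclude_dirs}; do [ "$p" = "-e" ] && continue`. The `p1="${p}(/.*)? -- <<none>>"` line then embeds the path unescaped into a regex, so metacharacters in a directory name (`.`, `+`, `(`) widen the exclusion beyond the configured directory — escape them before building `p1`. Each directory is also logged twice per run, once in `exclude_dirs_from_relabelling` and again in this loop, and that helper's `[[ "${i}" =~ "^[[:blank:]]*#" ]]` quotes its pattern, which bash matches as a literal string rather than a regex (the following `^/` check is what actually drops such lines). The `restore` function whose body this hunk modifies starts and ends outside the hunk.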


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.85
Release: 28%{?dist}
Release: 30%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -163,7 +163,7 @@ Requires(post): /sbin/chkconfig
BuildRequires: libcap-ng-devel
%description sandbox
The policycoreutils-python package contains the scripts to create graphical sandboxes
The policycoreutils-sandbox package contains the scripts to create graphical sandboxes
%files sandbox
%defattr(-,root,root,-)
@ -331,6 +331,12 @@ fi
exit 0
%changelog
* Mon Apr 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-30
- Add Elia Pinto patches to allow user to specify directories to ignore
* Tue Apr 5 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-29
- Fix policycoreutils-sandbox description
* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-28
- rsynccmd should run outside of execcon