From 55fb6920ca81a626e02abc4af81fd2b12371fc41 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 11 Apr 2011 14:34:01 -0400 Subject: [PATCH] Add Elia Pinto patches to allow user to specify directories to ignore --- policycoreutils-rhat.patch | 67 +++++++++++++++++++++++++++++++++----- policycoreutils.spec | 10 ++++-- 2 files changed, 67 insertions(+), 10 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index e49a441..357171f 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -3194,10 +3194,10 @@ index 3f9efba..7c6d75a 100644 +/etc/selinux/{SELINUXTYPE}/seusers diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index ae519fc..0890811 100755 +index ae519fc..7d21ea3 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles -@@ -21,6 +21,25 @@ +@@ -21,6 +21,44 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # @@ -3210,12 +3210,31 @@ index ae519fc..0890811 100755 + grep --silent "$i ".*seclabel /proc/self/mounts && echo $i +done +} -+ ++exclude_dirs_from_relabelling() { ++ exclude_from_relabelling= ++ if [ -e /etc/selinux/fixfiles_exclude_dirs ] ++ then ++ while read i ++ do ++ # skip blank line and comment ++ # skip not absolute path ++ # skip not directory ++ [ -z "${i}" ] && continue ++ [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue ++ [[ ! "${i}" =~ ^/.* ]] && continue ++ [[ ! -d "${i}" ]] && continue ++ exclude_from_relabelling="$exclude_from_relabelling -e $i" ++ logit "skipping the directory $i from relabelling" ++ done < /etc/selinux/fixfiles_exclude_dirs ++ fi ++ echo "$exclude_from_relabelling" ++} +exclude_dirs() { + exclude= + for i in /var/lib/BackupPC /home /tmp /dev; do + [ -e $i ] && exclude="$exclude -e $i"; + done ++ exclude="$exclude `exclude_dirs_from_relabelling`" + echo "$exclude" +} + 
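Review bot: In `exclude_dirs_from_relabelling`, the comment test `[[ "${i}" =~ "^[[:blank:]]*#" ]]` quotes the pattern, which bash 3.2 and later match as a literal string, so it never fires and comment lines are only dropped by the following `^/` test; `[[ "${i}" =~ ^[[:blank:]]*# ]] && continue` would do what the comment above it says. `while read i` should be `while read -r i` so that backslashes in a path are not consumed, and because every entry is flattened into one ` -e $i` string, a directory name containing whitespace is split into several arguments if callers expand the result unquoted. `logit` is called inside a function whose stdout is captured by the backticks in `exclude_dirs`; its definition is not in this hunk, so it is worth confirming that it never writes to stdout, otherwise the log text ends up in the exclude list. Since /etc/selinux/fixfiles_exclude_dirs decides which trees are exempt from relabelling, a header comment on the function stating that the file is expected to be root-owned and not writable by others would help the next maintainer.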
@@ -3223,7 +3242,7 @@ index ae519fc..0890811 100755 # Set global Variables # fullFlag=0 -@@ -35,9 +54,7 @@ SYSLOGFLAG="-l" +@@ -35,9 +73,7 @@ SYSLOGFLAG="-l" LOGGER=/usr/sbin/logger SETFILES=/sbin/setfiles RESTORECON=/sbin/restorecon @@ -3234,7 +3253,7 @@ index ae519fc..0890811 100755 SELINUXTYPE="targeted" if [ -e /etc/selinux/config ]; then . /etc/selinux/config -@@ -87,23 +104,10 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then +@@ -87,23 +123,10 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then esac; \ fi; \ done | \ @@ -3259,7 +3278,7 @@ index ae519fc..0890811 100755 rpmlist() { rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' ' -@@ -121,23 +125,16 @@ if [ ! -z "$PREFC" ]; then +@@ -121,24 +144,34 @@ if [ ! -z "$PREFC" ]; then fi if [ ! -z "$RPMFILES" ]; then for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do 
@@ -3282,11 +3301,30 @@ index ae519fc..0890811 100755 [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon -LogReadOnly -${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE +-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* ++# ++exclude_dirs="`exclude_dirs_from_relabelling`" ++if [ -n "${exclude_dirs}" ] ++then ++ TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX` ++ test -z "$TEMPFCFILE" && exit ++ /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit ++ exclude_dirs=${exclude_dirs//-e/} ++ for p in ${exclude_dirs} ++ do ++ p="${p%/}" ++ p1="${p}(/.*)? -- <>" ++ echo "${p1}" >> $TEMPFCFILE ++ logit "skipping the directory ${p} from relabelling" ++ done ++FC=$TEMPFCFILE ++fi +${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMS} 2>&1 | cat >> $LOGFILE - rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* ++rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; -@@ -146,8 +143,7 @@ exit $? + exit $? +@@ -146,8 +179,7 @@ exit $? fullrelabel() { logit "Cleaning out /tmp" @@ -3296,6 +3334,19 @@ index ae519fc..0890811 100755 restore } +diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 +index dfe8aa9..0b4cbaa 100644 +--- a/policycoreutils/scripts/fixfiles.8 ++++ b/policycoreutils/scripts/fixfiles.8 +@@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all + as you expect. By default it will relabel all mounted ext2, ext3, xfs and + jfs file systems as long as they do not have a security context mount + option. You can use the -R flag to use rpmpackages as an alternative. ++The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories ++excluded from relabelling. + .P + .B fixfiles onboot + will setup the machine to relabel on the next reboot. 
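Review bot: `exclude_dirs=${exclude_dirs//-e/}` removes every `-e` substring rather than only the flag tokens, so a path such as `/srv/site-east` (constructed example) becomes `/srv/siteast` and the entry appended to the temporary context file no longer names the directory the administrator listed; stripping only the token, `exclude_dirs=${exclude_dirs// -e / }`, avoids that. The loop `for p in ${exclude_dirs}` also splits on whitespace, and `${p}` is written into the context file as a regular expression without escaping, so a name containing `.` or `+` matches more paths than the one listed. `test -z "$TEMPFCFILE" && exit` leaves with status 0 when mktemp fails, and the temporary copy is not removed if `cp` fails or the run is interrupted; `TEMPFCFILE=$(mktemp ${FC}.XXXXXXXXXX) || exit 1` followed by `trap 'rm -f "$TEMPFCFILE"' EXIT` would cover both. The enclosing function starts outside this hunk, so how `FC` is used after the reassignment could not be checked here.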
diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8 new file mode 100644 index 0000000..6331660 diff --git a/policycoreutils.spec b/policycoreutils.spec index d6390f7..5d4e780 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.85 -Release: 28%{?dist} +Release: 30%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -163,7 +163,7 @@ Requires(post): /sbin/chkconfig BuildRequires: libcap-ng-devel %description sandbox -The policycoreutils-python package contains the scripts to create graphical sandboxes +The policycoreutils-sandbox package contains the scripts to create graphical sandboxes %files sandbox %defattr(-,root,root,-) @@ -331,6 +331,12 @@ fi exit 0 %changelog +* Mon Apr 11 2011 Dan Walsh 2.0.85-30 +- Add Elia Pinto patches to allow user to specify directories to ignore + +* Tue Apr 5 2011 Dan Walsh 2.0.85-29 +- Fix policycoreutils-sandbox description + * Tue Mar 29 2011 Dan Walsh 2.0.85-28 - rsynccmd should run outside of execcon