diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.21.7/restorecon/restorecon.c --- nsapolicycoreutils/restorecon/restorecon.c 2005-01-25 10:32:01.000000000 -0500 +++ policycoreutils-1.21.7/restorecon/restorecon.c 2005-01-28 11:38:00.000000000 -0500 @@ -188,7 +188,7 @@ fprintf(stderr, "%s: error while labeling files under %s\n", progname, buf); - exit(1); + errors++; } } else diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.7/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2005-01-26 11:30:57.000000000 -0500 +++ policycoreutils-1.21.7/scripts/fixfiles 2005-01-28 15:21:23.000000000 -0500 @@ -37,10 +37,12 @@ SELINUXTYPE="targeted" if [ -e /etc/selinux/config ]; then . /etc/selinux/config + FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX` - cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null + cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null else - FC=/etc/security/selinux/file_contexts + FILE_CONTEXT=/etc/security/selinux/file_contexts + FC=${FILE_CONTEXT} fi cleanup() { 
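Review bot: Replacing `exit(1)` with `errors++` keeps the labeling failure visible only if `errors` is later turned into the process exit status, and that code is outside this hunk. If the program still ends with a plain success return, a tree that could not be relabeled keeps its stale contexts while callers such as fixfiles see status 0. Please confirm that `errors` is initialised to zero and that the final return is along the lines of `return errors ? 1 : 0;`.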
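Review bot: The rewritten `cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null` still discards every error, so a missing or unreadable base file_contexts produces an empty or partial `$FC` with no message, and labeling then proceeds from it. The redirect is presumably there only to tolerate an absent `.local` file, so I would test for that file explicitly and let a failure on the base file abort: `cat "${FILE_CONTEXT}" > "$FC" || exit 1` followed by `[ -f "${FILE_CONTEXT}.local" ] && cat "${FILE_CONTEXT}.local" >> "$FC"`. The `mktemp` result on the context line above is also never checked, so a failed mktemp leaves `$FC` empty for that redirect.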
@@ -60,7 +62,23 @@ echo $1 >> $LOGFILE fi } - +# +# Compare PREVious File Context to currently installed File Context and +# run restorecon on all files affected by the differences. +# +diff_filecontext() { +if [ -f ${PREFC} -a -x /usr/bin/diff ]; then + TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX` + test -z "$TEMPFILE" && exit + /usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \ + sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \ + -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \ + while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};; esac; fi; done | \ + while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \ + ${RESTORECON} $2 -v -f -R - + rm -f ${TEMPFILE} +fi +} # # Log all Read Only file systems # @@ -80,6 +98,10 @@ # if called with -n will only check file context # restore () { +if [ ! -z "$PREFC" ]; then + diff_filecontext $1 + exit $? +fi if [ ! -z "$RPMFILES" ]; then for i in `echo $RPMFILES | sed 's/,/ /g'`; do rpmlist $i | ${RESTORECON} ${OUTFILES} -R $1 -v -f - 2>&1 >> $LOGFILE @@ -128,7 +150,7 @@ usage() { echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] " echo or - echo $"Usage: $0 -R rpmpackage[,rpmpackage...] [-l logfile ] [-o outputfile ] { check | restore }" + echo $"Usage: $0 -R rpmpackage[,rpmpackage...] -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }" } if [ $# = 0 ]; then @@ -137,7 +159,7 @@ fi # See how we were called. -while getopts "Fo:R:l:" i; do +while getopts "C:Fo:R:l:" i; do case "$i" in F) fullFlag=1 
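Review bot: `${RESTORECON} $2 -v -f -R -` reads `$2`, but the only caller visible in this patch is `diff_filecontext $1` in restore(). The mode flag restore() received is therefore dropped (its comment says `-n` means check only), so a `check` run through -C would relabel. The option order also differs from the RPM branch's `-R $1 -v -f -`; if restorecon's `-f` takes the input file as its argument, `-R` is consumed as the file name here instead of `-`. In addition, `test -z "$TEMPFILE" && exit` exits with the status of `test`, which is 0, and the function otherwise returns the status of `rm -f` or of the skipped `if`, so a failed mktemp, a missing -C file and a restorecon error all report success. The fence keeps the pattern pipeline as it is and changes only the guard, the restorecon arguments and the return status.

```shell
diff_filecontext() {
if [ ! -f "${PREFC}" ] || [ ! -x /usr/bin/diff ]; then
	echo "$0: cannot compare against ${PREFC}" >&2
	return 1
fi
TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX` || return 1
# … unchanged: /usr/bin/diff | egrep | cut | grep | sed | sort -u and the two "while read pattern" stages …
	${RESTORECON} -R $1 -v -f -
status=$?
rm -f "${TEMPFILE}"
return $status
}
```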
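Review bot: With this early branch, -C takes over restore() entirely: `$RPMFILES` and any directory arguments are never looked at, yet the usage line changed in the next hunk prints `-R rpmpackage[,rpmpackage...] -C PREVIOUS_FILECONTEXT` as if the two were combined and -C were mandatory. Either reject the combination during option parsing or give -C its own usage line, for example `echo $"Usage: $0 -C PREVIOUS_FILECONTEXT { check | restore }"`. Unlike the RPM branch, this path also writes nothing to `$LOGFILE` and ignores `${OUTFILES}`, which deserves a comment if it is intentional. restore() continues outside the hunk.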
@@ -151,6 +173,9 @@
 l)
 LOGFILE=$OPTARG
 ;;
+ C)
+ PREFC=$OPTARG
+ ;;
 *)
 usage
 exit 1
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-1.21.7/scripts/fixfiles.8
--- nsapolicycoreutils/scripts/fixfiles.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.21.7/scripts/fixfiles.8 2005-01-28 11:47:18.000000000 -0500
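Review bot: `PREFC` is assigned only in this new `C)` arm and no hunk in the patch initialises it, so unless that happens outside the visible lines, a `PREFC` inherited from the caller's environment makes restore() take the diff branch without -C being given. Setting `PREFC=""` next to the other defaults and validating the argument at parse time, e.g. `[ -f "$OPTARG" ] || { usage; exit 1; }` before `PREFC=$OPTARG`, would close that. The value is later expanded unquoted in `[ -f ${PREFC} ...` and `/usr/bin/diff $PREFC $FILE_CONTEXT`, so a path containing whitespace or starting with `-` is split or read as an option; quoting it at those uses covers this. The case statement continues outside the hunk.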
@@ -0,0 +1,64 @@
+.TH "fixfiles" "8" "2002031409" "" ""
+.SH "NAME"
+fixfiles \- fix file security contexts.
+
+.SH "SYNOPSIS"
+.B fixfiles [ -R rpmpackagename[,rpmpackagename...] ] [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] [-o outputfile ] { check | restore | [-F] relabel }"
+
+.B fixfiles [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir/file] ... ]
+
+.SH "DESCRIPTION"
+This manual page describes the
+.BR fixfiles
+script.
+.P
+This script is primarily used to correct the security context
+database (extended attributes) on filesystems.
+.P
+It can also be run at any time to relabel when adding support for
+new policy, or just check whether the file contexts are all
+as you expect. By default it will relabel all mounted ext2, ext3, xfs and
+reiser file systems as long as they do not have a security context mount
+option. You can use the -R flag to use rpmpackages as an alternative.
+
+.SH "OPTIONS"
+.TP
+.B -l logfile
+Save the output to the specified logfile
+.TP
+.B -o outputfile
+Save all files that have file_context that differs from the default, in outputfile.
+
+.TP
+.B -F
+Don't prompt for removal of /tmp directory.
+
+.TP
+.B -R rpmpackagename[,rpmpackagename...]
+Use the rpm database to discover all files within the specified packages and restore the file contexts. (-a will get all files in the RPM database).
+.TP
+.B -C PREVIOUS_FILECONTEXT
+Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
+
+.SH "ARGUMENTS"
+One of:
+.TP
+.B check
+show any incorrect file context labels but do not change them.
+.TP
+.B restore
+change any incorrect file context labels.
+.TP
+.B relabel
+Prompt for removal of contents of /tmp directory and then change any inccorect file context labels to match the install file_contexts file.
+.TP
+.B [[dir/file] ... ]
+List of files or directories trees that you wish to check file context on.
+
+.SH "AUTHOR"
+This man page was written by Richard Hally .
+The script was written by Dan Walsh
+
+.SH "SEE ALSO"
+.BR setfiles (8), restorecon(8)
+
Binary files nsapolicycoreutils/scripts/fixfiles.8.gz and policycoreutils-1.21.7/scripts/fixfiles.8.gz differ