[kexec-tools/f19] kdumpctl: add selinux relabel when service startup

Baoquan He baoquan at fedoraproject.org
Thu Jun 13 05:13:37 UTC 2013


commit c2361881c72e484601859266c2e7b8c74178bffa
Author: dyoung at redhat.com <dyoung at redhat.com>
Date:   Sat Jun 8 14:22:31 2013 +0800

    kdumpctl: add selinux relabel when service startup
    
    Dracut root fs is always mounted, but it's not guaranteed to succeed
    because we are in crash/kdump context. So selinux policy can not depend
    only on chroot load_policy.
    
    Per discussion with Vivek and Selinux people, relabel kdump files
    when the service restart.
    
    Currently only below cases are considerd:
    1. target mounted in 1st kernel
    2. target mounted as rw, if user mount it as 'ro' they will have to
       relabel the files by themselves.
    3. save path is not masked, this means if /var/crash is mount to another
       disk which is different from dump target it will not visible to user
       so user need manually relabel them.
    4. only local filesystem based targets.
    
    Tested on F19 machine.
    Tested local fs dump and network dump along with different save path
    to address above mentioned cases.
    
    Vivek: use function name is_dump_target_configured
           use getfattr -m "security.selinux" instead of ".*"
    Daniel: use restorecon instead of chcon.
    dyoung: keep minix in local fs list since it has not been deperacated yet.
    Vivek: wrap is_dump_target_configured checking in function path_to_be_relabeled
    dyoung: use awk instead of cut to print config value for different
            space delimeters
    dyoung: mute df error message: `df $_mnt/$_path 2>/dev/null`
    
    For nfs restorecon, since it will be in 3.11 kernel, we can add it when it's
    ok in Fedora.
    
    Signed-off-by: Dave Young <dyoung at redhat.com>
    Acked-by: Vivek Goyal <vgoyal at redhat.com>

 kdumpctl |   70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 70 insertions(+), 0 deletions(-)
---
diff --git a/kdumpctl b/kdumpctl
index fad323c..36e969f 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -378,6 +378,73 @@ function save_raw()
 	return 0
 }
 
+get_save_path() {
+	local _save_path=$(grep "^path" /etc/kdump.conf|awk '{print $2}')
+	if [ -z "$_save_path" ]; then
+		_save_path="/var/crash"
+	fi
+
+	echo $_save_path
+}
+
+is_dump_target_configured() {
+    local _target
+
+    _target=$(egrep "^ext[234]|^xfs|^btrfs|^minix|^raw|^ssh|^nfs" /etc/kdump.conf)
+
+     [ -n "$_target" ]
+}
+
+local_fs_dump_target()
+{
+	local _target
+
+	_target=$(egrep "^ext[234]|^xfs|^btrfs|^minix" /etc/kdump.conf)
+	if [ $? -eq 0 ]; then
+		echo $_target|awk '{print $2}'
+	fi
+}
+
+path_to_be_relabeled() {
+	local _path _target _mnt="/" _rmnt
+
+	if is_dump_target_configured; then
+		_target=$(local_fs_dump_target)
+		if [[ -n "$_target" ]]; then
+			_mnt=$(findmnt -k -f -n -r -o TARGET $_target)
+			if [ -z "$_mnt" ]; then
+				return
+			fi
+		else
+			return
+		fi
+	fi
+
+	_path=$(get_save_path)
+	# if $_path is masked by other mount, we will not relabel it.
+	_rmnt=$(df $_mnt/$_path 2>/dev/null | tail -1 | awk '{ print $NF }')
+	if [ "$_rmnt" == "$_mnt" ]; then
+		echo $_mnt/$_path
+	fi
+}
+
+selinux_relabel()
+{
+	local _path _i _attr
+
+	_path=$(path_to_be_relabeled)
+	if [ -z "$_path" ] || ! [ -d "$_path" ] ; then
+		return
+	fi
+
+	for _i in $(find $_path); do
+		_attr=$(getfattr -m "security.selinux" $_i 2>/dev/null)
+		if [ -z "$_attr" ]; then
+			restorecon $_i;
+		fi
+	done
+}
+
 function start()
 {
 	check_config
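Review bot: `for _i in $(find $_path)` in selinux_relabel word-splits (and glob-expands) find's output, so any entry under the save directory whose name contains whitespace is broken into fragments and `getfattr`/`restorecon` are then run on names that do not exist, leaving those files unlabeled; `$_path` and `$_i` are also unquoted in the same loop. Iterate NUL-delimited instead: `find "$_path" -print0 | while IFS= read -r -d '' _i; do`, `_attr=$(getfattr -m "security.selinux" "$_i" 2>/dev/null)`, `restorecon "$_i"`. The same unquoted expansions appear in path_to_be_relabeled (`findmnt ... $_target`, `df $_mnt/$_path`, `echo $_mnt/$_path`) and in get_save_path's `echo $_save_path`, where the path read from /etc/kdump.conf is re-split before it reaches the caller. The hunk ends inside start(), whose body continues outside it.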
@@ -386,6 +453,9 @@ function start()
 		return 1
 	fi
 
+	if sestatus 2>/dev/null | grep -q "SELinux status.*enabled"; then
+		selinux_relabel
+	fi
 	save_raw
 	if [ $? -ne 0 ]; then
 		echo "Starting kdump: [FAILED]"

