[kexec-tools/f19] kdumpctl: add selinux relabel when service startup
Baoquan He
baoquan at fedoraproject.org
Thu Jun 13 05:13:37 UTC 2013
commit c2361881c72e484601859266c2e7b8c74178bffa
Author: dyoung at redhat.com <dyoung at redhat.com>
Date: Sat Jun 8 14:22:31 2013 +0800
kdumpctl: add selinux relabel when service startup
Dracut root fs is always mounted, but it's not guaranteed to success
because we are in crash/kdump context. So selinux policy can not only
depends on chroot load_policy.
Per discussion with Vivek and Selinux people, relabel kdump files
when the service restart.
Currently only below cases are considerd:
1. target mounted in 1st kernel
2. target mounted as rw, if user mount it as 'ro' they will have to
relabel the files by themselves.
3. save path is not masked, this means if /var/crash is mount to another
disk which is different from dump target it will not visible to user
so user need manually relabel them.
4. only local filesystem based targets.
Tested on F19 machine.
Tested local fs dump and network dump along with different save path
to address above mentioned cases.
Vivek: use function name is_dump_target_configured
use getfattr -m "security.selinux" instead of ".*"
Daniel: use restorecon instead of chcon.
dyoung: keep minix in local fs list since it has not been deperacated yet.
Vivek: wrap is_dump_target_configured checking in function path_to_be_relabeled
dyoung: use awk instead of cut to print config value for different
space delimeters
dyoung: mute df error message: `df $_mnt/$_path 2>/dev/null`
For nfs restorecon, since it will be in 3.11 kernel, we can add it when it's
ok in Fedora.
Signed-off-by: Dave Young <dyoung at redhat.com>
Acked-by: Vivek Goyal <vgoyal at redhat.com>
kdumpctl | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 70 insertions(+), 0 deletions(-)
---
diff --git a/kdumpctl b/kdumpctl
index fad323c..36e969f 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -378,6 +378,73 @@ function save_raw()
return 0
}
+get_save_path() {
+ local _save_path=$(grep "^path" /etc/kdump.conf|awk '{print $2}')
+ if [ -z "$_save_path" ]; then
+ _save_path="/var/crash"
+ fi
+
+ echo $_save_path
+}
+
+is_dump_target_configured() {
+ local _target
+
+ _target=$(egrep "^ext[234]|^xfs|^btrfs|^minix|^raw|^ssh|^nfs" /etc/kdump.conf)
+
+ [ -n "$_target" ]
+}
+
+local_fs_dump_target()
+{
+ local _target
+
+ _target=$(egrep "^ext[234]|^xfs|^btrfs|^minix" /etc/kdump.conf)
+ if [ $? -eq 0 ]; then
+ echo $_target|awk '{print $2}'
+ fi
+}
+
+path_to_be_relabeled() {
+ local _path _target _mnt="/" _rmnt
+
+ if is_dump_target_configured; then
+ _target=$(local_fs_dump_target)
+ if [[ -n "$_target" ]]; then
+ _mnt=$(findmnt -k -f -n -r -o TARGET $_target)
+ if [ -z "$_mnt" ]; then
+ return
+ fi
+ else
+ return
+ fi
+ fi
+
+ _path=$(get_save_path)
+ # if $_path is masked by other mount, we will not relabel it.
+ _rmnt=$(df $_mnt/$_path 2>/dev/null | tail -1 | awk '{ print $NF }')
+ if [ "$_rmnt" == "$_mnt" ]; then
+ echo $_mnt/$_path
+ fi
+}
+
+selinux_relabel()
+{
+ local _path _i _attr
+
+ _path=$(path_to_be_relabeled)
+ if [ -z "$_path" ] || ! [ -d "$_path" ] ; then
+ return
+ fi
+
+ for _i in $(find $_path); do
+ _attr=$(getfattr -m "security.selinux" $_i 2>/dev/null)
+ if [ -z "$_attr" ]; then
+ restorecon $_i;
+ fi
+ done
+}
+
function start()
{
check_config
@@ -386,6 +453,9 @@ function start()
return 1
fi
+ if sestatus 2>/dev/null | grep -q "SELinux status.*enabled"; then
+ selinux_relabel
+ fi
save_raw
if [ $? -ne 0 ]; then
echo "Starting kdump: [FAILED]"
More information about the scm-commits
mailing list