And another fixfiles comment... (was Re: fixfile.cron added.

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Jul 5 19:51:49 UTC 2004


On Thu, 01 Jul 2004 08:14:09 EDT, Daniel J Walsh <dwalsh at redhat.com>  said:
> Todays policycoreutils has a new cron job, fixfiles.cron, that will run 
> in /etc/cron.daily.   This script will run a check on the file system on 

Currently, fixfiles does some interesting grepping through the mounts
to only work on R/W mounts.  This has 2 problems when run on a system
that has many filesystems mounted with some combo of ro/nosuid/nodev/noexec:

1) It's possible for the sysadmin to not realize that fixfiles isn't
relabelling a filesystem because it's R/O (note that this problem is
shared by the 'make relabel' target in /etc/selinux/*/src/policy/Makefile).

2) If we're only checking, we should do R/O filesystems as well - the fact
that they're R/O when the cronjob runs doesn't mean that they weren't R/W
and picked up some bad labels at some previous time.

Lightly tested patch:

--- /sbin/fixfiles.dist	2004-06-30 13:40:47.000000000 -0400
+++ /sbin/fixfiles	2004-07-05 04:53:24.000000000 -0400
@@ -30,9 +30,12 @@ rpmFlag=0
 rpmFiles=""
 outfileFlag=0
 OUTFILES=""
+logfileFlag=0
 LOGFILE=`mktemp /var/tmp/fixfiles.XXXXXXXXXX`  || exit 1
 SETFILES=/usr/sbin/setfiles
-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*rw/{print $3}';`
+FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
+FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
+FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
 SELINUXTYPE="targeted"
 
 if [ -e /etc/selinux/config ]; then
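Review bot: The three `FILESYSTEMS*` assignments each run `mount` on their own, so a mount, unmount or remount between the calls can leave a filesystem in neither list or in both. Capturing the output once keeps the two lists consistent, e.g. `MOUNTS=$(mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)')`, and then feeding `echo "$MOUNTS"` to each `awk`. The `\(rw` and `\(ro` anchors assume the access mode is always the first entry in the parenthesised option list, which deserves a one-line comment. Mount points containing whitespace are truncated by `print $3` and split again where the lists are expanded unquoted, so such a filesystem would be silently missed. `logfileFlag=0` is added here, but nothing in the visible hunks reads it.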
@@ -60,7 +63,11 @@ if [ ! -z "$1" ]; then
 	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
     done
 else
-    ${SETFILES} ${OUTFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
+    if [ "x$FILESYSTEMSRO" != "x" ]; then
+        echo "Warning: Skipping the following R/O filesystems:"
+        echo "$FILESYSTEMSRO"
+    fi
+    ${SETFILES} ${OUTFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMSRW} 2>&1 | tee $LOGFILE
 fi
 }
 
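Review bot: The R/O warning printed by the two `echo` lines goes only to stdout, because `tee $LOGFILE` sits on the setfiles pipeline alone, so the log file carries no record that a filesystem was skipped. A skipped filesystem can still hold mislabeled files, so the skip should be logged as well; wrapping the `if` block and the setfiles call in one group, `{ ...; } 2>&1 | tee $LOGFILE`, would capture both. The same applies to the identical block in the following hunk (`@@ -73,7 +80,11`). The new setfiles line here also still passes `${OUTFILES}` twice, which looks unintended. The enclosing function starts before this hunk, so its name and the mode it implements are not visible.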
@@ -73,7 +80,11 @@ if [ ! -z "$1" ]; then
 	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
     done
 else
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
+    if [ "x$FILESYSTEMSRO" != "x" ]; then
+        echo "Warning: Skipping the following R/O filesystems:"
+        echo "$FILESYSTEMSRO"
+    fi
+    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMSRW} 2>&1 | tee $LOGFILE
 fi
 }
 relabelCheck() {
