And another fixfiles comment... (was Re: fixfile.cron added.

Daniel J Walsh dwalsh at redhat.com
Thu Jul 8 15:45:47 UTC 2004


Valdis.Kletnieks at vt.edu wrote:

>On Thu, 01 Jul 2004 08:14:09 EDT, Daniel J Walsh <dwalsh at redhat.com>  said:
>  
>
>>Today's policycoreutils has a new cron job, fixfiles.cron, that will run 
>>in /etc/cron.daily. This script will run a check on the file system on 
>>    
>>
>
>Currently, fixfiles does some interesting grepping through the mounts
>to only work on R/W mounts.  This has 2 problems when run on a system
>that has many filesystems mounted with some combo of ro/nosuid/nodev/noexec:
>
>1) It's possible for the sysadmin to not realize that fixfiles isn't
>relabelling a filesystem because it's R/O (note that this problem is
>shared by the 'make relabel' target in /etc/selinux/*/src/policy/Makefile).
>
>2) If we're only checking, we should do R/O filesystems as well - the fact
>that they're R/O when the cronjob runs doesn't mean that they weren't R/W
>and picked up some bad labels at some previous time.
>
>Lightly tested patch:
>
>--- /sbin/fixfiles.dist	2004-06-30 13:40:47.000000000 -0400
>+++ /sbin/fixfiles	2004-07-05 04:53:24.000000000 -0400
>@@ -30,9 +30,12 @@ rpmFlag=0
> rpmFiles=""
> outfileFlag=0
> OUTFILES=""
>+logfileFlag=0
> LOGFILE=`mktemp /var/tmp/fixfiles.XXXXXXXXXX`  || exit 1
> SETFILES=/usr/sbin/setfiles
>-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*rw/{print $3}';`
>+FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
>+FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
>+FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
> SELINUXTYPE="targeted"
> 
> if [ -e /etc/selinux/config ]; then
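
Review bot: The new `FILESYSTEMSRW` and `FILESYSTEMSRO` assignments each run the full `mount | grep | egrep | awk` pipeline and differ only in `\(rw` versus `\(ro`, so the mount table is read twice and the two lists can disagree if a filesystem is remounted between the two calls. Capture the filtered `mount` output once in a variable and derive both lists from it. Separately, `logfileFlag=0` is added here but none of the hunks in this patch reads it; drop it or include the hunk that uses it.
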
>@@ -60,7 +63,11 @@ if [ ! -z "$1" ]; then
> 	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
>     done
> else
>-    ${SETFILES} ${OUTFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
>+    if [ "x$FILESYSTEMSRO" != "x" ]; then
>+        echo "Warning: Skipping the following R/O filesystems:"
>+        echo "$FILESYSTEMSRO"
>+    fi
>+    ${SETFILES} ${OUTFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMSRW} 2>&1 | tee $LOGFILE
> fi
> }
> 
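
Review bot: The skip warning in the `else` branch is written with plain `echo`, outside the `2>&1 | tee $LOGFILE` pipeline, so the list of skipped R/O filesystems never reaches `$LOGFILE`. Group the two `echo` lines with the `${SETFILES}` call in one `{ ...; }` block and pipe that block through `tee $LOGFILE`, so the log records what was skipped. The replacement line also keeps the doubled `${OUTFILES} ${OUTFILES}` from the line it removes; worth confirming whether that repetition is intended.
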
>@@ -73,7 +80,11 @@ if [ ! -z "$1" ]; then
> 	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
>     done
> else
>-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
>+    if [ "x$FILESYSTEMSRO" != "x" ]; then
>+        echo "Warning: Skipping the following R/O filesystems:"
>+        echo "$FILESYSTEMSRO"
>+    fi
>+    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMSRW} 2>&1 | tee $LOGFILE
> fi
> }
> relabelCheck() {
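
Review bot: The `${SETFILES}` call after the warning runs unconditionally, so when every matching filesystem is mounted R/O and `$FILESYSTEMSRW` is empty, `setfiles` is invoked with no filesystem arguments. Guard the call with a non-empty test on `$FILESYSTEMSRW`, the same way the warning is guarded on `$FILESYSTEMSRO`. The warning block is also a verbatim copy of the one in the previous hunk; a small shell function would keep the two call sites in sync.
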
>  
>
Added to fixfiles.

>  
>
>------------------------------------------------------------------------
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  
>



