Fixfiles restore is called by auditrelabel, and was happening early in
the boot process, before the syslog system was up and running. A bug
in systemd was causing relabels to take forever, while it waited for
the syslog's to complete. This was fixed, but I still see no reason
to write thousands/millions of lines to syslog on a badly mislabled
machine and wanted this featured turned off.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
- improves the manual page for both setfiles and restorecon (formatting
including alphabetical re-ordering of options, undocumented options,
references and a few cosmetic changes);
- de-hardcodes a couple of constants in the source files and makes a
dynamic use of them to create the manual pages after the compilation
and prior to the installation: more specifically the constants are the
number of errors for the setfiles' validation process abort condition
and the sensitivity of the progress meter for both programs (uses
external programs grep and awk);
- improves the usage message for both programs and introduces a -h
(aliased with currently existing -?) option where not already
available;
- print out the usage message for restorecon when it is called without
arguments;
- white-space/tab conversion to get proper indentation towards the end
of the main source file.
[eparis add .gitignore]
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
The following patch aims to improve the manual page (section 8) for the
"genhomedircon" script (policycoreutils).
- remove probably redundant GNU licence notice;
- try to further clarify the functionality made available by the
"genhomedircon" script as well as all the configurable options that
control its execution and affect its behavior;
- extend the references section (SEE ALSO).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Only run setfiles if we have a R/W filesystem
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Move everything into /usr/* and just put links from /*. The whole /usr
thing hasn't really worked in all situations for a long long time. Just
accept that fact and move along.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch removes /root from the excluded dirs.
This also adds /var/lib/BackupPC to list of directories to ignore
labeling. Mainly because this directory tends to be Huge and causes a
huge spike in the amount of time it takes to relabel. Especially if
there is a relabel caused by a policy update.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is purely personal preference. Most of the Makefiles use $() for
Makefile variables, but a couple of places use ${}. Since this obscured
some later Makefile changes I figured I'd just make them all the same up
front.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We had a number of places where fixfiles would search for or set hard
coded types. If policy used something other than tmp_t var_t file_t or
unlabeled_t we would go wrong. This patch does 2 things. It uses the
kernel provided selinuxfs interfaces to determine the label on unlabeled
and unknown files and it uses the --reference option with chcon to set
new labels.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The type of a filesystem (ext*, btrfs, etc) really doesn't matter when
it comes to the ability to set labels. Stop trying to be smart and just
call restorecon. It will either work or it won't and out heuristic
isn't helping.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The kernel now outputs a mount option called 'seclabel' which indicates
if the filesystem supposed security labeling. Use that instead of
having to update some hard coded list of acceptable filesystems (that
may or may not be acceptable depending on if they were compiled with
security xattrs)
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We do this so we can eliminate foolish avcs about restorecon trying to
write to a random directory. We allow apps to communicate with fds
globably. So this allows the access no AVC's I am happy
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Introduce a new file /etc/selinux/fixfiles_exclude_dirs which contains a
list of directories which should not be relabeled.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
In the old fixfiles we had to make sure we only attempted to relabel
files that were on file systems that supported extended attributes.
With the new restorecon, we no longer need this.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
clean up /var/run and /var/lib/debug just like we do for /tmp and
/var/tmp since they can easily get unlabeled files.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We cannot reasonably relabel pipes and sockets in /tmp to tmp_t so just
delete them instead of trying to put and unuable label.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
fixfiles uses a find command then than pipes that to rm -f. Just use
the find delete predicate instead of causing all of those extra calls to
rm.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix the page to point to the the seusers file, not the seuser file.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
SELinux pythons applications should not allow the user to change the
sys.path
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Email: dwalsh@redhat.com
Subject: chcat fixes
Date: Thu, 21 May 2009 08:13:26 -0400
On 05/20/2009 04:05 PM, Chad Sellers wrote:
> On 5/20/09 3:00 PM, "Daniel J Walsh"<dwalsh@redhat.com> wrote:
>
>> Expansion of categores is still broken. Here is a patch to fix.
>>
> This message appears to be missing a patch.
>
> Thanks,
> Chad
>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Add btrfs to fixfiles.
Date: Wed, 20 May 2009 15:02:33 -0400
Hopefully the last time we will ever need to update. Once patch gets
out with kernel support to tell me which file systems support xattr, we
can remove this hack.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: patch to policycoreutils
Date: Wed, 01 Apr 2009 10:10:43 -0400
Multiple patches to policycoreutils.
First added /root/.ssh and /root/.ssh/* to allow people to place keys
in /root directory and have them labeled by restorcond
<snipdue to previously ack'd patch>
Clean up permissive domains creation in semanage so it does not leave
crap in /var/lib/selinux
---
Also have fixfiles operate recursively when in RPM mode, per:
Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Re: patch to policycoreutils
Date: Wed, 22 Apr 2009 21:50:48 -0400
If a package owned a directory like /var/lib/libvirt/images, when it is
relabeling we would want it to relabel not only the directory but the
contents of the directory
Signed-off-by: Chad Sellers <csellers@tresys.com>
