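#!/bin/bash
# fixfiles
#
# Script to restore labels on a SELinux box
#
# Copyright (C) 2004-2013 Red Hat, Inc.
# Authors: Dan Walsh <dwalsh@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

#
# seclabel support was added in 2.6.30. This function prints a positive
# number if the current kernel version is greater than 2.6.30, a negative
# number if the current is less than 2.6.30 and 0 if they are the same.
# The result is written to stdout (callers capture it), not returned as an
# exit status.
#
function useseclabel {
    VER=`uname -r`
    SUP=2.6.30
    expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \
         '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
         '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')'
}

#
# Get all mount points that support labeling. Use the 'seclabel' field if it
# is available. Else fall back to known fs types which likely support xattrs
# and we know were not context mounted.
# Prints one mount point per line.
#
get_all_labeled_mounts() {
    FS="`cat /proc/self/mounts | sort | uniq | awk '{print $2}'`"
    for i in $FS; do
        if [ `useseclabel` -ge 0 ]
        then
            grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)seclabel(,|$)' && echo $i
        else
            grep " $i " /proc/self/mounts | grep -v "context=" | egrep --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i
        fi
    done
}

#
# Print the labeled mount points whose mount options include 'rw'.
#
get_rw_labeled_mounts() {
    FS=`get_all_labeled_mounts | sort | uniq`
    for i in $FS; do
        grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)rw(,|$)' && echo $i
    done
}

#
# Print the labeled mount points whose mount options include 'ro'.
#
get_ro_labeled_mounts() {
    FS=`get_all_labeled_mounts | sort | uniq`
    for i in $FS; do
        grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)ro(,|$)' && echo $i
    done
}

#
# Get the default label returned from the kernel for a file with a label the
# kernel does not understand
#
get_undefined_type() {
    SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'`
    cat ${SELINUXMNT}/initial_contexts/unlabeled | secon -t
}

#
# Get the default label for a file without a label
#
get_unlabeled_type() {
    SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'`
    cat $SELINUXMNT/initial_contexts/file | secon -t
}

#
# Build the "-e DIR" exclusion arguments from
# /etc/selinux/fixfiles_exclude_dirs and print them on stdout.
# Each accepted directory is also reported through logit.
#
exclude_dirs_from_relabelling() {
    # Kept in a variable: a quoted right-hand side of =~ is matched as a
    # literal string, so the original quoted pattern never acted as a regex.
    local comment_re='^[[:blank:]]*#'
    exclude_from_relabelling=
    if [ -e /etc/selinux/fixfiles_exclude_dirs ]
    then
        while read i
        do
            # skip blank line and comment
            # skip not absolute path
            # skip not directory
            [ -z "${i}" ] && continue
            [[ "${i}" =~ $comment_re ]] && continue
            [[ ! "${i}" =~ ^/.* ]] && continue
            [[ ! -d "${i}" ]] && continue
            exclude_from_relabelling="$exclude_from_relabelling -e $i"
            logit "skipping the directory $i"
        done < /etc/selinux/fixfiles_exclude_dirs
    fi
    echo "$exclude_from_relabelling"
}

#
# Print the "-e DIR" exclusion arguments used by diff_filecontext: the
# built-in list below (only entries that exist) followed by the entries
# from /etc/selinux/fixfiles_exclude_dirs.
#
exclude_dirs() {
    exclude=
    # /dev was listed twice in the original list; once is enough.
    for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp; do
        [ -e $i ] && exclude="$exclude -e $i";
    done
    exclude="$exclude `exclude_dirs_from_relabelling`"
    echo "$exclude"
}

#
# Set global Variables
#
fullFlag=0
BOOTTIME=""
VERBOSE="-p"
FORCEFLAG=""
DIRS=""
# RPMFILES was misspelled "RPMILES" here, so it was never initialised.
# RPMFILES, PREFC and FILEPATH all select what restore() does; they are set
# explicitly so that only -R, -C and the positional arguments choose them,
# never a value inherited from the caller's environment.
RPMFILES=""
PREFC=""
FILEPATH=""
LOGFILE=`tty`
if [ $? != 0 ]; then
    LOGFILE="/dev/null"
fi
LOGGER=/usr/sbin/logger
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts`
FILESYSTEMSRO=`get_ro_labeled_mounts`
FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
SELINUXTYPE="targeted"
if [ -e /etc/selinux/config ]; then
    # The config file is sourced, i.e. executed as shell code with this
    # script's privileges; it must be writable by root only.
    . /etc/selinux/config
    FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
else
    FC=/etc/security/selinux/file_contexts
fi

#
# Append a message to LOGFILE (the controlling tty, /dev/null, or the path
# given with -l).
# LOGFILE is opened for append with this script's privileges and the
# redirection follows symlinks, so a -l path should live in a directory
# that only root can write to.
#
logit () {
    # Quoted: an unquoted empty $LOGFILE made the -n test always true.
    if [ -n "$LOGFILE" ]; then
        echo $1 >> "$LOGFILE"
    fi
}
#
# Find files newer than the passed in date and fix the label
#
newer() {
    DATE=$1
    for m in `echo $FILESYSTEMSRW`; do
        find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} -i -0 -f -
    done;

}

#
# Compare PREVious File Context to currently installed File Context and
# run restorecon on all files affected by the differences.
#
diff_filecontext() {
if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
    TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
    test -z "$TEMPFILE" && exit
    PREFCTEMPFILE=`mktemp ${PREFC}.XXXXXXXXXX`
    sed -r -e 's,:s0, ,g' $PREFC | sort -u > ${PREFCTEMPFILE}
    sed -r -e 's,:s0, ,g' $FC | sort -u | \
    /usr/bin/diff -b ${PREFCTEMPFILE} - | \
        grep '^[<>]'|cut -c3-| grep ^/ | \
        egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
    sed -r -e 's,[[:blank:]].*,,g' \
           -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
           -e 's|([/[:alnum:]])\?|{\1,}|g' \
           -e 's|\?.*|*|g' \
           -e 's|\{.*|*|g' \
           -e 's|\(.*|*|g' \
           -e 's|\[.*|*|g' \
           -e 's|\.\*.*|*|g' \
           -e 's|\.\+.*|*|g' | \
        # These two sorts need to be separate commands \
    sort -u | \
    sort -d | \
    while read pattern ; \
        do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
              echo "$pattern"; \
              case "$pattern" in *"*") \
                   echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};;
              esac; \
           fi; \
        done | \
    ${RESTORECON} ${VERBOSE} -i -f - -R `exclude_dirs`; \
    rm -f ${TEMPFILE} ${PREFCTEMPFILE}
fi
}
#
# Log all Read Only file systems
#
LogReadOnly() {
    if [ ! -z "$FILESYSTEMSRO" ]; then
        logit "Warning: Skipping the following R/O filesystems:"
        logit "$FILESYSTEMSRO"
    fi
}

#
# Print the files of rpm package $1 whose file state is 0; complain on
# stderr when the rpm query itself fails.
#
rpmlist() {
    rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
    [ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
}

#
# restore
# if called with -n will only check file context
#
# $1 is the action name (Relabel, Check or Verify); the remaining arguments
# are passed through to restorecon/setfiles. Depending on PREFC, BOOTTIME
# and RPMFILES this function exits the script instead of returning.
#
restore () {
OPTION=$1
shift

if [ ! -z "$PREFC" ]; then
    diff_filecontext $*
    exit $?
fi
if [ ! -z "$BOOTTIME" ]; then
    newer $BOOTTIME
    exit $?
fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
LogReadOnly
#
exclude_dirs="`exclude_dirs_from_relabelling $OPTION`"
if [ -n "${exclude_dirs}" ]
then
    # NOTE(review): this copy of file_contexts is only removed on the full
    # Relabel path at the end of this function; the Check/Verify, RPMFILES
    # and FILEPATH paths leave it behind next to the real file_contexts.
    TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
    test -z "$TEMPFCFILE" && exit
    /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
    # The original expanded ${tempdirs}, which is never set, so the loop
    # below never ran and no <<none>> entry was written. Strip the " -e "
    # separators only, so a path that merely contains "-e" is left intact.
    tmpdirs=${exclude_dirs// -e / }
    for p in ${tmpdirs}
    do
        p="${p%/}"
        p1="${p}(/.*)? -- <<none>>"
        echo "${p1}" >> $TEMPFCFILE
        logit "skipping the directory ${p}"
    done
FC=$TEMPFCFILE
fi
if [ ! -z "$RPMFILES" ]; then
    for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
        rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> "$LOGFILE"
    done
    # NOTE(review): this is the status of the last pipeline's final stage
    # (cat), not of restorecon.
    exit $?
fi
if [ ! -z "$FILEPATH" ]; then
    # Quoted so a path with whitespace or glob characters reaches
    # restorecon as one argument.
    ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* "$FILEPATH" 2>&1 | cat >> "$LOGFILE"
    return
fi
if [ -n "${FILESYSTEMSRW}" ]; then
    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
    ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> "$LOGFILE"
else
    echo >&2 "fixfiles: No suitable file systems found"
fi
if [ ${OPTION} != "Relabel" ]; then
    return
fi
echo "Cleaning up labels on /tmp"
rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE

UNDEFINED=`get_undefined_type` || exit $?
UNLABELED=`get_unlabeled_type` || exit $?
# NOTE(review): /tmp and /var/tmp hold entries created by other users, and
# chcon dereferences symlinks by default, so a matching symlink gets its
# target relabelled rather than the link itself. Consider "chcon -h" so that
# only the matched entry is touched.
find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete
find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \;
find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
[ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
exit 0
}

#
# Empty /tmp, then relabel.
#
fullrelabel() {
    logit "Cleaning out /tmp"
    find /tmp/ -mindepth 1 -delete
    LogReadOnly
    restore Relabel
}

#
# Relabel, asking first whether /tmp should be cleaned out unless -f was
# given or an rpm list (-R) is being processed.
#
relabel() {
    if [ ! -z "$RPMFILES" ]; then
        restore Relabel
    fi

    if [ $fullFlag == 1 ]; then
        fullrelabel
    fi

    echo -n "
    Files in the /tmp directory may be labeled incorrectly, this command
    can remove all files in /tmp. If you choose to remove files from /tmp,
    a reboot will be required after completion.

    Do you wish to clean out the /tmp directory [N]? "
    read answer
    if [ "$answer" = y -o "$answer" = Y ]; then
        fullrelabel
    else
        restore Relabel
    fi
}

process() {
#
# Make sure they specified one of the three valid commands
#
case "$1" in
    restore) restore Relabel;;
    check) VERBOSE="-v"; restore Check -n;;
    verify) restore Verify -n -o -;;
    relabel) relabel;;
    onboot)
        > /.autorelabel
        [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
        [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
        # Force full relabel if / does not have a label on it
        getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel
        echo "System will relabel on next boot"
        ;;
    *)
        usage
        exit 1
esac
}
usage() {
    echo $"""
Usage: $0 [-v] [-F] [-N time ] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]
or
Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify }
or
Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
or
Usage: $0 [-F] [-B] onboot
"""
}

if [ $# = 0 ]; then
    usage
    exit 1
fi

# See how we were called.
while getopts "N:BC:FfR:l:v" i; do
    case "$i" in
        B)
            BOOTTIME=`/bin/who -b | awk '{print $3}'`
            ;;
        f)
            fullFlag=1
            ;;
        v)
            VERBOSE="-v"
            ;;
        R)
            RPMFILES=$OPTARG
            ;;
        l)
            LOGFILE=$OPTARG
            ;;
        C)
            PREFC=$OPTARG
            ;;
        F)
            FORCEFLAG="-F"
            ;;
        N)
            BOOTTIME=$OPTARG
            ;;
        *)
            usage
            exit 1
    esac
done
# Move out processed options from arguments
shift $(( OPTIND - 1 ))

# Check for the command
command=$1
# Quoted, and exits here: the original went on to a failing shift and
# printed the usage text a second time from process() before exiting 1.
if [ -z "$command" ]; then
    usage
    exit 1
fi

# Move out command from arguments
shift

#
# check if they specified both DIRS and RPMFILES
#

if [ ! -z "$RPMFILES" ]; then
    process $command
    if [ $# -gt 0 ]; then
        usage
    fi
else
    if [ -z "$1" ]; then
        process $command
    else
        while [ -n "$1" ]; do
            FILEPATH=$1
            process $command
            shift
        done
    fi
fi
exit $?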