Bug 904279
| Summary: | Patch to allow passing of -F from /.autorelabel to fixfiles restore to force relabeling of the entire system. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Walsh <dwalsh> |
| Component: | initscripts | Assignee: | Bill Nottingham <notting> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | iarlyy, jonathan, lnykryn, notting, plautrba, rvokal, vpavlin |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | initscripts-9.45-1.fc19 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-03-15 14:41:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Daniel Walsh
2013-01-25 22:50:36 UTC
Created attachment 687739 [details]
This patch implements the change.
We need this to get into RHEL7.
Patch committed to upstream -> http://git.fedorahosted.org/cgit/initscripts.git/commit/?id=a572110dfafc51e5b5eee8fcfd1e0ca59f94202c -> post

This doesn't handle autorelabeling based on the kernel command line - how should we do this?

I guess we could do autorelabel=-F, and then have the scripts handle this.

-F isn't the default because it touches everything, making it a much more time-consuming operation, correct?

No, it is more about hammering MCS/MLS separation. For example, running -F on an OpenShift machine would force all of the gears to have the same MCS label, not something we want. Similarly, as we move forward with more and more MCS separation (sandbox, security containers, OpenShift, VMs), we want to preserve these labels if at all possible.

Created attachment 690391 [details]
autorelabel=-F in cmdline
So if we want to have an option to pass the -F argument from the kernel cmdline, I would like to propose this patch. What do you think?
I am working on a little more elaborate patch.
I think you take whatever the value is and stick it in options.
```sh
# strstr is the substring helper from initscripts' /etc/rc.d/init.d/functions
if strstr "$cmdline" 'autorelabel' ; then
    # pick the autorelabel token out of the kernel command line
    for i in $cmdline; do
        if strstr $i autorelabel; then OPTIONS=$i; fi
    done;
else
    # otherwise fall back to whatever was written into /.autorelabel
    OPTIONS=`cat /.autorelabel`
fi
/sbin/fixfiles $OPTIONS restore > /dev/null 2>&1
```
Created attachment 690477 [details]
Updated patch to handle command line options from the kernel.
I believe this patch will pass any options passed on the command line to autorelabel to the fixfiles restore command.
autorelabel
autorelabel=-F
autorelabel=-B
Should all work.
Since there is an eval in your patch, don't you think it can be used to execute some additional command through the autorelabel option?

Bill, is that a concern? I.e. if I can get to the kernel boot prompt, I can basically take the machine over. If this is not allowed, then I can change it to specify individual commands.

I'd just do it via shell commands other than eval, i.e.:
```sh
for item in $(cat /proc/cmdline ) ; do
    # ${item##autorelabel} strips the prefix; if the token changed, it carried an
    # autorelabel option (the leading "=" is left in place)
    [ ${item} != ${item##autorelabel} ] && autorelabel=${item##autorelabel}
done
```
Or something along those lines.
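As an added example (not one of the patches attached to this bug), the same lookup done with parameter expansion and a case whitelist, so that no boot-parameter value ever reaches eval; it also covers the bare "autorelabel" token and the /.autorelabel fallback. The function name parse_autorelabel and its two arguments are assumptions made for this example, and its whitelist only covers the options discussed here.

```shell
#!/bin/sh
# parse_autorelabel CMDLINE FALLBACK_FILE
#   prints the options to place before "restore" in the fixfiles call:
#     autorelabel      -> ""   (plain relabel, MCS/MLS customisations kept)
#     autorelabel=-F   -> "-F" (force: every file gets the default label)
#     autorelabel=-B   -> "-B"
#   When no autorelabel token is present, the contents of FALLBACK_FILE
#   (/.autorelabel on a real system) are used instead, e.g. "-N 2013-02-01".
#   Returns 1 and prints nothing if a value is not a known fixfiles option.
parse_autorelabel() {
    cmdline=$1
    fallback=$2
    found=0
    opts=""
    set -f   # no pathname expansion while the unquoted values are split into words
    for item in $cmdline; do
        case "$item" in
            autorelabel)   found=1; opts="" ;;                    # bare token, no "="
            autorelabel=*) found=1; opts=${item#autorelabel=} ;;  # strip "autorelabel="
        esac
    done
    if [ "$found" -eq 0 ] && [ -f "$fallback" ]; then
        opts=$(cat "$fallback")
    fi
    # Whitelist covers only the options discussed in this bug (-F, -B, -N DATE);
    # extend it for other fixfiles flags. Anything else, including shell
    # metacharacters smuggled into the boot parameter, is rejected.
    for o in $opts; do
        case "$o" in
            -F|-B|-N) ;;
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;   # date argument to -N
            *) set +f; echo "autorelabel: rejected option '$o'" >&2; return 1 ;;
        esac
    done
    set +f
    printf '%s\n' "$opts"
}

# In an init script the real inputs would be:
#   OPTIONS=$(parse_autorelabel "$(cat /proc/cmdline)" /.autorelabel) || exit 1
#   /sbin/fixfiles $OPTIONS restore
```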
Created attachment 691605 [details]
Another pass using Bill's fix but also need to watch for "autorelabel" without the =
Created attachment 691606 [details]
This patch goes along with the other patch to run "fixfiles -B onboot" instead of touch /.autorelabel.

`fixfiles -B onboot` will record the date that the command was executed in the .autorelabel file.

```
# fixfiles -B onboot
# cat /.autorelabel
-N 2013-02-01
```

Then when the system boots with SELinux enabled, the fixfiles script will search for all files created since this date (inclusive).
Created attachment 692721 [details]
Fixed patch with Bill's suggested approach
Your patch looks sane; however, the for loop was there twice. I removed the outer one, so it should be ok now.