The default relabeling of the system only affects the Type Field in targeted policy. If you switch from targeted to MLS we want the user to pass the -F flag to the relabel. I am changing fixfiles onboot to record the options passed in, into the /.autorelabel command. I need fedora-autorelabel to pass them onto fixfiles restore.
Created attachment 687739
This patch implements the change. We need this to get into RHEL7.
Patch committed to upstream -> http://git.fedorahosted.org/cgit/initscripts.git/commit/?id=a572110dfafc51e5b5eee8fcfd1e0ca59f94202c -> post
This doesn't handle autorelabeling based on the kernel commandline - how should we do this?
I guess we could do autorelabel=-F, and then have the scripts handle this.
-F isn't the default because it touches everything, making it a much more time-consuming operation, correct?
No, it is more about hammering MCS/MLS Separation. For example, running -F on an openshift machine would force all of the gears to have the same MCS Label, not something we want. Similarly, as we move forward with more and more MCS Separation, sandbox, Security Containers, OpenShift, VMs we want to preserve these labels if at all possible.
Created attachment 690391
autorelabel=-F in cmdline
So if we want to have an option to pass the -F argument from the kernel cmdline, I would like to propose this patch. What do you think?
I am working on a little more elaborate patch. I think you take whatever the value is and stick it in options.
    if strstr "$cmdline" 'autorelabel' ; then
        for i in $cmdline; do
            if strstr $i autorelabel; then
                OPTIONS=$i;
            fi
        done;
    else
        OPTIONS=`cat /.autorelabel`
    fi
    /sbin/fixfiles $OPTIONS restore > /dev/null 2>&1
Created attachment 690477
Updated patch to handle command line options from the kernel.
I believe this patch will pass any options passed on the command line to autorelabel to the fixfiles restore command.
    autorelabel
    autorelabel=-F
    autorelabel=-B
Should all work.
Since there is an eval in your patch, don't you think it can be used to execute some additional command through autorelabel option?
Bill, is that a concern? I.e., if I can get to the kernel boot prompt, I can basically take the machine over. If this is not allowed, then I can change it to specify individual commands.
I'd just do it via shell commands other than eval i.e.:
    for item in $(cat /proc/cmdline) ; do
        [ "${item}" != "${item##autorelabel}" ] && autorelabel="${item##autorelabel}"
    done
Or something along those lines.
Created attachment 691605
Another pass using Bill's fix but also need to watch for "autorelabel" without the =
Created attachment 691606
This patch goes along with the other patch to run "fixfiles -B onboot" instead of touch /.autorelabel
fixfiles -B onboot
Will record the date that the command was executed in the .autorelabel file.
    # fixfiles -B onboot
    # cat /.autorelabel
    -N 2013-02-01
Then when the system boots with SELinux enabled, the fixfiles script will search for all files created since this date (inclusive).
Created attachment 692721
Fixed patch with Bill's suggested approach
Your patch looks sane, however the for cycle was there twice. I removed the outer one, so it should be ok now.
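The eval concern and the parameter-expansion approach discussed in this thread, as an added example that is not taken from any of the attached patches or from initscripts: the option is read with plain pattern matching and checked against an allowlist before it would ever reach fixfiles. The helper name parse_autorelabel and the allowlist (only the -F and -B flags mentioned above) are assumptions, and the sample command lines are constructed.

```shell
# Added example: read "autorelabel[=OPT]" from a kernel command line
# without eval. parse_autorelabel is a hypothetical helper name.
# Prints the accepted option (possibly empty) and returns 0;
# returns 1 if autorelabel is absent, 2 if the value is not allowlisted.
parse_autorelabel() (
    # The body runs in a subshell, so set -f and the variables stay local.
    set -f                      # no glob expansion while word-splitting $1
    found=no opts=
    for item in $1; do
        case $item in
            autorelabel)   found=yes; opts= ;;              # bare form, no "="
            autorelabel=*) found=yes; opts=${item#autorelabel=} ;;
        esac
    done
    [ "$found" = yes ] || exit 1
    case $opts in
        ''|-F|-B) printf '%s\n' "$opts" ;;   # assumed allowlist
        *)        exit 2 ;;                  # rejected, never executed
    esac
)

# Constructed sample command lines (not from a real system).
for sample in \
    'ro root=/dev/sda1 autorelabel=-F quiet' \
    'ro root=/dev/sda1 autorelabel' \
    'ro root=/dev/sda1 autorelabel=-F;id'
do
    if opts=$(parse_autorelabel "$sample"); then
        echo "accepted: fixfiles ${opts:+$opts }restore"
    else
        echo "not relabeling with: $sample"
    fi
done
```

The demo loop only echoes the command it would run; the third sample is refused because the whole token after the = has to match the allowlist exactly.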