[Rpm-maint] [PATCH 13/18] Relabel files using restorecon

Steve Lawrence slawrence at tresys.com
Wed Dec 23 20:57:33 UTC 2009


If policy installation is postponed due to missing dependencies, it is
possible that file contexts have changed after files have been put on the
system. In this case, relabel all files using restorecon.

If restorecon fails, let the user know that files may be mislabeled.
Additionally, restorecon fails to execute in chroots because of the
missing selinuxfs, but does not return an error code. In these cases,
do not execute restorecon and let the user know files may be mislabeled.
---
 configure.ac      |    1 +
 lib/transaction.c |   54 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 macros.in         |    1 +
 3 files changed, 55 insertions(+), 1 deletions(-)

diff --git a/configure.ac b/configure.ac
index 47c2b82..3ff28a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -140,6 +140,7 @@ AC_PATH_PROG(__FILE, file, /usr/bin/file, $MYPATH)
 AC_PATH_PROG(__GPG, gpg, /usr/bin/gpg, $MYPATH)
 AC_PATH_PROG(__GREP, grep, /bin/grep, $MYPATH)
 AC_PATH_PROG(__GZIP, gzip, /bin/gzip, $MYPATH)
+AC_PATH_PROG(__RESTORECON, restorecon, /sbin/restorecon, $MYPATH)
 AC_PATH_PROG(__UNZIP, unzip, /usr/bin/unzip, $MYPATH)
 
 AC_PATH_PROG(__ID, id, /usr/bin/id, $MYPATH)
diff --git a/lib/transaction.c b/lib/transaction.c
index 9e6ea28..91182c3 100644
--- a/lib/transaction.c
+++ b/lib/transaction.c
@@ -1134,6 +1134,54 @@ static int runTransScripts(rpmts ts, rpmTag stag)
 }
 
 /*
+ * Execute `restorecon -R /` to relabel the file system
+ * @param ts	rpm transaction set
+ * @return		RPMRC_OK if restorecon ran with no problems, RPMRC_FAIL otherwise
+ */
+static rpmRC rpmtsRelabelFiles(rpmts ts)
+{
+	pid_t pid;
+	int status;
+	const char * rootDir;
+	rpmRC rc = RPMRC_FAIL;
+
+	if (!ts) {
+		return rc;
+	}
+
+	rootDir = rpmtsRootDir(ts);
+	if (rootDir != NULL && !rstreq(rootDir, "/") && *rootDir == '/') {
+		/* relabeling files in a chroot is not supported */
+		goto exit;
+	}
+
+	/* execute restorecon -R / */
+	pid = fork();
+	switch (pid) {
+	case -1:
+		rpmlog(RPMLOG_ERR, "Failed to fork process: %s\n", strerror(errno));
+		goto exit;
+		break;
+	case 0:
+		freopen("/dev/null", "r", stdin);
+		freopen("/dev/null", "w", stdout);
+		freopen("/dev/null", "w", stderr);
+		execl(rpmExpand("%{__restorecon}", NULL), "restorecon", "-R", "/", NULL);
+		exit(1);
+	default:
+		waitpid(pid, &status, 0);
+		if (!WIFEXITED(status) || WEXITSTATUS(status)) {
+			goto exit;
+		}
+	}
+
+	rc = RPMRC_OK;
+
+exit:
+	return rc;
+}
+
+/*
  * Extract and load selinux policy for transaction set
  * @param ts	Transaction set
  * @return	RPMRC_OK on success, rpmRC error code otherwise
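Review bot: The return value of waitpid() in the `default:` arm is not checked, so if the call fails (for instance interrupted by a signal) `status` is read uninitialized by WIFEXITED/WEXITSTATUS on the following line; change it to `if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status)) goto exit;` (or retry while errno is EINTR). In the child arm, `exit(1)` after a failed execl runs the parent's atexit handlers and flushes inherited stdio buffers a second time; `_exit(1)` is the usual choice after fork(). The `break;` after `goto exit;` in the `case -1` arm is unreachable and can be dropped.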
@@ -1698,7 +1746,11 @@ int rpmtsRun(rpmts ts, rpmps okProbs, rpmprobFilterFlags ignoreSet)
 		chdir(rpmtsCurrDir(ts));
 	}
 
-	rpmtsLoadPolicy(ts);
+	if (rpmtsLoadPolicy(ts) == RPMRC_OK) {
+		if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS) && rpmtsRelabelFiles(ts) != RPMRC_OK) {
+			rpmlog(RPMLOG_WARNING, "Failed to relabel files after installing policy. Some files may be mislabeled.\n");
+		}
+	}
     }
 
     /* Finish up... */
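Review bot: The new `if (rpmtsLoadPolicy(ts) == RPMRC_OK)` block runs a full-filesystem `restorecon -R /` after every successful policy load, while the commit message motivates the relabel only for the case where policy installation was postponed; unless rpmtsLoadPolicy (not visible here) returns RPMRC_OK only in that case, a comment such as `/* policy may have been loaded late; relabel so file contexts match the new policy */` above the block would record the intent, and the cost of a whole-tree relabel makes it worth stating. A non-OK return from rpmtsLoadPolicy still produces no diagnostic, so a failed policy load looks the same to the user as RPMTRANS_FLAG_NOCONTEXTS being set; consider logging it at the same place. rpmtsRun begins and ends outside the hunk.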
diff --git a/macros.in b/macros.in
index c7c6564..eee35d0 100644
--- a/macros.in
+++ b/macros.in
@@ -56,6 +56,7 @@
 %__patch		@__PATCH@
 %__perl			@__PERL@
 %__python		@__PYTHON@
+%__restorecon		@__RESTORECON@
 %__rm			@__RM@
 %__rsh			@__RSH@
 %__sed			@__SED@
-- 
1.6.0.6


