[Rpm-maint] [PATCH 13/19] Relabel files using restorecon

Steve Lawrence slawrence at tresys.com
Tue Feb 2 20:25:16 UTC 2010


If policy installation is postponed due to missing dependencies, it is
possible that file contexts have changed after files have been put on the
system. In this case, relabel all files using restorecon.

If restorecon fails, let the user know that files may be mislabeled.
Additionally, restorecon fails to execute in chroots because of the
missing selinuxfs, but does not return an error code. In these cases,
do not execute restorecon and let the user know files may be mislabeled.
---
 configure.ac      |    1 +
 lib/transaction.c |   87 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 macros.in         |    1 +
 3 files changed, 88 insertions(+), 1 deletions(-)

diff --git a/configure.ac b/configure.ac
index ec0673a..34feb63 100644
--- a/configure.ac
+++ b/configure.ac
@@ -101,6 +101,7 @@ AC_PATH_PROG(__FILE, file, /usr/bin/file, $MYPATH)
 AC_PATH_PROG(__GPG, gpg, /usr/bin/gpg, $MYPATH)
 AC_PATH_PROG(__GREP, grep, /bin/grep, $MYPATH)
 AC_PATH_PROG(__GZIP, gzip, /bin/gzip, $MYPATH)
+AC_PATH_PROG(__RESTORECON, restorecon, /sbin/restorecon, $MYPATH)
 AC_PATH_PROG(__UNZIP, unzip, /usr/bin/unzip, $MYPATH)
 AC_PATH_PROG(__ID, id, /usr/bin/id, $MYPATH)
 AC_PATH_PROG(__INSTALL, install, /usr/bin/install, $MYPATH)
diff --git a/lib/transaction.c b/lib/transaction.c
index 481e41e..3d25a83 100644
--- a/lib/transaction.c
+++ b/lib/transaction.c
@@ -9,6 +9,8 @@
 #endif
 
 #include <errno.h>
+#include <sys/types.h>
+#include <sys/wait.h>
 #include <rpm/rpmlib.h>		/* rpmMachineScore, rpmReadPackageFile */
 #include <rpm/rpmmacro.h>	/* XXX for rpmExpand */
 #include <rpm/rpmlog.h>
@@ -1135,6 +1137,85 @@ static int runTransScripts(rpmts ts, rpmTag stag)
 }
 
 /*
+ * Execute `restorecon -R /` to relabel the file system
+ * @param ts	rpm transaction set
+ * @return		RPMRC_OK if restorecon ran with no problems, RPMRC_FAIL otherwise
+ */
+static rpmRC rpmtsRelabelFiles(rpmts ts)
+{
+	rpmRC rc = RPMRC_FAIL;
+#if WITH_SELINUX
+	pid_t pid;
+	int status;
+	const char * rootDir;
+	int dochroot;
+
+	if (!ts) {
+		return rc;
+	}
+
+	/* enter chroot if necessary */
+	rootDir = rpmtsRootDir(ts);
+	dochroot = (rootDir != NULL && !rstreq(rootDir, "/") && *rootDir == '/');
+	if (dochroot) {
+		if (chdir("/") == -1) {
+			rpmlog(RPMLOG_ERR, "Failed to change directory: %s\n", strerror(errno));
+			goto exit;
+		}
+		if (chroot(rootDir) == -1) {
+			rpmlog(RPMLOG_ERR, "Failed to chroot to %s: %s\n", rootDir, strerror(errno));
+			goto exit;
+		}
+	}
+
+	if (!is_selinux_enabled()) {
+		/* restorecon silently fails if selinux is disabled. If this
+		 * is the case, dont even bother executing restorecon */
+		goto exit;
+	}
+
+	/* execute restorecon -R / */
+	pid = fork();
+	switch (pid) {
+	case -1:
+		rpmlog(RPMLOG_ERR, "Failed to fork process: %s\n", strerror(errno));
+		goto exit;
+		break;
+	case 0:
+		if (!rpmIsDebug()) {
+			freopen("/dev/null", "r", stdin);
+			freopen("/dev/null", "w", stdout);
+			freopen("/dev/null", "w", stderr);
+		}
+		execl(rpmExpand("%{__restorecon}", NULL), "restorecon", "-R", "/", NULL);
+		exit(1);
+	default:
+		waitpid(pid, &status, 0);
+		if (!WIFEXITED(status) || WEXITSTATUS(status)) {
+			goto exit;
+		}
+	}
+#endif				/* WITH_SELINUX */
+
+	rc = RPMRC_OK;
+
+exit:
+
+#if WITH_SELINUX
+	/* exit chroot */
+	if (dochroot) {
+		if (chroot(".") == -1) {
+			rpmlog(RPMLOG_ERR, "Failed to exit chroot: %s\n", strerror(errno));
+			rc = RPMRC_FAIL;
+		}
+		chdir(rpmtsCurrDir(ts));
+	}
+#endif				/* WITH_SELINUX */
+
+	return rc;
+}
+
+/*
  * Extract and load selinux policy for transaction set
  * @param ts	Transaction set
  * @return	RPMRC_OK on success, rpmRC error code otherwise
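Review bot: The exit path at `chroot(".")` assumes the chroot was actually entered, but the `chdir("/")` failure branch jumps to `exit` with `dochroot` still set, so the process root gets switched to whatever the current directory was and the following `chdir(rpmtsCurrDir(ts))` then resolves under that new root; clearing the flag before the jump, `dochroot = 0; goto exit;`, keeps that branch a no-op. The `waitpid()` result is also unchecked, so an EINTR return leaves `status` uninitialized before the WIFEXITED test; `if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status))` covers it. In the child, a failed execl should end with `_exit(1)` rather than `exit(1)`, which would flush the parent's duplicated stdio buffers and run its atexit handlers. Since the fork happens after `chroot(rootDir)`, the `%{__restorecon}` path is resolved inside the transaction root, which the header comment should state explicitly, e.g. `* Runs inside the transaction root when one is set; the binary executed is that root's own restorecon.`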
@@ -1706,7 +1787,11 @@ int rpmtsRun(rpmts ts, rpmps okProbs, rpmprobFilterFlags ignoreSet)
 		chdir(rpmtsCurrDir(ts));
 	}
 
-	rpmtsLoadPolicy(ts);
+	if (rpmtsLoadPolicy(ts) == RPMRC_OK) {
+		if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS) && rpmtsRelabelFiles(ts) != RPMRC_OK) {
+			rpmlog(RPMLOG_WARNING, "Failed to relabel files after installing policy. Some files may be mislabeled.\n");
+		}
+	}
     }
 #endif				/* WITH_SELINUX */
 
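Review bot: The relabel is gated only on `rpmtsLoadPolicy(ts) == RPMRC_OK`, and it is not visible here whether that call also returns RPMRC_OK when the transaction carries no policy package; if it does, every transaction would run a full `restorecon -R /`, which is far more than the postponed-policy case the commit message describes. Worth confirming against rpmtsLoadPolicy and, if needed, keying the relabel on an explicit "policy was installed" result. A non-OK return from rpmtsLoadPolicy is also dropped silently at this site; if that function does not log its own failure, a `rpmlog(RPMLOG_WARNING, ...)` in an else branch would tell the user why no relabel happened. rpmtsRun starts and ends outside the hunk.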
diff --git a/macros.in b/macros.in
index be98ba0..3be717d 100644
--- a/macros.in
+++ b/macros.in
@@ -57,6 +57,7 @@
 %__patch		@__PATCH@
 %__perl			@__PERL@
 %__python		@__PYTHON@
+%__restorecon		@__RESTORECON@
 %__rm			@__RM@
 %__rsh			@__RSH@
 %__sed			@__SED@
-- 
1.6.2.5


