Fix the following ambiguous output (from booting with init=/bin/sh):
# /usr/sbin/fixfiles onboot
/usr/sbin/fixfiles: line 313: /.autorelabel: Read-only file system
/usr/sbin/fixfiles: line 317: /.autorelabel: Read-only file system
System will relabel on next boot
System will not
On 09/05/17 19:28, James Carter wrote:
We normally add a "signed-off-by" line to patches. Can I add
"Signed-off-by: Alan Jenkins <alan.christopher.jenk...@gmail.com>" to
your patches?
Jim
Please do. Sorry, it looks like I forgot about that after the first few
I
* `fixfiles -B relabel` or `fixfiles -C previouscontext relabel` would
skip the code that handles e.g. `/var/tmp`, which would be run by
`fixfiles relabel`. It would still remove all files in /tmp (subject to
user confirmation). This is confusing, undocumented, and unlikely to
be
This commit allows the use of `set -u` to detect reads of unset variables.
But what I really liked was making the code more explicit about these
modes. I hope that this is easier for a new reader to reason about.
`fixfiles restore` has accumulated five different modes it can run in.
Now use a
It helps see the differences (hopefully there are only intended differences
now!).
---
policycoreutils/scripts/fixfiles | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index cff..0a4 100755
---
DIRS was suspicious because you can't store file names in a normal variable,
and it's not that common to use arrays in bash. It's not actually used.
While we're here, there's another variable which is never used
and should just be removed. (Pointed out by `shellcheck`.
It makes a couple of
This was supposedly fixed in 2009.
http://selinux.fedoraproject.narkive.com/ZskMsNrx/fixfiles-f-option
`-F` was mentioned again in 2013 (commit 2910ca21).
It doesn't look like `-F -C` was fixed though.
---
policycoreutils/scripts/fixfiles | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Make sure usage() in fixfiles shows all the current options.
It's printed when there's a user error, so it needs to be
helpful! (Excluding the deprecated option - see below).
manpage:
Remove the deprecated option `-l logfile`.
Add missing space in `restore|[-f] relabel`.
It's not clear why
`fixfiles -R -a` is much less useful than it was made to sound, because -R
now works recursively. Therefore `fixfiles -R -a` relabels every file on
the system, multiple times. On my system it took over 5 times as long as
plain `fixfiles` (which takes about a minute).
---
$ shellcheck fixfiles
...
In fixfiles line 94:
[[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
^-- SC2076: Don't quote rhs of =~, it'll match
literally rather than as a regex.
---
policycoreutils/scripts/fixfiles | 2 +-
1 file
New users may try something like `fixfiles restore -v /dir/file` -
not realizing they are required to use `fixfiles -v restore /dir/file`.
Detect that `restorecon` aborts due to being run on the non-existent file
`-v`, and stop immediately. This will show the error much more clearly,
instead of
The idea is to print a usage error, then terminate with EXIT_FAILURE.
Don't print the usage error twice when run with no command.
Don't try to check for bogus extra arguments _after_
performing a long-running operation... particularly
if that operation terminates the script with EXIT_SUCCESS
setfiles is now run with $exclude_dirs.
We shouldn't need to patch the file contexts as well.
This is fortunate, since the file context patching code was broken
(by the same commit which introduced the redundancy). It takes the
list of directories to exclude from $tempdirs, but $tempdirs is
...and write log messages to standard output.
Some versions of fixfiles in 2004 created a logfile by default.
Apparently they also used `tee` to log to standard output at the same time.
We're also told that the logfile was implemented because there was too
much output generated for use on a tty,
This reverts commit ac7899fc3ad6221e195dd13cdf14b346897314ae,
which is not yet part of an officially tagged release
(or release candidate).
`LOGFILE=/proc/self/fd/1` was wrong.
`LOGFILE=$(tty)` was being relied on in one case (exclude_dirs),
to log messages from a function run specifically with
The usage of exclude_dirs() is non-obvious.
It turns out it is only used by the `-C` mode of fixfiles. The other four
modes use the narrower list generated by exclude_dirs_from_relabelling().
Let's make this distinction more obvious.
(The purpose of the extra exclusions is not clear. E.g.
Move call to logit() outside a function which has its output redirected.
See next commit for explanation.
The logit calls are moved into a new function LogExcluded(), similar to
LogReadOnly(). I don't see a pretty way to resolve this, so I just went
for the most explicit approach I could think
Sorry, I see this has already been addressed.
On 24/04/17 13:06, Alan Jenkins wrote:
On 20/04/17 15:38, Guido Trentalancia wrote:
Remove semanage read and transaction lock files upon releasing
them.
What prevents this sequence?
A release lock
B acquire lock
A unlink lock
On 20/04/17 15:38, Guido Trentalancia wrote:
Remove semanage read and transaction lock files upon releasing
them.
What prevents this sequence?
A release lock
B acquire lock
A unlink lock file
C create lock file
C acquire lock
Signed-off-by: Guido Trentalancia
where there are error messages - the prefix will make them
stand out visually.
Signed-off-by: Alan Jenkins <alan.christopher.jenk...@gmail.com>
---
policycoreutils/setfiles/setfiles.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/setfiles/setfile
https://bugzilla.redhat.com/show_bug.cgi?id=1435894
When output to a non-tty (as caused by the implementation of fixfiles),
stdout is fully buffered. stdout should be flushed before writes to
stderr.
See e.g. https://news.ycombinator.com/item?id=1271015
Signed-off-by: Alan Jenkins
backspace characters on non-TTY outputs.
Signed-off-by: Alan Jenkins <alan.christopher.jenk...@gmail.com>
---
policycoreutils/scripts/fixfiles | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index
I accidentally ran `fixfiles "a b"` during testing. Let's fix this too.
Before:
/sbin/fixfiles: line 394: [: a: binary operator expected
Usage: ...
After:
Usage: ...
Signed-off-by: Alan Jenkins <alan.christopher.jenk...@gmail.com>
---
policycoreutils/scrip
/fs/cgroup
/sbin/restorecon: lstat(a b) failed: No such file or directory
Signed-off-by: Alan Jenkins <alan.christopher.jenk...@gmail.com>
---
policycoreutils/scripts/fixfiles | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policyc
s deprecated. This has now been made clear by
> > displaying
> > a message to stderr.
> >
> > The documentation has also been updated to reflect these changes.
> >
> > Reported-by: Alan Jenkins <alan.christopher.jenk...@gmail.com>
> > Si
On 24/01/17 19:46, Stephen Smalley wrote:
Disable generating filespec hash table stats on non-debug builds,
as they are not useful information for users and cause fixfiles
check to produce noisy output.
Reported-by: Alan Jenkins <alan.christopher.jenk...@gmail.com>
Signed-off-by: S
On 24/01/17 19:39, Stephen Smalley wrote:
Define a logging callback for libselinux so that any informational
or error messages generated by libselinux functions are properly
prefixed with the program name and routed to the proper output stream.
Makes sense.
It's a shame it makes the info
derated lists. (Hmm...)
On 23/01/17 15:09, Stephen Smalley wrote:
>
> On Mon, 2017-01-23 at 14:54 +, Alan Jenkins wrote:
>>
>> On 23/01/2017, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>>>
>>> Hi,
>>>
>>> You attempte
ls on /tmp".
3. `function logit` is retained, but the logfile is also written to
outside this function. Implementing support for the system log
would require another function which accepts piped input.
Also see point 1.
Signed-off-by: Alan Jenkins <alan.christopher.jenk...@gmail.co
On 13/01/2017, Stephen Smalley wrote:
> $ touch /tmp/foo
> $ chcon -t etc_t /tmp/foo
> $ restorecon /tmp/foo
> Warning no default label for /tmp/foo
> $ restorecon -R /tmp/foo
> Warning no default label for /tmp/foo
> $ restorecon -R /tmp
Thanks again!
restorecon works as
On 13/01/17 19:56, Alan Jenkins wrote:
On 13/01/17 19:38, Stephen Smalley wrote:
On Fri, 2017-01-13 at 13:29 -0500, Daniel J Walsh wrote:
On 01/13/2017 10:27 AM, Stephen Smalley wrote:
On Fri, 2017-01-13 at 09:48 -0500, Stephen Smalley wrote:
On Thu, 2017-01-12 at 23:42 +, Alan Jenkins
On 13/01/17 19:38, Stephen Smalley wrote:
On Fri, 2017-01-13 at 13:29 -0500, Daniel J Walsh wrote:
On 01/13/2017 10:27 AM, Stephen Smalley wrote:
On Fri, 2017-01-13 at 09:48 -0500, Stephen Smalley wrote:
On Thu, 2017-01-12 at 23:42 +, Alan Jenkins wrote:
My main puzzle here[*] is why
wrong.
.B selinux (8)
commits both of the above mistakes.
.BR selinux (8), apparmor (8)
omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
Correct all the above using the following markup:
.BR selinux (8),
.BR apparmor (8)
Sig