blob: dd34b3a85e60d76306144c1dd29364bc833e2939 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
#!/bin/bash
# SELinux ALPM hook
# Relabel installed files after an install or an update
# Define a function to print an error mesage and exit
die() {
echo >&2 "$@"
exit 1
}
# Verify that the hook is running with / as current working directory
if [ "$(pwd)" != '/' ]; then
die 'Hook is being executed outside of root directory. Aborting.'
fi
# Do not do anything if SELinux is disabled
if sestatus | grep '^SELinux status:\s*disabled' > /dev/null; then
exit 0
fi
# Read package files from stdin, as restorecon may error out on any non-existing file
echo 'Relabeling package files...'
while read -r FILE; do
if [ -e "$FILE" ] || [ -L "$FILE" ] ; then
# Transmit existing files to restorecon
printf '%s\0' "$FILE"
else
# Only show a warning when a file does not exist as this is not fatal
echo >&2 "Ugh, an installed file does not exist: $FILE"
fi
done | xargs -0 /usr/bin/restorecon -F -T0 || die "Error while relabeling files"
# The install hooks of packages create files which got labelled with the wrong SELinux user
# (e.g. sysadm_u instead of system_u). Relabel all these files too.
# Check the order of this list with: sed -n '/^GEN_DIRS=/,/^)/{/^ /p}' |LANG=C sort -c
echo 'Relabeling generated directories...'
GEN_DIRS=(
'/boot/' # linux:99-linux.hook
'/etc/ca-certificates/extracted/' # ca-certificates-utils:update-ca-trust.hook
'/etc/gconf/' # gconf:gconf-install.hook
'/etc/ld.so.cache' # glibc install: ldconfig -r .
'/etc/pacman.d/gnupg/' # archlinux-keyring install: pacman-key --populate archlinux
'/etc/ssl/certs/' # ca-certificates-utils:update-ca-trust.hook
'/etc/systemd/user/' # gnupg install: install units in /etc/systemd/user/sockets.target.wants
'/etc/texmf/ls-R' # texlive-bin install: mktexlsr
'/etc/udev/hwdb.bin' # systemd:udev-hwdb.hook
'/etc/unbound/trusted-key.key' # unbound:unbound-key.hook
'/usr/lib/gdk-pixbuf-*/*/loaders.cache' # gdk-pixbuf2:gdk-pixbuf-query-loaders.hook
'/usr/lib/ghc-*/package.conf.d/' # ghc:ghc-register.hook, ghc:ghc-unregister.hook
'/usr/lib/gio/modules/' # glib2:gio-querymodules.hook
'/usr/lib/graphviz/' # graphviz install: dot -c
'/usr/lib/gtk-2.0/' # gtk2:gtk-query-immodules-2.0.hook
'/usr/lib/gtk-3.0/' # gtk3:gtk-query-immodules-3.0.hook
'/usr/lib/locale/locale-archive' # glibc install: locale-gen
'/usr/lib/modules/' # dkms:70-dkms-install.hook
'/usr/lib/vlc/plugins/plugins.dat' # vlc:update-vlc-plugin-cache.hook
'/usr/lib32/gdk-pixbuf-*/*/loaders.cache' # lib32-gdk-pixbuf2 install: gdk-pixbuf-query-loaders-32 --update-cache
'/usr/lib32/gio/modules/' # lib32-glib2:gio-querymodules-32.hook
'/usr/lib32/gtk-3.0/' # lib32-gtk3:gtk-query-immodules-3.0-32.hook
'/usr/share/.mono/certs' # mono install: cert-sync /etc/ssl/certs/ca-certificates.crt
'/usr/share/applications/mimeinfo.cache' # desktop-file-utils:update-desktop-database.hook
'/usr/share/doc/ghc/html/libraries/' # ghc:ghc-rebuild-doc-index.hook
'/usr/share/fonts/' # xorg-mkfontdir:xorg-mkfontdir.hook
'/usr/share/glib-2.0/schemas/' # glib2:glib-compile-schemes.hook
'/usr/share/icons/' # gtk-update-icon-cache:gtk-update-icon-cache.hook
'/usr/share/info/dir' # texinfo:texinfo-install.hook
'/usr/share/keepass/' # keepass install
'/usr/share/mime/' # shared-mime-info:update-mime-database.hook
'/usr/share/texmf*/ls-R' # texlive-bin:mktexlsr.hook
'/usr/share/vim/vimfiles/doc/tags' # vim-runtime:vimdoc.hook
'/var/cache/fontconfig/' # fontconfig:fontconfig.hook
'/var/cache/ldconfig/' # glibc install: ldconfig -r .
'/var/cache/man/' # man-db timer
'/var/cache/pacman/' # pacman
'/var/lib/dkms/' # dkms:70-dkms-install.hook
'/var/lib/pacman/' # pacman
'/var/lib/systemd/catalog/database' # systemd install: journalctl --update-catalog
'/var/lib/texmf/' # texlive-bin:mktexlsr.hook
)
# Do NOT put quotes around the array, so that wildcards get expanded
# shellcheck disable=SC2068
for DIR in ${GEN_DIRS[@]}; do
# Only relabel directories which exist
if [ -e "$DIR" ]; then
/usr/bin/restorecon -RF -T0 "$DIR" || die "Error while relabeling generated directories"
fi
done
|