Fix upgrade script. 60/143360/2 accepted/tizen/unified/20170810.172042 submit/tizen/20170809.105839
authorjin-gyu.kim <jin-gyu.kim@samsung.com>
Wed, 9 Aug 2017 10:46:22 +0000 (19:46 +0900)
committerjin-gyu.kim <jin-gyu.kim@samsung.com>
Wed, 9 Aug 2017 10:50:28 +0000 (19:50 +0900)
- Init DBs of cynara and security-manager.
- Backup and restore cynara default and ADMIN buckets.

Change-Id: I5de11f23366908721da4bf827f146e0e265183d8

CMakeLists.txt
packaging/security-config.spec
upgrade/201.security_upgrade.sh
upgrade/710.security_restore_policy.sh [new file with mode: 0644]

index e12d4611b288c94cd791aa116d00ce23ee6b6466..744bfba63db49abff1a170ee6c0403107d59673e 100755 (executable)
@@ -16,7 +16,7 @@ INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/security-config.conf DESTINATION /usr/l
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/90_user-content-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/201.security_upgrade.sh DESTINATION /usr/share/upgrade/scripts)
-INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/710.security_enabled_blacklist_upgrade.sh DESTINATION /usr/share/upgrade/scripts)
+INSTALL(FILES ${CMAKE_SOURCE_DIR}/upgrade/710.security_restore_policy.sh DESTINATION /usr/share/upgrade/scripts)
 
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/onlycap DESTINATION /etc/smack)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/smack/smack_default_labeling DESTINATION /usr/share/security-config)
index 81208314ee3494a2a478d2c0a6e98269322b8ecd..c5420225a9e67bcab3c27961cf80dfeff00dae47 100755 (executable)
@@ -103,7 +103,7 @@ rm /opt/share/security-config/test/capability_test/*
 %attr(755,root,root) /opt/share/security-config/test/smack_basic_test/*
 %attr(755,root,root) /opt/share/security-config/test/security_mount_option_test/*
 %attr(755,root,root) /usr/share/upgrade/scripts/201.security_upgrade.sh
-%attr(755,root,root) /usr/share/upgrade/scripts/710.security_enabled_blacklist_upgrade.sh
+%attr(755,root,root) /usr/share/upgrade/scripts/710.security_restore_policy.sh
 %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/90_user-content-permissions.post
 %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/91_user-dbspace-permissions.post
 
index 47b460242ec7f7dbf88dc7ba09d4928d75d6ef43..744ce0ab68117b833313c201ac4d015b67d3afca 100644 (file)
@@ -2,13 +2,53 @@
 
 PATH=/bin:/usr/bin:/sbin:/usr/sbin
 
-/usr/sbin/cynara-db-migration upgrade -f 0.0.0 -t 0.14.10
-/usr/share/security-manager/db/update.sh
+CYNARA_DIR=/opt/var/cynara
+SECURITY_MANAGER_DIR=/opt/var/security-manager
 
-# start cynara service before security-manager policy update
-systemctl start cynara
+# backup cynara default and admin buckets
+CYNARA_DEFAULT_DB_BACKUP=/opt/data/CYNARA_DEFAULT_DB_BACKUP
+cyad --list-policies="" --all | grep "User::Pkg::" > $CYNARA_DEFAULT_DB_BACKUP
+CYNARA_ADMIN_DB_BACKUP=/opt/data/CYNARA_ADMIN_DB_BACKUP
+cyad --list-policies=ADMIN --all | grep "User::Pkg::" > $CYNARA_ADMIN_DB_BACKUP
+
+# make Cynara and Security-manager directories/files in rw partition
+rm -r $SECURITY_MANAGER_DIR
+mkdir $SECURITY_MANAGER_DIR
+mkdir $SECURITY_MANAGER_DIR/owner
+mkdir $SECURITY_MANAGER_DIR/rules
+mkdir $SECURITY_MANAGER_DIR/rules-merged
+touch $SECURITY_MANAGER_DIR/apps-labels
+touch $SECURITY_MANAGER_DIR/owner/apps-labels
+touch $SECURITY_MANAGER_DIR/rules-merged/rules.merged
+chmod 711 $SECURITY_MANAGER_DIR
+chmod 711 $SECURITY_MANAGER_DIR/owner
+chmod 700 $SECURITY_MANAGER_DIR/rules
+chmod 700 $SECURITY_MANAGER_DIR/rules-merged
+chmod 444 $SECURITY_MANAGER_DIR/apps-labels
+chmod 444 $SECURITY_MANAGER_DIR/owner/apps-labels
+chmod 644 $SECURITY_MANAGER_DIR/rules-merged/rules.merged
+
+# init Cynara and Security-manager database
+# security-manager DB
+SECURITY_MANAGER_DB=/opt/dbspace/.security-manager.db
+SECURITY_MANAGER_DB_JOURNAL=/opt/dbspace/.security-manager.db-journal
+rm $SECURITY_MANAGER_DB
+rm $SECURITY_MANAGER_DB_JOURNAL
+touch $SECURITY_MANAGER_DB
+touch $SECURITY_MANAGER_DB_JOURNAL
 
-/usr/share/security-manager/policy/update.sh
+chmod 600 $SECURITY_MANAGER_DB
+chmod 600 $SECURITY_MANAGER_DB_JOURNAL
+chown root:root $SECURITY_MANAGER_DB
+chown root:root $SECURITY_MANAGER_DB_JOURNAL
+chsmack -a System $SECURITY_MANAGER_DB
+chsmack -a System $SECURITY_MANAGER_DB_JOURNAL
+
+/usr/share/security-manager/db/update.sh
+
+# cynara DB
+rm /var/cynara/db/*
+/usr/sbin/cynara-db-migration install -t 0.14.10
 /usr/bin/security-manager-policy-reload
 
 # Create privacy database
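Review bot: Nothing checks that the two `cyad --list-policies` backups succeeded before `rm /var/cynara/db/*` wipes the policy store, and each pipeline's status is grep's, so a cyad failure leaves an empty backup and the app policies are lost without any error. The commit also removes the early `systemctl start cynara` (the service is now started only in the last hunk of this file), so if cyad or `security-manager-policy-reload` need the running service, which is not visible from here, these calls would fail silently. The backups are written through unquoted variables to fixed names under /opt/data with the default umask and are later replayed as root by 710.security_restore_policy.sh; unless /opt/data is root-only, a root-owned `0700` directory and `umask 077` before the redirects would protect their integrity. A guard such as `cyad --list-policies="" --all > "$tmp" || exit 1` ahead of the `grep` (`$tmp` is a placeholder name), and the same for ADMIN, would stop the script before anything is deleted. The script starts above this hunk, so whether error handling such as `set -e` is already in place cannot be seen from here.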
@@ -30,5 +70,6 @@ chsmack -a System::Shared $PRIVILEGE_CHECHER_PRIVACY_DB_JOURNAL
 /usr/share/privilege-manager/policy_db_updater.sh
 
 # start security-manager
+systemctl start cynara
 systemctl start security-manager
 
diff --git a/upgrade/710.security_restore_policy.sh b/upgrade/710.security_restore_policy.sh
new file mode 100644 (file)
index 0000000..e7b29db
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+CYNARA_DEFAULT_DB_BACKUP=/opt/data/CYNARA_DEFAULT_DB_BACKUP
+CYNARA_ADMIN_DB_BACKUP=/opt/data/CYNARA_ADMIN_DB_BACKUP
+
+# restore cynara default and admin buckets
+
+if [ "cat $CYNARA_DEFAULT_DB_BACKUP" != "" ]
+then
+       cat $CYNARA_DEFAULT_DB_BACKUP | cyad --set-policy --bucket="" --bulk=-
+fi
+
+if [ "cat $CYNARA_ADMIN_DB_BACKUP" != "" ]
+then
+       cat $CYNARA_ADMIN_DB_BACKUP | cyad --set-policy --bucket=ADMIN --bulk=-
+fi
+
+rm $CYNARA_DEFAULT_DB_BACKUP
+rm $CYNARA_ADMIN_DB_BACKUP
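Review bot: The `if` tests for both buckets compare the literal string `cat $CYNARA_DEFAULT_DB_BACKUP` (no command substitution) with the empty string, so they are always true and `cyad --set-policy` runs even when the backup is missing or empty; `if [ -s "$CYNARA_DEFAULT_DB_BACKUP" ]`, and the same for the ADMIN file, expresses the intended check. Because the file contents become cynara policy when replayed by this root-run upgrade script, it is also worth refusing anything that is not a regular file, e.g. `[ -f "$CYNARA_DEFAULT_DB_BACKUP" ] && [ ! -L "$CYNARA_DEFAULT_DB_BACKUP" ]`, before piping it in. The two `rm` lines at the end delete the backups even if `cyad` failed, which discards the only copy of the policies; each file should be removed only after its restore returned success.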