Re: Make mv work better with SELinux.


From: Pádraig Brady
Subject: Re: Make mv work better with SELinux.
Date: Tue, 04 Dec 2012 15:38:37 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1

On 10/08/2012 09:24 PM, Daniel J Walsh wrote:
> One of, if not the, most common problems people hit with SELinux is the mv
> command, which maintains the file context of the source destination.
>
> mv /home/dwalsh/index.html /var/www/html/
>
> This blows up on everybody and then the users have no idea why.
>
> I was thinking about adding -Z (--restorecon) to mv and having it basically do an
> internal restorecon on the destination.
>
> Then we could suggest people who get burnt by this to:
>
> alias mv="mv -Z"
>
> In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling the
> regex, so there should be very little slowdown in doing this.

A question on performance.
So there was a large matchpathcon() performance issue in Fedora 11 time,
where we had a 20x slowdown if matchpathcon_init_prefix() wasn't called:
https://bugzilla.redhat.com/show_bug.cgi?id=479502#c24

Does calling matchpathcon_init_prefix() still provide benefit on Fedora 18?
More importantly, since the new selinux::restorecon_private() doesn't
call matchpathcon_init_prefix(), will it have the large performance
issues on Fedora <= 17 and other SELinux supporting platforms?

Not a huge issue since install(1) enables setdefaultfilecon() by default,
whereas the new proposal would only enable when -Z is specified.
That's an inconsistency in the patch in this thread actually.
install -Z runs the new restorecon(), while also running the old
setdefaultfilecon(). Seems like we may need to drop the new install -Z
code for now, and possibly in future merge restorecon() and setdefaultfilecon().

cheers,
Pádraig.
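
The label mismatch described in the quoted message, as an added example that is not part of the original e-mail or of the coreutils patch: it looks up the policy default for a path and reports files whose current type differs, which is the state mv leaves behind and restorecon corrects. The file_contexts entries and the listing are constructed samples, the helper names are hypothetical, and the last-match-wins lookup is a simplifying assumption rather than libselinux's matchpathcon() implementation.

```python
import re

# Constructed sample in file_contexts format: <path regex> [file type] <context>
FILE_CONTEXTS = """\
/.*                     system_u:object_r:default_t:s0
/home/[^/]+/.+          unconfined_u:object_r:user_home_t:s0
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
"""

# Constructed "context path" pairs, in the form `ls -Z` prints them.
LISTING = """\
unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html
"""

def parse_file_contexts(text):
    """Return [(compiled_regex, context)] in file order, skipping comments."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # fields[1:-1] may hold a file-type flag such as "--"; ignored here.
        specs.append((re.compile(fields[0]), fields[-1]))
    return specs

def default_context(specs, path):
    """Assumption: the last entry whose regex matches the whole path wins."""
    for regex, context in reversed(specs):
        if regex.fullmatch(path):
            return None if context == "<<none>>" else context
    return None

def selinux_type(context):
    return context.split(":")[2]  # user:role:type:level

def mislabeled(specs, listing):
    """Return (path, current_type, expected_type) where the types differ."""
    findings = []
    for line in listing.splitlines():
        current, path = line.split(None, 1)
        expected = default_context(specs, path)
        if expected and selinux_type(current) != selinux_type(expected):
            findings.append((path, selinux_type(current), selinux_type(expected)))
    return findings

if __name__ == "__main__":
    for finding in mislabeled(parse_file_contexts(FILE_CONTEXTS), LISTING):
        print("%s: has %s, policy default is %s" % finding)
```

On a live system, `matchpathcon -V <path>` performs the same comparison against the loaded policy.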