Re: Make mv work better with SELinux.
From: Daniel J Walsh
Subject: Re: Make mv work better with SELinux.
Date: Tue, 09 Oct 2012 09:48:29 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120918 Thunderbird/15.0.1
On 10/09/2012 08:54 AM, Jim Meyering wrote:
> Pádraig Brady wrote:
>
>> On 10/08/2012 09:24 PM, Daniel J Walsh wrote:
>>>
>>> One of, if not the most common, problems people hit with SELinux is the
>>> mv command, which maintains the file context of the source
>>> destination.
>>>
>>> mv /home/dwalsh/index.html /var/www/html/
>>>
>>> This blows up on everybody and then the users have no idea why.
>>>
>>> I was thinking about adding -Z (--restorecon) to mv and having it
>>> basically do an internal restorecon on the destination.
>>>
>>> Then we could suggest people who get burnt by this to:
>>>
>>> alias mv="mv -Z"
>>>
>>> In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling
>>> the regex, so there should be very little slow down in doing this.
>>>
>>> I will work on the patch, if people agree with the idea.
>>
>> I like the idea. Now cp and install should behave similarly, and they
>> already have the -Z option.
>
> Upstream cp does not have -Z. I agree that this seems like the right time
> to add it.
>
>> So I would suggest that cp, mv and install support the -Z option without
>> an argument, which means auto set the context based on the destination.
>>
>> The caveat with that is that short options with optional args are very
>> problematic. So I'd just have the long --context have an optional arg,
>> while -Z would require an arg.
>
> [in a follow-up]
>> Thinking further, --context without an option is not too clear to the
>> user. They might think they were copying the original context rather than
>> setting a new context.
>
>> Pity the long option wasn't called --new-context. I suppose we could have
>> that as an alias for --context and deprecate the former?
>
> Sounds reasonable. Adjust the other --context=CTX commands, mkdir, mkfifo,
> mknod at the same time.
>
The sad thing is I would bet that no one ever uses any of these options,
since they all involve people understanding what the default labeling should
be. Allowing users to just say "when I create a new file, make sure the tool
does the right thing as far as labeling" would be a huge advance. I really do
not care what option you guys choose to use.
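The behaviour proposed in the thread (move, then run the equivalent of restorecon on the destination so the file gets the label the policy expects for its new path rather than the stale source label) can be approximated today as a shell wrapper. This is an added example, not code from the thread or from coreutils; it assumes the standard SELinux userland tools `selinuxenabled` and `restorecon` are installed, and it relabels nothing on hosts where SELinux is not enabled, so it is safe to alias unconditionally.

```shell
#!/bin/sh
# mv_relabel SOURCE... DEST
# Moves like mv(1), then relabels the moved path(s) from the policy's
# file_contexts, which is what a post-move restorecon would do.
mv_relabel() {
    [ "$#" -ge 2 ] || { echo "usage: mv_relabel SOURCE... DEST" >&2; return 2; }
    # The last argument is the destination. Decide *before* the move whether
    # it is an existing directory, because "mv file dir/" lands file inside dir
    # and that is the path carrying the stale label afterwards.
    for dest in "$@"; do :; done
    if [ -d "$dest" ]; then dest_is_dir=1; else dest_is_dir=0; fi
    mv "$@" || return $?
    i=0
    for arg in "$@"; do
        i=$((i + 1))
        [ "$i" -lt "$#" ] || break        # skip DEST itself
        if [ "$dest_is_dir" -eq 1 ]; then
            target="${dest%/}/$(basename "$arg")"
        else
            target="$dest"                # plain rename
        fi
        relabel_path "$target"
    done
}

# Relabel one path only when SELinux is active; otherwise a no-op, so the
# wrapper behaves exactly like mv on non-SELinux systems.
relabel_path() {
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        restorecon -R -v "$1"
    fi
}
```

On an SELinux host, `ls -Z` on the destination before and after the wrapper runs shows the source label (for example a home-directory type) replaced by the type the policy assigns to the destination path.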