Pádraig Brady wrote:
On 10/08/2012 09:24 PM, Daniel J Walsh wrote:
One of, if not the, most common problems people hit with SELinux is the
mv command, which maintains the file context of the source
destination.
    mv /home/dwalsh/index.html /var/www/html/
This blows up on everybody and then the users have no idea why.
I was thinking about adding -Z (--restorecon) to mv and having it
basically do an internal restorecon on the destination.
Then we could suggest people who get burnt by this to:
    alias mv="mv -Z"
In Fedora 18 we have greatly enhanced matchpathcon by pre-compiling
the regex, so there should be very little slowdown in doing this.
I will work on the patch, if people agree with the idea.
I like the idea. Now cp and install should behave similarly, and they
already have the -Z option.
Upstream cp does not have -Z. I agree that this seems like the right time
to add it.
So I would suggest that cp, mv and install support the -Z option without
an argument, which means auto set the context based on the destination.
The caveat with that is that short options with optional args are very
problematic. So I'd just have the long --context have an optional arg,
while -Z would require an arg.
[in a follow-up]
Thinking further, --context without an option is not too clear to the
user. They might think they were copying the original context rather than
setting a new context.
Pity the long option wasn't called --new-context. I suppose we could have
that as an alias for --context and deprecate the former?
Sounds reasonable. Adjust the other --context=CTX commands, mkdir, mkfifo,
mknod at the same time.
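
A wrapper approximating the behaviour proposed in the thread (move, then run restorecon on the destination), as an added example that is not coreutils code or a patch from this thread. The names `mv_relabel`, `final_path` and `selinux_active` are hypothetical, and the relabel step is skipped when SELinux is disabled or `restorecon` is not installed.

```shell
#!/bin/sh
# Added illustration; helper names are hypothetical, not part of coreutils.

# Print the path `mv SRC DST` will produce: inside DST when DST is an
# existing directory, otherwise DST itself.
final_path() {
    src=$1 dst=$2
    if [ -d "$dst" ]; then
        printf '%s/%s\n' "${dst%/}" "$(basename -- "$src")"
    else
        printf '%s\n' "$dst"
    fi
}

# Succeed only when the SELinux tools exist and SELinux is enabled.
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# Move SRC to DST, then reset the label at the destination to the policy
# default for that path instead of keeping the label carried over from SRC.
# Prints the final path on success.
mv_relabel() {
    [ $# -eq 2 ] || { echo "usage: mv_relabel SRC DST" >&2; return 2; }
    # Resolve the target before moving, while SRC's name is still known.
    target=$(final_path "$1" "$2") || return 1
    mv -- "$1" "$2" || return 1
    if selinux_active && command -v restorecon >/dev/null 2>&1; then
        # -R also covers the case where SRC was a directory tree.
        restorecon -R -- "$target" || return 1
    fi
    printf '%s\n' "$target"
}
```

On an SELinux system, comparing `ls -Z` output for the destination after a plain `mv` and after `mv_relabel` shows the carried-over label versus the policy default.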