Re: Make mv work better with SELinux.
From: Daniel J Walsh
Subject: Re: Make mv work better with SELinux.
Date: Thu, 05 Dec 2013 09:20:31 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
On 12/04/2013 07:44 PM, Pádraig Brady wrote:
> On 12/04/2013 07:23 PM, Pádraig Brady wrote:
>> On 12/04/2013 05:49 PM, Daniel J Walsh wrote:
>>> On 12/04/2013 11:11 AM, Pádraig Brady wrote:
>>>> Before I pull the trigger on this release, I'd like to confirm a
>>>> change you did.
>>>
>>>> You changed `cp --context=CTX` to _not fail_ if selinux is disabled.
>>>> I'm thinking that if the old behavior of giving a specific context is
>>>> not supported, then we should fail?
>>> I have no problem if this fails, since the user was so explicit. My
>>> real goal is to allow people to put commands in init scripts and
>>> install post install scripts or any other scripts that do not need to
>>> check if SELinux is enabled.
>>>
>>> cp -Z foobar /etc
>>>
>>> Should always work.
>>>
>>>> Also I'm wondering about the -Z case with selinux disabled. I.E.
>>>> would defaultcon() and/or restorecon() support setting file contexts
>>>> even if selinux is currently disabled? I.E. should we attempt those
>>>> even if selinux is disabled, but suppress any associated
>>>> warnings/errors?
>>>
>>>> thanks, Pádraig.
>>>
>>> When a machine comes back from being disabled it will require a full
>>> relabel to work properly whether or not these commands work.
>>> Theoretically restorecon should work, but defaultcon will not.
>>
>> Great thanks for the info. I'll probably address this with the attached
>> patch.
>
> On further inspection, Red Hat's SELinux patch was different from the
> upstream patch in this regard. I.E. the Red Hat code did _not_ fail with
> `cp --context=...` or `install --context=...`. Now mkdir,mkfifo did fail
> for both code bases, but that's inconsistent, and cp/install would be the
> most used in this regard, so it makes sense to leave things as is and
> consistently _warn_ on selinux disabled systems. For completeness, -Z
> (which doesn't take a specific context) will not warn on selinux disabled
> systems.
>
> thanks, Pádraig.
>
Ok that is fine with me.