Re: Make mv work better with SELinux.


From: Daniel J Walsh
Subject: Re: Make mv work better with SELinux.
Date: Thu, 05 Dec 2013 09:20:31 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0

On 12/04/2013 07:44 PM, Pádraig Brady wrote:
> On 12/04/2013 07:23 PM, Pádraig Brady wrote:
>> On 12/04/2013 05:49 PM, Daniel J Walsh wrote:
>>> On 12/04/2013 11:11 AM, Pádraig Brady wrote:
>>>> Before I pull the trigger on this release, I'd like to confirm a
>>>> change you did.
>>> 
>>>> You changed `cp --context=CTX` to _not fail_ if selinux is disabled.
>>>> I'm thinking that if the old behavior of giving a specific context is
>>>> not supported, then we should fail?
>>> I have no problem if this fails, since the user was so explicit.  My
>>> real goal is to allow people to put commands in init scripts and
>>> install post install scripts or any other scripts that do not need to
>>> check if SELinux is enabled.
>>> 
>>> cp -Z foobar /etc
>>> 
>>> Should always work.
>>> 
>>>> Also I'm wondering about the -Z case with selinux disabled. I.E.
>>>> would defaultcon() and/or restorecon() support setting file contexts
>>>> even if selinux is currently disabled? I.E. should we attempt those
>>>> even if selinux is disabled, but suppress any associated
>>>> warnings/errors?
>>> 
>>>> thanks, Pádraig.
>>> 
>>> When a machine comes back from being disabled it will require a full
>>> relabel to work properly whether or not these commands work.
>>> Theoretically restorecon should work, but defaultcon will not.
>> 
>> Great thanks for the info. I'll probably address this with the attached
>> patch.
> 
> On further inspection, Red Hat's SELinux patch was different from the
> upstream patch in this regard. I.E. the Red Hat code did _not_ fail with
> `cp --context=...` or `install --context=...`. Now mkdir, mkfifo did fail
> for both code bases, but that's inconsistent, and cp/install would be the
> most used in this regard, so it makes sense to leave things as is and
> consistently _warn_ on selinux disabled systems. For completeness, -Z
> (which doesn't take a specific context) will not warn on selinux disabled
> systems.
> 
> thanks, Pádraig.
> 
Ok that is fine with me.