From: <ssm...@us...> - 2008-05-16 13:06:33
Revision: 2880
          http://selinux.svn.sourceforge.net/selinux/?rev=2880&view=rev
Author:   ssmalley
Date:     2008-05-16 06:06:26 -0700 (Fri, 16 May 2008)

Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: livecd-creator + selinux
Date: Fri, 16 May 2008 07:57:38 -0400

On Thu, 2008-05-15 at 17:20 -0400, Eric Paris wrote:
> On Thu, 2008-05-15 at 16:47 -0400, Stephen Smalley wrote:
> > On Thu, 2008-05-15 at 16:33 -0400, Eric Paris wrote:
> > > #4 At the end of the rpm transaction when everything is installed it
> > > calls restorecon and I get one for (I assume) every file almost all of
> > > which look like:
> > >
> > > /sbin/restorecon reset /srv context system_u:object_r:var_t:s0->system_u:object_r:var_t:s0
> > >
> > > Notice nothing changed? Again I assume its my hack of a /selinux which
> > > causes it and I'll try to run down why, but maybe someone else sees that
> > > quickly.
> >
> > That suggests it is being called with the -f (force) flag from
> > e.g. /sbin/fixfiles. selinux-policy.spec does a
> > fixfiles -C file_contexts.pre restore
> >
> > fixfiles -C does a diff between the old and new file contexts
> > configurations and applies restorecon to the result. There is some
> > serious magic in there, and it is all Dan's fault ;)
>
> ok, in the livecd-creator kickstart.py I see
>
> if os.path.exists(self.path("/sbin/restorecon")):
>     self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
>
> So there is our -F. Is there a way to get it to fix "user" without
> getting it to fix "things that aren't wrong"

I think we should change setfiles/restorecon to just not do that even
with -F. IIRC, changing it to always invoke setfilecon even if the
contexts were the same was motivated by the problem we used to have
where the in-core label and the on-disk xattr could get out of sync.
Patch below.
Note that restorecon is just a link to setfiles that presents a different default user interface and behaviors (ever since I coalesced them).

Modified Paths: -------------- trunk/policycoreutils/setfiles/setfiles.c Modified: trunk/policycoreutils/setfiles/setfiles.c =================================================================== --- trunk/policycoreutils/setfiles/setfiles.c 2008-05-05 15:23:37 UTC (rev 2879) +++ trunk/policycoreutils/setfiles/setfiles.c 2008-05-16 13:06:26 UTC (rev 2880) @@ -495,7 +495,7 @@ * specification. */ if ((strcmp(newcon, "<<none>>") == 0) || - (context && (strcmp(context, newcon) == 0) && !force)) { + (context && (strcmp(context, newcon) == 0))) { freecon(context); goto out; }
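Review bot: The `strcmp(context, newcon) == 0` test in the `@@ -495,7 +495,7 @@` hunk now takes the `freecon(context); goto out;` path for identical contexts even under -F, but the log message says the forced setfilecon on identical contexts was introduced for the case where the in-core label and the on-disk xattr were out of sync. Please state in the comment above this condition whether that desync can still occur and, if it can, how an administrator is now expected to repair it, since -F no longer does. The user-facing description of -F should be updated in the same commit so that "force" is not read as "always rewrite the label". It would also help to confirm that `force` is still consulted elsewhere in the function, so the flag keeps the behaviour the kickstart.py caller relies on (resetting the user portion of a context that does differ).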