From: Daniel Burgener <dburgener@linux.microsoft.com>
To: William Roberts <bill.c.roberts@gmail.com>,
SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH] restorecon: Add option to count number of relabeled files
Date: Thu, 13 Nov 2025 12:35:59 -0500 [thread overview]
Message-ID: <394ce63e-2ea0-4b0f-9196-bb47c6721f85@linux.microsoft.com> (raw)
In-Reply-To: <CAFftDdp3ZChoaVF-5FN=O=b09Hv6VSXAUzRQ0muW0NParjZBhA@mail.gmail.com>
On 11/12/2025 7:43 PM, William Roberts wrote:
> On Tue, Nov 11, 2025 at 10:34 AM William Roberts
> <bill.c.roberts@gmail.com> wrote:
>>
>> <snip>
>>>>> I'm no longer an SELinux maintainer, so don't let my nack stop anyone.
>>>
>>> We have a need for a similar use case in terms of ensuring that
>>> restorecon actually performed relabeling, but I agree that I don't think
>>> this patch as is would meet our needs.
>>>
>>> One thing that might make the patch more usable and address these
>>> comments would be to instead pass the expected number of relabels as an
>>> argument to restorecon and then return success if the relabel count ==
>>> the expected count. That avoids all the problems around exit code
>>> handling while still verifying the count.
>>>
>>> The other problem though is that in the presence of globbing it's not
>>> clear that getting the expected number of files relabeled means that you
>>> actually relabeled the files you expected to. But I guess the answer to
>>> that is just "don't use the count feature with globbing". Even without
>>> globbing though, if you don't relabel all the files, you don't know
>>> which one you skipped without extra handling, which seems like you
>>> really don't need to know the number relabeled as much as whether it was
>>> the number you expected, which seems like a point in favor of "pass the
>>> expected count".
>>>
>>
>
> Sorry I accidentally sent this only to Daniel, adding back the list.
>
> With -v doesn't restorecon show what would be changed? Perhaps it
> would be better
> to add an option that produces some standard formatting for an audit
> trail and that output
> could include various statistics. Then folks could parse those
> records. I see -p does some form
> of progress/status meter as well, for whatever that is worth.
>
> <snip>
My two cents FWIW is that being able to see whether you actually
relabeled via exit status is way more useful than having to parse output
to get at that info. There's no need for the complexity of the wrapper,
no opportunities for parser bugs, and you can just directly succeed/fail
a systemd unit or bash script based on the return code.
-Daniel
next prev parent reply other threads:[~2025-11-13 17:36 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-10 18:05 [PATCH] restorecon: Add option to count number of relabeled files Vit Mojzis
2025-11-10 20:21 ` Stephen Smalley
2025-11-10 20:23 ` William Roberts
2025-11-10 20:37 ` William Roberts
2025-11-11 14:44 ` Daniel Burgener
[not found] ` <CAFftDdoTR5ae1qORSjPuOj5ea1O15qtgrRiadhTp2HMh926swg@mail.gmail.com>
2025-11-13 0:43 ` William Roberts
2025-11-13 17:11 ` [PATCH v2] restorecon: Add option to count " Vit Mojzis
2025-11-13 20:17 ` William Roberts
2025-11-18 8:59 ` Petr Lautrbach
2025-11-18 20:11 ` [PATCH v3] " Vit Mojzis
2026-01-23 15:13 ` James Carter
2026-01-28 20:28 ` James Carter
2025-11-13 17:35 ` Daniel Burgener [this message]
2025-11-13 19:29 ` [PATCH] restorecon: Add option to count number of " William Roberts
2025-11-13 19:32 ` Daniel Burgener
2025-11-13 19:39 ` William Roberts
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=394ce63e-2ea0-4b0f-9196-bb47c6721f85@linux.microsoft.com \
--to=dburgener@linux.microsoft.com \
--cc=bill.c.roberts@gmail.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.