* Suggested change to setfiles interface.
@ 2004-02-25 15:22 Daniel J Walsh
2004-02-25 16:21 ` Stephen Smalley
2004-02-25 17:04 ` Stephen Smalley
0 siblings, 2 replies; 3+ messages in thread
From: Daniel J Walsh @ 2004-02-25 15:22 UTC
To: SE Linux
I find it curious that the setfiles interface works in recursive mode by
default. As we have been trying to get the install to handle labeling
the file system, several files had to be labeled in the installer
including /. The only way to do this was to pipe

    echo / | setfiles -s file_context

Looking into this, I found it curious that this works differently than

    setfiles file_context /

I would like to see these work consistently and for us to add a recursive or
non-recursive switch to setfiles.

So

    setfiles -R file_contexts /
would implement the current behavior

    setfiles file_contexts /
would just relabel /.
Dan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Suggested change to setfiles interface.
From: Stephen Smalley @ 2004-02-25 16:21 UTC
To: Daniel J Walsh; +Cc: SE Linux
On Wed, 2004-02-25 at 10:22, Daniel J Walsh wrote:
> I find it curious that the setfiles interface works in recursive mode by
> default. As we have been trying to get the install to handle labeling
> the file system, several files had to be labeled in the installer
> including /. The only way to do this was to pipe
> echo / | setfiles -s file_context
>
> Looking into this, I found it curious that this works differently than
> setfiles file_context /
>
> I would like to see these work consistently and for us to add a recursive or
> non-recursive switch to setfiles.
>
> So
>
> setfiles -R file_contexts /
> would implement the current behavior
>
> setfiles file_contexts /
> would just relabel /.

Just to clarify, setfiles was designed to label entire filesystems, so
it takes a list of filesystem mount points and walks each one in turn.
It does not cross mount points, so a 'setfiles file_contexts /' will not
descend into /boot or /var or /home (if those are separate mounts).

Operating on an entire filesystem allows setfiles to also check for
conflicts such as cases where multiple hard links exist for an inode
that would map to different contexts. Originally, setfiles created or
updated a persistent label mapping in each specified filesystem; now it
merely sets extended attributes on the individual files in that
filesystem. It isn't a recursive vs. non-recursive issue so much as a
filesystem vs. file argument issue.

The -s option was added by Russell to allow setfiles to be applied to a
specified list of files (rather than filesystems) taken from stdin,
although we could likely have it take them from the command line just as
easily instead.

I don't think we want to change the default behavior of setfiles, but we
could certainly change the -s option to accept either a list of files as
command line arguments or (if none are specified) read from stdin.
Would that address your concern?
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: Suggested change to setfiles interface.
From: Stephen Smalley @ 2004-02-25 17:04 UTC
To: Daniel J Walsh; +Cc: SE Linux
On Wed, 2004-02-25 at 10:22, Daniel J Walsh wrote:
> I find it curious that the setfiles interface works in recursive mode by
> default. As we have been trying to get the install to handle labeling
> the file system, several files had to be labeled in the installer
> including /. The only way to do this was to pipe
> echo / | setfiles -s file_context
Further thought: Given that we recently added a matchpathcon() function
to libselinux, you could easily turn restorecon into a C program that
uses matchpathcon() and lsetfilecon() on its arguments, rather than
using setfiles at all. Would that address your need?
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency