* Patch to restorecon to add -R switch
@ 2004-09-27 17:28 Daniel J Walsh
  2004-09-28 20:03 ` Luke Kenneth Casson Leighton
                   ` (3 more replies)
  0 siblings, 4 replies; 11+ messages in thread
From: Daniel J Walsh @ 2004-09-27 17:28 UTC (permalink / raw)
  To: SELinux

[-- Attachment #1: Type: text/plain, Size: 109 bytes --]

This will allow us to

restorecon -R /dev in the initscripts.

The patch also adds some fixes for fixfiles.

Dan

[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/plain, Size: 7940 bytes --]

--- policycoreutils-1.17.5/restorecon/restorecon.c.rhat	2004-08-30 11:46:46.000000000 -0400
+++ policycoreutils-1.17.5/restorecon/restorecon.c	2004-09-24 19:14:23.515031544 -0400
@@ -8,7 +8,7 @@
  * to match the specification returned by matchpathcon.
  *
  * USAGE:
- * restorecon [-nv] pathname...
+ * restorecon [-Rnv] pathname...
  * 
  * -n	Do not change any file labels.
  * -v	Show changes in file labels.  
@@ -33,19 +33,25 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <stdio.h>
+#define __USE_XOPEN_EXTENDED 1	/* nftw */
+#include <ftw.h>
 
-char *progname;
+static int change=1;
+static int verbose=0;
+static FILE *outfile=NULL;
+static char *progname;
+static int errors=0;
+static int recurse;
 
 void usage(const char * const name)
 {	
   fprintf(stderr,
-	  "usage:  %s [-nv] [-f filename | pathname... ]\n",  name);
+	  "usage:  %s [-Rnv] [-f filename | pathname... ]\n",  name);
   exit(1);
 }
-int restore(char *filename, int change, int verbose, FILE *outfile) {
+int restore(char *filename) {
   int retcontext=0;
   int retval=0;
-  int errors=0;
   security_context_t scontext;
   security_context_t prev_context;
   int len=strlen(filename);
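Review bot: `#define __USE_XOPEN_EXTENDED 1` comes after `<sys/stat.h>`, `<fcntl.h>` and `<stdio.h>` have already run glibc's feature-test header, and the `__USE_*` names are reserved, glibc-internal macros; the portable way to expose nftw(3) is `#define _XOPEN_SOURCE 500` before the first system include (or `-D_XOPEN_SOURCE=500` from the Makefile). Setting the internal macro by hand happens to satisfy this glibc's `<ftw.h>`, but another libc, or a later glibc, is not obliged to honour it and would silently stop declaring `nftw` and `struct FTW`. The body of `restore()` runs past the end of this hunk.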
@@ -135,15 +141,36 @@
   freecon(scontext);
   return errors;
 }
+static int apply_spec(const char *file,
+		      const struct stat *sb_unused, int flag, struct FTW *s_unused)
+{
+	if (flag == FTW_DNR) {
+		fprintf(stderr, "%s:  unable to read directory %s\n",
+			progname, file);
+		return 0;
+	}
+	errors=errors+restore((char *)file);
+	return 0;
+}
+void process(char *buf) {
+      if (recurse) {
+	if (nftw
+	    (buf, apply_spec, 1024, FTW_PHYS | FTW_MOUNT)) {
+	  fprintf(stderr,
+		  "%s:  error while labeling files under %s\n",
+		  progname, buf);
+	  exit(1);
+	}
+      }
+      else
+	errors=errors+restore(buf);
+}
 int main(int argc, char **argv) {
   int i=0;
   char *file_name=NULL;
   int errors=0;
-  int change=1;
-  int verbose=0;
   int file=0;
   int opt;
-  FILE *outfile=NULL;
   char buf[PATH_MAX];
 
   progname=argv[0];
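Review bot: `main()` still declares its own `int errors=0;` (the line after `char *file_name=NULL;`), which shadows the new file-scope `static int errors` that `process()` and `apply_spec()` accumulate into, so whatever `main()` does with `errors` after the loops (its tail is outside this hunk, presumably the exit status) now sees a constant 0; delete that local. In `apply_spec()`, an unreadable directory (`FTW_DNR`) prints a message but returns 0 without touching `errors`, so a partially walked tree is reported as clean; an `errors++;` before that `return 0;` would keep the count honest. `restore((char *)file)` casts away `const`; if `restore()` does not write through its argument, declaring it `int restore(const char *filename)` removes the cast.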
@@ -152,11 +179,14 @@
 
   memset(buf,0, sizeof(buf));
 
-  while ((opt = getopt(argc, argv, "nvf:o:")) > 0) {
+  while ((opt = getopt(argc, argv, "Rnvf:o:")) > 0) {
     switch (opt) {
     case 'n':
       change = 0;
       break;
+    case 'R':
+      recurse = 1;
+      break;
     case 'o':
       outfile = fopen(optarg,"w");
       if (!outfile) {
@@ -187,14 +217,14 @@
     }
     while(fgets(buf,PATH_MAX,f)) {
       buf[strlen(buf)-1]=0;
-      errors=errors+restore(buf, change, verbose, outfile);
+      process(buf);
     }
     if (strcmp(file_name,"-")!=0) 
       fclose(f);
   } 
   else {
     for (i=optind; i< argc; i++) {
-      errors=errors+restore(argv[i], change, verbose, outfile);
+      process(argv[i]);
     }
   }
   if (outfile) 
--- policycoreutils-1.17.5/restorecon/restorecon.8.rhat	2004-08-30 11:46:46.000000000 -0400
+++ policycoreutils-1.17.5/restorecon/restorecon.8	2004-09-24 19:23:38.235701184 -0400
@@ -4,10 +4,10 @@
 
 .SH "SYNOPSIS"
 .B restorecon
-.I [\-o outfilename ] [\-n] [\-v] pathname...
+.I [\-o outfilename ] [\-R] [\-n] [\-v] pathname...
 .P
 .B restorecon
-.I \-f infilename [\-o outfilename ] [\-n] [\-v] 
+.I \-f infilename [\-o outfilename ] [\-R] [\-n] [\-v] 
 
 .SH "DESCRIPTION"
 This manual page describes the
@@ -26,6 +26,9 @@
 .B \-f infilename
 infilename contains a list of files to be processed by application. Use \- for stdin.
 .TP 
+.B \-R
+change files and directories file labels recursively
+.TP 
 .B \-n
 don't change any file labels.
 .TP 
--- policycoreutils-1.17.5/scripts/fixfiles.rhat	2004-08-30 11:46:47.000000000 -0400
+++ policycoreutils-1.17.5/scripts/fixfiles	2004-09-24 18:46:15.672622592 -0400
@@ -36,6 +36,8 @@
 FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
 FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
 SELINUXTYPE="targeted"
+FCFILE=`mktemp /var/tmp/file_contexts.XXXXXXXXXX`
+trap "rm -f $FCFILE; exit 2" 1 2 3 5 15 
 
 if [ -e /etc/selinux/config ]; then
     . /etc/selinux/config
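Review bot: the `mktemp` result is never checked, so if it fails `FCFILE` is empty, the later `cp $FC $FCFILE` and `>> $FCFILE` error out, and `${SETFILES} ... ${FCFILE} ${FILESYSTEMS}` ends up with the first filesystem in the spec-file position; guard the command itself with `FCFILE=\`mktemp /var/tmp/file_contexts.XXXXXXXXXX\` || exit 1`. The trap list also includes signal 5 (SIGTRAP), which a shell script has no reason to catch; `1 2 3 15` is the conventional set.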
@@ -48,14 +50,14 @@
 echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 | tee $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 > $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
         echo "Warning: Skipping the following R/O filesystems:"
         echo "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 | tee $LOGFILE
+    ${SETFILES} ${OUTFILES} -n -v ${FCFILE} ${FILESYSTEMSRW} 2>&1 > $LOGFILE
 fi
 }
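Review bot: `2>&1 > $LOGFILE` duplicates stderr onto the original stdout before stdout is moved to the log, so restorecon/setfiles error messages still reach the terminal (or root's mail under cron) and are absent from `$LOGFILE`; the order has to be `> $LOGFILE 2>&1` on both the rpm loop line and the `${SETFILES}` line. The same ordering is repeated in restoreLabels and relabel below.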
 
@@ -63,14 +65,14 @@
 echo "logging to $LOGFILE"
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
         echo "Warning: Skipping the following R/O filesystems:"
         echo "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
+    ${SETFILES} ${OUTFILES} -v ${FCFILE} ${FILESYSTEMS} 2>&1 > $LOGFILE
 fi
 }
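Review bot: inside the `for i in ...` loop the rewritten line keeps a truncating `> $LOGFILE`, so with several packages (`-R pkg1,pkg2`) each iteration wipes the previous one's output and only the last package's restorecon run survives in the log; use `>> $LOGFILE 2>&1` there (the file is freshly created by `mktemp` or supplied with `-l`, so appending is safe). The `tee $LOGFILE` this replaces had the same truncation, so the commit is a good place to fix it.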
 
@@ -80,29 +82,29 @@
 rm -rf /tmp/.??* /tmp/*
 if [ ! -z "$1" ]; then
     for i in `echo $1 | sed 's/,/ /g'`; do
-	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
+	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
     done
 else
     if [ ! -z "$FILESYSTEMSRO" ]; then
         echo "Warning: Skipping the following R/O filesystems:"
         echo "$FILESYSTEMSRO"
     fi
-    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
+    ${SETFILES} ${OUTFILES} -v ${FCFILE} ${FILESYSTEMS} 2>&1 > $LOGFILE
 fi
 }
 relabelCheck() {
-echo -n "
-Files in the /tmp directory may be labeled incorrectly, this command 
-can remove all files in /tmp.  If you choose to remove files from /tmp, 
-a reboot will be required after completion.
-
-Do you wish to clean out the /tmp directory [N]? "
-read answer
-if [ "$answer" = y -o  "$answer" = Y ]; then 
-    relabel $1
-else
-    restoreLabels $1
-fi
+    echo -n "
+    Files in the /tmp directory may be labeled incorrectly, this command 
+    can remove all files in /tmp.  If you choose to remove files from /tmp, 
+    a reboot will be required after completion.
+    
+    Do you wish to clean out the /tmp directory [N]? "
+    read answer
+    if [ "$answer" = y -o  "$answer" = Y ]; then 
+	relabel $1
+    else
+	restoreLabels $1
+    fi
 
 }
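Review bot: re-indenting `relabelCheck` moved four leading spaces inside the quoted `echo -n` string, so every line of the prompt shown to the user now starts with four spaces and the blank line in the middle becomes a line of spaces; the text inside the quotes is data, not code, and should stay flush-left (or be emitted one line at a time with `printf`). Apart from that string the hunk is whitespace-only. The `relabel` function this hunk begins in starts outside the hunk.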
 
@@ -110,6 +112,12 @@
       	echo $"Usage: $0 {-R rpmpackage[,rpmpackage...] [-l logfile ] [-o outputfile ] |check|restore|[-F] relabel}"
 }
 
+if [ $# = 0 ]; then
+	usage
+	rm -f $FCFILE
+	exit 1
+fi
+
 # See how we were called.
 for i in $@; do
 if [ $rpmFlag = 2 ]; then
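Review bot: the `rm -f $FCFILE` placed in front of this `exit 1` (and again before the later usage and flag-check exits) is easy to miss on the next early-exit someone adds; an EXIT trap set right after the `mktemp`, `trap 'rm -f "$FCFILE"' 0`, would clean up on every return path including the normal one, and the signal trap could then reduce to `exit 2`.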
@@ -127,6 +135,7 @@
     logfileFlag=1
     continue
 fi
+
 case "$i" in
 	check)
 		checkFlag=1
@@ -151,22 +160,38 @@
 		;;
 	*)
 	    usage
+           rm -f $FCFILE
 	    exit 1
 esac
 done
 if [ `expr $checkFlag + $restoreFlag + $relabelFlag` -gt 1 ]; then 
     usage
+    rm -f $FCFILE
     exit 1
 fi
+
+cp $FC $FCFILE
+#
+# Check for removable devices
+#
+for i in /proc/ide/hd*/media; do 
+	grep -q cdrom $i && echo $i | awk -F / '{ print "/dev/"$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $FCFILE || true
+done 
+
+if [ $logfileFlag = 0 ]; then
+    LOGFILE=`mktemp /var/tmp/fixfiles.log.XXXXXXXXXX`
+    if [ ! -w $LOGFILE ] ; then
+        rm -f $FCFILE
+	exit 1
+    fi
+fi
+
 if [ $checkFlag = 1 ]; then
     checkLabels $rpmFiles
 fi
 if [ $restoreFlag = 1 ]; then
     restoreLabels $rpmFiles
 fi
-if [ $logfileFlag = 0 ]; then
-    LOGFILE=`mktemp /var/tmp/fixfiles.XXXXXXXXXX`  || exit 1
-fi
 if [ $relabelFlag = 1 ]; then
     if [ $fullFlag = 1 ]; then
 	relabel $rpmFiles
@@ -174,6 +199,6 @@
 	relabelCheck $rpmFiles
     fi
 fi
-exit $?
-
 
+rm $FCFILE
+exit $?
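Review bot: the `exit $?` on the new last line now reports the status of `rm $FCFILE`, not of the check/restore/relabel that ran before it, so a failed relabel exits 0 as long as the temp file was removed; capture the status first, `rc=$?; rm -f $FCFILE; exit $rc`. Even then `$?` after the preceding `if` blocks is only the status of the last command in the branch taken, so having checkLabels/restoreLabels/relabel return an explicit status would make the exit code meaningful.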


* Re: Patch to restorecon to add -R switch
  2004-09-27 17:28 Patch to restorecon to add -R switch Daniel J Walsh
@ 2004-09-28 20:03 ` Luke Kenneth Casson Leighton
  2004-09-29 19:08 ` James Carter
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 11+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-09-28 20:03 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Mon, Sep 27, 2004 at 01:28:42PM -0400, Daniel J Walsh wrote:
> This will allow us to
> 
> restorecon -R /dev in the initscripts.
 
 oooo :) cooool.  a bit like setfiles.  only different.

 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Patch to restorecon to add -R switch
  2004-09-27 17:28 Patch to restorecon to add -R switch Daniel J Walsh
  2004-09-28 20:03 ` Luke Kenneth Casson Leighton
@ 2004-09-29 19:08 ` James Carter
  2004-10-01 18:28   ` Valdis.Kletnieks
  2004-10-04 15:46 ` Stephen Smalley
  2004-10-05 18:06 ` Stephen Smalley
  3 siblings, 1 reply; 11+ messages in thread
From: James Carter @ 2004-09-29 19:08 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Everything looks fine, but why does all the output just go to the log
file now?  

On Mon, 2004-09-27 at 13:28, Daniel J Walsh wrote:
> This will allow us to
> 
> restorecon -R /dev in the initscripts.
> 
> Also patch adds some fixed for fixfiles.
> 
> Dan
> 
> ______________________________________________________________________

> --- policycoreutils-1.17.5/scripts/fixfiles.rhat	2004-08-30 11:46:47.000000000 -0400
> +++ policycoreutils-1.17.5/scripts/fixfiles	2004-09-24 18:46:15.672622592 -0400
> @@ -36,6 +36,8 @@
>  FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
>  FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
>  SELINUXTYPE="targeted"
> +FCFILE=`mktemp /var/tmp/file_contexts.XXXXXXXXXX`
> +trap "rm -f $FCFILE; exit 2" 1 2 3 5 15 
>  
>  if [ -e /etc/selinux/config ]; then
>      . /etc/selinux/config
> @@ -48,14 +50,14 @@
>  echo "logging to $LOGFILE"
>  if [ ! -z "$1" ]; then
>      for i in `echo $1 | sed 's/,/ /g'`; do
> -	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 | tee $LOGFILE
> +	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 > $LOGFILE
>      done
>  else
>      if [ ! -z "$FILESYSTEMSRO" ]; then
>          echo "Warning: Skipping the following R/O filesystems:"
>          echo "$FILESYSTEMSRO"
>      fi
> -    ${SETFILES} ${OUTFILES} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 | tee $LOGFILE
> +    ${SETFILES} ${OUTFILES} -n -v ${FCFILE} ${FILESYSTEMSRW} 2>&1 > $LOGFILE
>  fi
>  }
>  
> @@ -63,14 +65,14 @@
>  echo "logging to $LOGFILE"
>  if [ ! -z "$1" ]; then
>      for i in `echo $1 | sed 's/,/ /g'`; do
> -	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
> +	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
>      done
>  else
>      if [ ! -z "$FILESYSTEMSRO" ]; then
>          echo "Warning: Skipping the following R/O filesystems:"
>          echo "$FILESYSTEMSRO"
>      fi
> -    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
> +    ${SETFILES} ${OUTFILES} -v ${FCFILE} ${FILESYSTEMS} 2>&1 > $LOGFILE
>  fi
>  }
>  
> @@ -80,29 +82,29 @@
>  rm -rf /tmp/.??* /tmp/*
>  if [ ! -z "$1" ]; then
>      for i in `echo $1 | sed 's/,/ /g'`; do
> -	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 | tee $LOGFILE
> +	rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
>      done
>  else
>      if [ ! -z "$FILESYSTEMSRO" ]; then
>          echo "Warning: Skipping the following R/O filesystems:"
>          echo "$FILESYSTEMSRO"
>      fi
> -    ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 | tee $LOGFILE
> +    ${SETFILES} ${OUTFILES} -v ${FCFILE} ${FILESYSTEMS} 2>&1 > $LOGFILE
>  fi
>  }
>  relabelCheck() {
> -echo -n "
> -Files in the /tmp directory may be labeled incorrectly, this command 
> -can remove all files in /tmp.  If you choose to remove files from /tmp, 
> -a reboot will be required after completion.
> -
> -Do you wish to clean out the /tmp directory [N]? "
> -read answer
> -if [ "$answer" = y -o  "$answer" = Y ]; then 
> -    relabel $1
> -else
> -    restoreLabels $1
> -fi
> +    echo -n "
> +    Files in the /tmp directory may be labeled incorrectly, this command 
> +    can remove all files in /tmp.  If you choose to remove files from /tmp, 
> +    a reboot will be required after completion.
> +    
> +    Do you wish to clean out the /tmp directory [N]? "
> +    read answer
> +    if [ "$answer" = y -o  "$answer" = Y ]; then 
> +	relabel $1
> +    else
> +	restoreLabels $1
> +    fi
>  
>  }
>  

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Patch to restorecon to add -R switch
  2004-09-29 19:08 ` James Carter
@ 2004-10-01 18:28   ` Valdis.Kletnieks
  2004-10-01 19:00     ` Daniel J Walsh
  0 siblings, 1 reply; 11+ messages in thread
From: Valdis.Kletnieks @ 2004-10-01 18:28 UTC (permalink / raw)
  To: jwcart2; +Cc: Daniel J Walsh, SELinux

[-- Attachment #1: Type: text/plain, Size: 463 bytes --]

On Wed, 29 Sep 2004 15:08:40 EDT, James Carter said:
> Everything looks fine, but why does all the output just go to the log
> file now?  

> > -	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 | tee $LOGFILE
> > +	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 > $LOGFILE

That (and a few other places '| tee' was removed) is the technical reason
why it goes to the logfile only.  Dan would have to address the logic behind why
the change was made.

[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]


* Re: Patch to restorecon to add -R switch
  2004-10-01 18:28   ` Valdis.Kletnieks
@ 2004-10-01 19:00     ` Daniel J Walsh
  2004-10-01 19:43       ` Valdis.Kletnieks
  0 siblings, 1 reply; 11+ messages in thread
From: Daniel J Walsh @ 2004-10-01 19:00 UTC (permalink / raw)
  To: Valdis.Kletnieks; +Cc: jwcart2, SELinux

Valdis.Kletnieks@vt.edu wrote:

>On Wed, 29 Sep 2004 15:08:40 EDT, James Carter said:
>  
>
>>Everything looks fine, but why does all the output just go to the log
>>file now?  
>>    
>>
>
>  
>
>>>-	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 | tee $LOGFILE
>>>+	rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 > $LOGFILE
>>>      
>>>
>
>That (and a few other places '| tee' was removed) is the technical reason
>why it goes to the logfile only.  Dan would have to address the logic behind why
>the change was made.
>  
>
It was changed because the messages were flooding root's mailer, 
and if you ran fixfiles by hand, it would slow down the process
if you were on a slow terminal.  You can still see the output by doing a 
fixfiles -l `tty`

I think this all needs a redesign,  maybe to write its output to syslog, 
but am trying to get test3 out the door now.

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Patch to restorecon to add -R switch
  2004-10-01 19:00     ` Daniel J Walsh
@ 2004-10-01 19:43       ` Valdis.Kletnieks
  0 siblings, 0 replies; 11+ messages in thread
From: Valdis.Kletnieks @ 2004-10-01 19:43 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, SELinux

[-- Attachment #1: Type: text/plain, Size: 374 bytes --]

On Fri, 01 Oct 2004 15:00:17 EDT, Daniel J Walsh said:

> It was changed because the the messages were flooding the roots mailer 
> and if you ran fixfiles by hand, it would slow down the process
> if you were on a slow terminal.  You can still see the output by doing a 
> fixfiles -l `tty`

Hmm.. what does `tty` do inside a cron job?  That might matter to some people...

[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]


* Re: Patch to restorecon to add -R switch
  2004-09-27 17:28 Patch to restorecon to add -R switch Daniel J Walsh
  2004-09-28 20:03 ` Luke Kenneth Casson Leighton
  2004-09-29 19:08 ` James Carter
@ 2004-10-04 15:46 ` Stephen Smalley
  2004-10-04 15:56   ` Daniel J Walsh
  2004-10-05 18:06 ` Stephen Smalley
  3 siblings, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2004-10-04 15:46 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Mon, 2004-09-27 at 13:28, Daniel J Walsh wrote:
> This will allow us to
> 
> restorecon -R /dev in the initscripts.
> 
> Also patch adds some fixed for fixfiles.

So, how does this differ from just running setfiles on /dev instead?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Patch to restorecon to add -R switch
  2004-10-04 15:46 ` Stephen Smalley
@ 2004-10-04 15:56   ` Daniel J Walsh
  0 siblings, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2004-10-04 15:56 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

Stephen Smalley wrote:

>On Mon, 2004-09-27 at 13:28, Daniel J Walsh wrote:
>  
>
>>This will allow us to
>>
>>restorecon -R /dev in the initscripts.
>>
>>Also patch adds some fixed for fixfiles.
>>    
>>
>
>So, how does this differ from just running setfiles on /dev instead?
>
>  
>
Setfiles allows an arbitrary file_contexts file to be specified, so we 
do not allow init to run setfiles.
restorecon only reads the system file_context file.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Patch to restorecon to add -R switch
  2004-09-27 17:28 Patch to restorecon to add -R switch Daniel J Walsh
                   ` (2 preceding siblings ...)
  2004-10-04 15:46 ` Stephen Smalley
@ 2004-10-05 18:06 ` Stephen Smalley
  2004-10-05 18:18   ` Daniel J Walsh
  2004-10-05 21:26   ` Luke Kenneth Casson Leighton
  3 siblings, 2 replies; 11+ messages in thread
From: Stephen Smalley @ 2004-10-05 18:06 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Mon, 2004-09-27 at 13:28, Daniel J Walsh wrote:
> Also patch adds some fixed for fixfiles.

> --- policycoreutils-1.17.5/scripts/fixfiles.rhat	2004-08-30 11:46:47.000000000 -0400
> +++ policycoreutils-1.17.5/scripts/fixfiles	2004-09-24 18:46:15.672622592 -0400
> @@ -36,6 +36,8 @@
>  FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
>  FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
>  SELINUXTYPE="targeted"
> +FCFILE=`mktemp /var/tmp/file_contexts.XXXXXXXXXX`
> +trap "rm -f $FCFILE; exit 2" 1 2 3 5 15 

I thought we had agreed that generating a temporary FCFILE was
undesirable and unnecessary, given that:
a) it requires allowing setfiles to take temporary files as input (not
allowed by strict policy),
b) /dev nodes are no longer touched by setfiles anyway due to use of
tmpfs and udev.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Patch to restorecon to add -R switch
  2004-10-05 18:06 ` Stephen Smalley
@ 2004-10-05 18:18   ` Daniel J Walsh
  2004-10-05 21:26   ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2004-10-05 18:18 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

Stephen Smalley wrote:

>On Mon, 2004-09-27 at 13:28, Daniel J Walsh wrote:
>  
>
>>Also patch adds some fixed for fixfiles.
>>    
>>
>
>  
>
>>--- policycoreutils-1.17.5/scripts/fixfiles.rhat	2004-08-30 11:46:47.000000000 -0400
>>+++ policycoreutils-1.17.5/scripts/fixfiles	2004-09-24 18:46:15.672622592 -0400
>>@@ -36,6 +36,8 @@
>> FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
>> FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
>> SELINUXTYPE="targeted"
>>+FCFILE=`mktemp /var/tmp/file_contexts.XXXXXXXXXX`
>>+trap "rm -f $FCFILE; exit 2" 1 2 3 5 15 
>>    
>>
>
>I thought we had agreed that generating a temporary FCFILE was
>undesirable and unnecessary, given that:
>a) it requires allow setfiles to take temporary files as input (not
>allowed by strict policy),
>b) /dev nodes are no longer touched by setfiles anyway due to use of
>tmpfs and udev.
>
>  
>
Yes this should be pulled.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Patch to restorecon to add -R switch
  2004-10-05 18:06 ` Stephen Smalley
  2004-10-05 18:18   ` Daniel J Walsh
@ 2004-10-05 21:26   ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 11+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-05 21:26 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, SELinux

On Tue, Oct 05, 2004 at 02:06:08PM -0400, Stephen Smalley wrote:
> On Mon, 2004-09-27 at 13:28, Daniel J Walsh wrote:
> > Also patch adds some fixed for fixfiles.
> 
> > --- policycoreutils-1.17.5/scripts/fixfiles.rhat	2004-08-30 11:46:47.000000000 -0400
> > +++ policycoreutils-1.17.5/scripts/fixfiles	2004-09-24 18:46:15.672622592 -0400
> > @@ -36,6 +36,8 @@
> >  FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
> >  FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
> >  SELINUXTYPE="targeted"
> > +FCFILE=`mktemp /var/tmp/file_contexts.XXXXXXXXXX`
> > +trap "rm -f $FCFILE; exit 2" 1 2 3 5 15 
> 
> I thought we had agreed that generating a temporary FCFILE was
> undesirable and unnecessary, given that:
> a) it requires allow setfiles to take temporary files as input (not
> allowed by strict policy),
> b) /dev nodes are no longer touched by setfiles anyway due to use of
> tmpfs and udev.
 
  could somebody _please_ explain to me why /.dev should
  also not be touched (listed explicitly in files/types.fc),
  _particularly_ when the xattrs could get damaged, such that
  a system [which _doesn't_ do tmpfs+udev in initrd but _does_
  do tmpfs+udev later] could be put into a non-bootable state?

  l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

