Re: id -Z subsumed by secon?

Re: id -Z subsumed by secon?

[James Antill]

[-- Attachment #1: Type: text/plain, Size: 305 bytes --]

On Tue, 2006-08-08 at 19:16 +0200, Jim Meyering wrote:

> By the way, doesn't secon make id's -Z option unnecessary?

 Well id -a is useful as a single line of all the current permissions,
IMO. It's also a lot easier to find id -Z and runcon or secon, IMO.

-- 
James Antill <jantill@redhat.com>

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

re: id -Z subsumed by secon?

[Daniel J Walsh]

>
>
> James Antill <james.antill@redhat.com> wrote:
>   
>> >  No, what Steven was saying is that the label for execcon will be reset
>> > on exec (after doing it's thing). To see this visually use "secon
>> > --self-exec" instead of id.
>> >
>> > % secon
>> > user: user_u
>>     
> ...
>
> Thanks for the example.
>
> By the way, doesn't secon make id's -Z option unnecessary?
> I'm planning not to include the 'id -Z' patches upstream,
> Instead, runcon (with neither CONTEXT nor COMMAND) will
> print the current security context -- to be analogous to how nice(1)
> works if you don't give it a command.
>
> Any objection?
>
>
>   
Yes I would like to maintain the idea of "-Z" being the way to view 
contexts.  This makes it easy for
a user to figure out how to see what context is being used.  ls -Z, ps 
-Z, netstat -Z ...


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

re: id -Z subsumed by secon?

[Janak Desai]

On Tue, 2006-08-08 at 14:58 -0400, Daniel J Walsh wrote:
> >
> >
> > James Antill <james.antill@redhat.com> wrote:
> >   
> >> >  No, what Steven was saying is that the label for execcon will be reset
> >> > on exec (after doing it's thing). To see this visually use "secon
> >> > --self-exec" instead of id.
> >> >
> >> > % secon
> >> > user: user_u
> >>     
> > ...
> >
> > Thanks for the example.
> >
> > By the way, doesn't secon make id's -Z option unnecessary?
> > I'm planning not to include the 'id -Z' patches upstream,
> > Instead, runcon (with neither CONTEXT nor COMMAND) will
> > print the current security context -- to be analogous to how nice(1)
> > works if you don't give it a command.
> >
> > Any objection?
> >
> >
> >   
> Yes I would like to maintain the idea of "-Z" being the way to view 
> contexts.  This makes it easy for
> a user to figure out how to see what context is being used.  ls -Z, ps 
> -Z, netstat -Z ...
> 
> 

We are also using "id -Z" in our evaluation tests and would like to
keep the option.

-Janak

> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

re: id -Z subsumed by secon?

[Karl MacMillan]

On Tue, 2006-08-08 at 14:58 -0400, Daniel J Walsh wrote:

> >
> > Thanks for the example.
> >
> > By the way, doesn't secon make id's -Z option unnecessary?
> > I'm planning not to include the 'id -Z' patches upstream,
> > Instead, runcon (with neither CONTEXT nor COMMAND) will
> > print the current security context -- to be analogous to how nice(1)
> > works if you don't give it a command.
> >
> > Any objection?
> >
> >
> >   
> Yes I would like to maintain the idea of "-Z" being the way to view 
> contexts.  This makes it easy for
> a user to figure out how to see what context is being used.  ls -Z, ps 
> -Z, netstat -Z ...
> 
> 

Jim - I didn't see a response on this so I thought I would go ahead and
agree with Dan here. All of the "-Z" options have been documented for
_years_ - removing them now would be a real hardship on users.

Karl

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

stat's -Z/--context option is gone [Re: id -Z subsumed by secon?

[Jim Meyering]

Janak Desai <janak@us.ibm.com> wrote:
> On Tue, 2006-08-08 at 14:58 -0400, Daniel J Walsh wrote:
>> > James Antill <james.antill@redhat.com> wrote:
...
>> > By the way, doesn't secon make id's -Z option unnecessary?
>> > I'm planning not to include the 'id -Z' patches upstream,
>> > Instead, runcon (with neither CONTEXT nor COMMAND) will
>> > print the current security context -- to be analogous to how nice(1)
>> > works if you don't give it a command.
>> >
>> > Any objection?
>> >
>> Yes I would like to maintain the idea of "-Z" being the way to view
>> contexts.  This makes it easy for
>> a user to figure out how to see what context is being used.  ls -Z, ps
>> -Z, netstat -Z ...
>
> We are also using "id -Z" in our evaluation tests and would like to
> keep the option.

Thanks for the feedback.
With all of those arguments, I don't have much of a choice, now do I? :)

Another FYI, stat's selinux-specific --context (-Z) will not
be included upstream.
It isn't really needed, after all.  Support for --context and -Z
will probably remain in Red Hat's version, as a warned-about no-op for a while.
Instead, there is just one long format string and one short.
Each will include the selinux security context, if available.
And the new %C 'just works' -- at least on a system with selinux.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: id -Z subsumed by secon?

[Jim Meyering]

Karl MacMillan <kmacmillan@mentalrootkit.com> wrote:
> Jim - I didn't see a response on this so I thought I would go ahead and
> agree with Dan here. All of the "-Z" options have been documented for
> _years_ - removing them now would be a real hardship on users.

No need to worry :)
After the first reply I was convinced.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.