* [refpolicy] Two issues with restorecon
@ 2011-02-04 13:14 David Härdeman
  2011-02-04 13:55 ` Daniel J Walsh
  0 siblings, 1 reply; 4+ messages in thread
From: David Härdeman @ 2011-02-04 13:14 UTC (permalink / raw)
  To: refpolicy

Two related issues I just discovered with restorecon (sorry, I'm not close
to my private laptop so I can't provide patches):

1) When running "restorecon -r /", restorecon (setfiles) wants to write an
audit message that the whole fs is being relabeled (only happens when doing
it on /), but the refpolicy doesn't seem to give setfiles_t access to write
audit messages which I guess it should.

2) When running "restorecon -r -n /", restorecon (setfiles) wants to write
the same audit message as above - which would be misleading since it's not
actually changing any labels.

-- 
David Härdeman

* [refpolicy] Two issues with restorecon
  2011-02-04 13:14 [refpolicy] Two issues with restorecon David Härdeman
@ 2011-02-04 13:55 ` Daniel J Walsh
  2011-03-28 22:14   ` David Härdeman
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2011-02-04 13:55 UTC (permalink / raw)
  To: refpolicy

On 02/04/2011 08:14 AM, David Härdeman wrote:
> Two related issues I just discovered with restorecon (sorry, I'm not close
> to my private laptop so I can't provide patches):
> 
> 1) When running "restorecon -r /", restorecon (setfiles) wants to write an
> audit message that the whole fs is being relabeled (only happens when doing
> it on /), but the refpolicy doesn't seem to give setfiles_t access to write
> audit messages which I guess it should.
> 
> 2) When running "restorecon -r -n /", restorecon (setfiles) wants to write
> the same audit message as above - which would be misleading since it's not
> actually changing any labels.
> 
Could you open two bugzillas?

The first one would be a policy issue.  The second would be a
policycoreutils issue.

There is a rule in MLS/LSPP that says a full relabel requires an audit
message.  Which is why setfiles/restorecon sends an audit message on
restorecon -R -v /
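
The following is an added example, not part of the original messages or of refpolicy: it scans audit records for AVC denials that stop a domain such as setfiles_t from sending the relabel audit message described above, and renders them as candidate allow rules. The log lines are constructed samples; the function names and the class/permission table are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1296825240.101:201): avc:  denied  { create } for  pid=4312 comm="restorecon" scontext=root:sysadm_r:setfiles_t:s0 tcontext=root:sysadm_r:setfiles_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1296825240.102:202): avc:  denied  { audit_write } for  pid=4312 comm="restorecon" capability=29 scontext=root:sysadm_r:setfiles_t:s0 tcontext=root:sysadm_r:setfiles_t:s0 tclass=capability
type=AVC msg=audit(1296825251.640:215): avc:  denied  { read } for  pid=4400 comm="httpd" name="secret" dev=sda1 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1296825260.000:230): avc:  granted  { nlmsg_relay } for  pid=4500 comm="restorecon" scontext=root:sysadm_r:setfiles_t:s0 tcontext=root:sysadm_r:setfiles_t:s0 tclass=netlink_audit_socket
"""

AVC_RE = re.compile(
    r"avc:\s+(denied|granted)\s+\{([^}]*)\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)
# Class/permission pairs involved in sending a userspace audit message
# (assumed table; None means every permission on that class is relevant).
AUDIT_SEND = {"capability": {"audit_write"}, "netlink_audit_socket": None}


def se_type(context):
    """Return the type field of a user:role:type[:level] context, or ''."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def audit_send_denials(log, domain="setfiles_t"):
    """Collect denied audit-sending permissions for `domain` acting on itself."""
    missing = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group(1) != "denied":
            continue  # skip non-AVC lines and "granted" records
        perms, scon, tcon, tclass = m.group(2).split(), *m.group(3, 4, 5)
        if se_type(scon) != domain or se_type(tcon) != domain:
            continue  # only the domain acting on itself
        if tclass not in AUDIT_SEND:
            continue
        wanted = AUDIT_SEND[tclass]
        missing[tclass].update(p for p in perms if wanted is None or p in wanted)
    return {c: sorted(p) for c, p in missing.items() if p}


def allow_rules(missing, domain="setfiles_t"):
    """Render the collected denials as candidate allow rules for review."""
    return [f"allow {domain} self:{c} {{ {' '.join(p)} }};" for c, p in sorted(missing.items())]


if __name__ == "__main__":
    print("\n".join(allow_rules(audit_send_denials(SAMPLE_LOG))))
```

In refpolicy this access is normally granted through the logging_send_audit_msgs() interface rather than hand-written allow rules.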


* [refpolicy] Two issues with restorecon
  2011-02-04 13:55 ` Daniel J Walsh
@ 2011-03-28 22:14   ` David Härdeman
  2011-03-29 13:56     ` Daniel J Walsh
  0 siblings, 1 reply; 4+ messages in thread
From: David Härdeman @ 2011-03-28 22:14 UTC (permalink / raw)
  To: refpolicy

On Fri, Feb 04, 2011 at 08:55:04AM -0500, Daniel J Walsh wrote:
>On 02/04/2011 08:14 AM, David Härdeman wrote:
>> Two related issues I just discovered with restorecon (sorry, I'm not close
>> to my private laptop so I can't provide patches):
>> 
>> 1) When running "restorecon -r /", restorecon (setfiles) wants to write an
>> audit message that the whole fs is being relabeled (only happens when doing
>> it on /), but the refpolicy doesn't seem to give setfiles_t access to write
>> audit messages which I guess it should.
>> 
>> 2) When running "restorecon -r -n /", restorecon (setfiles) wants to write
>> the same audit message as above - which would be misleading since it's not
>> actually changing any labels.
>> 
>Could you open two bugzillas

I'm sorry, you got me confused...bugzilla entries in the redhat bugzilla
database? I'm not a redhat user... (and apologies for not replying
straight away)...

-- 
David Härdeman

* [refpolicy] Two issues with restorecon
  2011-03-28 22:14   ` David Härdeman
@ 2011-03-29 13:56     ` Daniel J Walsh
  0 siblings, 0 replies; 4+ messages in thread
From: Daniel J Walsh @ 2011-03-29 13:56 UTC (permalink / raw)
  To: refpolicy

On 03/28/2011 06:14 PM, David Härdeman wrote:
> On Fri, Feb 04, 2011 at 08:55:04AM -0500, Daniel J Walsh wrote:
>> On 02/04/2011 08:14 AM, David Härdeman wrote:
>>> Two related issues I just discovered with restorecon (sorry, I'm not close
>>> to my private laptop so I can't provide patches):
>>>
>>> 1) When running "restorecon -r /", restorecon (setfiles) wants to write an
>>> audit message that the whole fs is being relabeled (only happens when doing
>>> it on /), but the refpolicy doesn't seem to give setfiles_t access to write
>>> audit messages which I guess it should.
>>>
>>> 2) When running "restorecon -r -n /", restorecon (setfiles) wants to write
>>> the same audit message as above - which would be misleading since it's not
>>> actually changing any labels.
>>>
>> Could you open two bugzillas
> 
> I'm sorry, you got me confused...bugzilla entries in the redhat bugzilla
> database? I'm not a redhat user... (and apologies for not replying
> straight away)...
> 
Yes I was thinking the Red Hat bugzilla, but now that you mention it, we
do allow the first in Red Hat/Fedora policy and the second is a bug in
policycoreutils/restorecon.  (But not sure whether I would say it is a
high priority.)