Is there difference betweek sefiles and restorecon in terms of labels

Is there difference betweek sefiles and restorecon in terms of labels

[Sam Gandhi]

Looking at man pages of sefiles and restorecon , both mention that
they initialize security context database ( extended attributes) on
one or more filesystems.

There are certainly differences between command line arguments, but
can these programs be used interchangeably as far as extended
attributes they assign to files?

-Sam

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is there difference betweek sefiles and restorecon in terms of labels

[Guido Trentalancia]

Hi Sam !

Restorecon is a symbolic link to setfiles.

Setfiles probably offers more options. Most notably, I think you can
choose the file contexts definitions (as far as I remember undocumented,
see belove).

I shall quote the code:

                /* 
                 * setfiles:  
                 * Recursive descent,
                 * Does not expand paths via realpath, 
                 * Aborts on errors during the file tree walk, 
                 * Try to track inode associations for conflict detection,
                 * Does not follow mounts,
                 * Validates all file contexts at init time. 
                 */

                /*
                 * restorecon:  
                 * No recursive descent unless -r/-R,
                 * Expands paths via realpath, 
                 * Do not abort on errors during the file tree walk,
                 * Do not try to track inode associations for conflict detection,
                 * Follows mounts,
                 * Does lazy validation of contexts upon use. 
                 */

Hope it helps. Please double-check for correctness.

Least but not last: there are a few undocumented options that I have
tried to document in a patch (see PATCH[1/2] and PATCH[2/2] that I
posted here on Sun, 20 Feb 2011 09:56:48 +0100).

Regards,

Guido

On Wed, 2011-04-27 at 15:59 -0700, Sam Gandhi wrote:
> Looking at man pages of sefiles and restorecon , both mention that
> they initialize security context database ( extended attributes) on
> one or more filesystems.
> 
> There are certainly differences between command line arguments, but
> can these programs be used interchangeably as far as extended
> attributes they assign to files?
> 
> -Sam
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is there difference betweek sefiles and restorecon in terms of labels

[Guido Trentalancia]

In short, the label ultimately depends on the file context
specification, not the tool you use. Therefore as long as the file
context specification is the same, then I suppose both setfiles and
restorecon produce the same label on the file.

Regards,

Guido

On Wed, 2011-04-27 at 15:59 -0700, Sam Gandhi wrote:
> Looking at man pages of sefiles and restorecon , both mention that
> they initialize security context database ( extended attributes) on
> one or more filesystems.
> 
> There are certainly differences between command line arguments, but
> can these programs be used interchangeably as far as extended
> attributes they assign to files?
> 
> -Sam
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is there difference betweek sefiles and restorecon in terms of labels

[Christopher J. PeBenito]

On 04/27/11 18:59, Sam Gandhi wrote:
> Looking at man pages of sefiles and restorecon , both mention that
> they initialize security context database ( extended attributes) on
> one or more filesystems.
> 
> There are certainly differences between command line arguments, but
> can these programs be used interchangeably as far as extended
> attributes they assign to files?

They both use the system's file context specification from the policy
and should set the same file context on any given path (if not, its a
bug).  The only difference between the two is their command line
arguments.  Setfiles, and correspondingly its command line arguments, is
primarily for initializing a filesystem's labels.  Restorecon is
oriented towards resetting the label on a file or a directory tree.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.