* restorecon -R default
@ 2012-01-28 13:01 Russell Coker
2012-01-30 16:11 ` Stephen Smalley
0 siblings, 1 reply; 3+ messages in thread
From: Russell Coker @ 2012-01-28 13:01 UTC (permalink / raw)
To: SE-Linux
http://www.youtube.com/watch?v=ZThVfm3JXdM
A few years ago Paul Wayper gave an excellent introductory lecture about SE
Linux (see the above URL). He notes that he habitually uses -R for restorecon
every time.
It seems to me that the case where -R is not desired will be extremely rare.
It seems most uncommon that someone will have a directory with the wrong
label, a subdirectory tree that is either too big to scan quickly (and which
is known to have the correct labels) or which has labels which by design don't
match the file contexts.
Therefore I think we should make the common case be the default and require
that anyone who doesn't want that functionality specifically request it.
chcon uses the -h flag for changing the context of a sym-link instead of the
target, that might be a reasonable option to use for consistency.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: restorecon -R default
2012-01-28 13:01 restorecon -R default Russell Coker
@ 2012-01-30 16:11 ` Stephen Smalley
2012-01-30 18:32 ` Daniel J Walsh
0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2012-01-30 16:11 UTC (permalink / raw)
To: russell; +Cc: SE-Linux
On Sun, 2012-01-29 at 00:01 +1100, Russell Coker wrote:
> http://www.youtube.com/watch?v=ZThVfm3JXdM
>
> A few years ago Paul Wayper gave an excellent introductory lecture about SE
> Linux (see the above URL). He notes that he habitually uses -R for restorecon
> every time.
>
> It seems to me that the case where -R is not desired will be extremely rare.
> It seems most uncommon that someone will have a directory with the wrong
> label, a subdirectory tree that is either too big to scan quickly (and which
> is known to have the correct labels) or which has labels which by design don't
> match the file contexts.
>
> Therefore I think we should make the common case be the default and require
> that anyone who doesn't want that functionality specifically request it.
> chcon uses the -h flag for changing the context of a sym-link instead of the
> target, that might be a reasonable option to use for consistency.
Seems like it might prove surprising to users, both given the prior
default behavior of restorecon and the default behaviors of similar Unix
commands like chown/chmod. I don't think we can/should change it.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: restorecon -R default
2012-01-30 16:11 ` Stephen Smalley
@ 2012-01-30 18:32 ` Daniel J Walsh
0 siblings, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2012-01-30 18:32 UTC (permalink / raw)
To: Stephen Smalley; +Cc: russell, SE-Linux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/30/2012 11:11 AM, Stephen Smalley wrote:
> On Sun, 2012-01-29 at 00:01 +1100, Russell Coker wrote:
>> http://www.youtube.com/watch?v=ZThVfm3JXdM
>>
>> A few years ago Paul Wayper gave an excellent introductory
>> lecture about SE Linux (see the above URL). He notes that he
>> habitually uses -R for restorecon every time.
>>
>> It seems to me that the case where -R is not desired will be
>> extremely rare. It seems most uncommon that someone will have a
>> directory with the wrong label, a subdirectory tree that is
>> either too big to scan quickly (and which is known to have the
>> correct labels) or which has labels which by design don't match
>> the file contexts.
>>
>> Therefore I think we should make the common case be the default
>> and require that anyone who doesn't want that functionality
>> specifically request it. chcon uses the -h flag for changing the
>> context of a sym-link instead of the target, that might be a
>> reasonable option to use for consistency.
>
> Seems like it might prove surprising to users, both given the
> prior default behavior of restorecon and the default behaviors of
> similar Unix commands like chown/chmod. I don't think we
> can/should change it.
>
I agree, we should not change it. If a user wants to change the
default he can easily add
alias restorecon='restorecon -R'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8m4jwACgkQrlYvE4MpobNnBACeK+GjXZMR8uiHfenHSfoq5rRZ
ONAAoKdkgR7Px7mvPwmiOrmK0W4R98DB
=6p5K
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-01-30 18:32 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-01-28 13:01 restorecon -R default Russell Coker
2012-01-30 16:11 ` Stephen Smalley
2012-01-30 18:32 ` Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.