On Tue, 2008-10-07 at 09:42 -0400, Jon Masters wrote:
> On Mon, 2008-10-06 at 15:17 -0500, Jerry Vonau wrote:
> > Daniel J Walsh wrote:
> > > Jon Masters wrote:
> > >> On Fri, 2008-10-03 at 09:13 -0400, Daniel J Walsh wrote:
> > >>
> > >>>> $ mount -o loop Fedora-9-i386-DVD.iso /mnt
> > >>>>
> > >>>> And then one might legitimately expect to be able to copy the content
> > >>>> of /mnt over to e.g. /somewhere/fedora/9/i386 for NFS installs. But
> > >>>> suppose that one is running SELinux in enforcing mode, then this will
> > >>>> fail because the contexts differ in this operation. Then, one will
> > >>>> likely quickly become severely annoyed and frustrated with SELinux,
> > >>>> simply setting it permissive for the duration of the operation...
> >
> > I've seen this...
>
> Indeed. I have too, one too many times.
>
> > SELinux is preventing cp from creating a file with a context of
> > iso9660_t on a
> > filesystem.
>
> Ah yes, I probably used the standard "cp -ax blah /blah" command. I
> guess I'll need to learn not to use such standard commands in future and
> adapt everything around SELinux. Because that's very non-obtrusive, and
> won't cause regular users any anguish at all.
>
> Jon.
>

I think the main question here is: should archive try to retain the SELinux context? From what I've heard from people here, initially the idea was to try to preserve the context and, if that failed, fall back to labeling based on the parent. That doesn't seem to be what cp is trying to do. If we removed the "retain the context" part from the archive switch of cp, you would get labeling based on the parent, but then you would be required to explicitly specify "preserve the context" when you wanted to archive that as well.

It doesn't seem like anyone is actually depending on the associate permission, so it might be worth someone looking into removing it if no one is really using it. It has its applications, but I don't believe Red Hat is using it at this time.

Dave
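
The behaviour discussed in the message above (try to keep the SELinux context, and fall back to labeling from the destination if that fails), written out as an added shell example; it is not code from the thread or from coreutils. `copy_tree` is a hypothetical helper name, and the example assumes GNU cp, whose `--preserve=context` and `--no-preserve=context` attributes select the two behaviours.

```shell
#!/bin/sh
# Added example, not from the thread. copy_tree is a hypothetical helper.
# Assumes GNU cp (coreutils).

# copy_tree SRC DST
# Copy the contents of SRC into DST in archive mode (mode, ownership,
# timestamps, links).
#   Attempt 1: also require the source SELinux context on every file.
#   Attempt 2: drop only the context, so each new file receives the default
#              label for where it is created under DST.
# Prints "preserved" or "parent-labeled" on stdout; returns non-zero if both
# attempts fail.
copy_tree() {
    src=$1
    dst=$2
    mkdir -p -- "$dst" || return 1

    # Explicit --preserve=context makes a context failure an error, e.g. when
    # policy refuses iso9660_t on the target filesystem or the kernel has no
    # SELinux support at all.
    if cp -a --preserve=context -- "$src"/. "$dst"/ 2>/dev/null; then
        echo preserved
        return 0
    fi

    # Fallback: same archive semantics minus the SELinux context. Files that
    # attempt 1 already created are overwritten.
    if cp -a --no-preserve=context -- "$src"/. "$dst"/; then
        echo parent-labeled
        return 0
    fi
    return 1
}
```

On an enforcing system, `ls -Z` on the destination shows which labels the copied files ended up with.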