-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David P. Quigley wrote: > On Tue, 2008-10-07 at 09:42 -0400, Jon Masters wrote: >> On Mon, 2008-10-06 at 15:17 -0500, Jerry Vonau wrote: >>> Daniel J Walsh wrote: >>>> Jon Masters wrote: >>>>> On Fri, 2008-10-03 at 09:13 -0400, Daniel J Walsh wrote: >>>>> >>>>>>> $ mount -o loop Fedora-9-i386-DVD.iso /mnt >>>>>>> >>>>>>> And then one might legitimately expect to be able to copy the content >>>>>>> of /mnt over to e.g. /somewhere/fedora/9/i386 for NFS installs. But >>>>>>> suppose that one is running SELinux in enforcing mode, then this will >>>>>>> fail because the contexts differ in this operation. Then, one will >>>>>>> likely quickly become severely annoyed and frustrated with SELinux, >>>>>>> simply setting it permissive for the duration of the operation... >>> I've seen this... >> Indeed. I have too, one too many times. >> >>> SELinux is preventing cp from creating a file with a context of >>> iso9660_t on a >>> filesystem. >> Ah yes, I probably used the standard "cp -ax blah /blah" command. I >> guess I'll need to learn not to use such standard commands in future and >> adapt everything around SELinux. Because that's very non-obtrusive, and >> won't cause regular users any anguish at all. >> >> Jon. >> >> > > I think the main question here is should archive try to retain the > SELinux context. From what I've heard from people here, initially the > idea was to try to preserve the context and if that failed fall back to > labeling based on the parent. That doesn't seem to be what cp is trying > to do. If we removed the retain the context part from the archive switch > of cp you would get labeling based on the parent but then you would be > required to explicitly specify preserve the context when you wanted to > archive that as well. > > It doesn't seem like anyone is actually depending on the associate > permission so it might be worth someone looking into removing it if no > one is really using it. It has its applications but I don't believe Red > Hat is using it at this time. > > Dave > That is fine with me but I would like to get the opinion of upstream coreutils. Jim what do you think? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjsxvwACgkQrlYvE4MpobN3ugCeKH/NjySwoZBcLgGpek+ZDLDq Zj8An1Qg6H/gH+IjmDNEdy6emhzjpWkO =WQA3 -----END PGP SIGNATURE----- -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
