On Tue, 2008-05-20 at 15:43 -0400, Daniel J Walsh wrote:
> Jeremy Katz wrote:
> > On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> >> On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> >>> Making use of the wonderful new deferred selinux context patch set from
> >>> the kernel I get beautiful message like:
> >>>
> >>> /sbin/restorecon reset /sbin/dump context
> >>> system_u:object_r:unlabeled_t:s0->system_u:object_r:eparis_exec_t:s0
> >>>
> >>> The file wasn't really "unlabeled_t" it just wasn't a valid label on the
> >>> host machine. Since restorecon/fixfiles runs over the same files like 3
> >>> times during a livecd creation this gets rather annoying. Do we have an
> >>> interface I could use to make restorecon do the right comparison here?
> >> Well, could we instead avoid running restorecon/fixfiles multiple times
> >> on the same files? And ideally just get rpm to label the files
> >> correctly in the first place since that is why we added the kernel
> >> patch?
> >
> > FWIW, we do a final pass with restorecon/fixfiles at the end of creating
> > the files just so that we can ensure that any files that were created as
> > the result of a %post script or anything else which doesn't transition
> > correctly (... perhaps because the policy doesn't know it needs to) ends
> > up with the right final label. This is pretty confined to just the
> > livecd-creator case, though.
> >
> > Jeremy
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Can we use fixfiles restore instead of restorecon. It will output a
> little "*" for every 10,000 files it relabels and we don't need to see
> thousands of useless restorecon lines.

Isn't that just the same as calling restorecon with -p rather than -v?

--
Stephen Smalley
National Security Agency