Stephen Smalley wrote:
> On Tue, 2008-05-20 at 15:43 -0400, Daniel J Walsh wrote:
>> Jeremy Katz wrote:
>>> On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
>>>> On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
>>>>> Making use of the wonderful new deferred selinux context patch set from
>>>>> the kernel I get beautiful messages like:
>>>>>
>>>>> /sbin/restorecon reset /sbin/dump context
>>>>> system_u:object_r:unlabeled_t:s0->system_u:object_r:eparis_exec_t:s0
>>>>>
>>>>> The file wasn't really "unlabeled_t", it just wasn't a valid label on the
>>>>> host machine.  Since restorecon/fixfiles runs over the same files like 3
>>>>> times during a livecd creation this gets rather annoying.  Do we have an
>>>>> interface I could use to make restorecon do the right comparison here?
>>>> Well, could we instead avoid running restorecon/fixfiles multiple times
>>>> on the same files?  And ideally just get rpm to label the files
>>>> correctly in the first place since that is why we added the kernel
>>>> patch?
>>> FWIW, we do a final pass with restorecon/fixfiles at the end of creating
>>> the files just so that we can ensure that any files that were created as
>>> the result of a %post script or anything else which doesn't transition
>>> correctly (... perhaps because the policy doesn't know it needs to) end
>>> up with the right final label.  This is pretty confined to just the
>>> livecd-creator case, though.
>>>
>>> Jeremy
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Can we use fixfiles restore instead of restorecon?  It will output a
>> little "*" for every 10,000 files it relabels and we don't need to see
>> thousands of useless restorecon lines.
>
> Isn't that just the same as calling restorecon with -p rather than -v?
>
I believe fixfiles restore only labels file systems that support labels
while

restorecon -R -v /

will walk all file systems, so fixfiles might be a little faster.

/usr/bin/find "$FILEPATH" \
    ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs \) -prune -o -print0 | \
    ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE