On Wed, 2008-05-21 at 10:06 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Tue, 2008-05-20 at 15:43 -0400, Daniel J Walsh wrote:
> >> Jeremy Katz wrote:
> >>> On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> >>>> On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> >>>>> Making use of the wonderful new deferred selinux context patch set from
> >>>>> the kernel I get beautiful messages like:
> >>>>>
> >>>>> /sbin/restorecon reset /sbin/dump context
> >>>>> system_u:object_r:unlabeled_t:s0->system_u:object_r:eparis_exec_t:s0
> >>>>>
> >>>>> The file wasn't really "unlabeled_t"; it just wasn't a valid label on the
> >>>>> host machine. Since restorecon/fixfiles runs over the same files like 3
> >>>>> times during a livecd creation this gets rather annoying. Do we have an
> >>>>> interface I could use to make restorecon do the right comparison here?
> >>>> Well, could we instead avoid running restorecon/fixfiles multiple times
> >>>> on the same files? And ideally just get rpm to label the files
> >>>> correctly in the first place, since that is why we added the kernel
> >>>> patch?
> >>> FWIW, we do a final pass with restorecon/fixfiles at the end of creating
> >>> the files just so that we can ensure that any files that were created as
> >>> the result of a %post script or anything else which doesn't transition
> >>> correctly (... perhaps because the policy doesn't know it needs to) end
> >>> up with the right final label. This is pretty confined to just the
> >>> livecd-creator case, though.
> >>>
> >>> Jeremy
> >>>
> >>> --
> >>> fedora-selinux-list mailing list
> >>> fedora-selinux-list@xxxxxxxxxx
> >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >> Can we use fixfiles restore instead of restorecon? It will output a
> >> little "*" for every 10,000 files it relabels, and we don't need to see
> >> thousands of useless restorecon lines.
> >
> > Isn't that just the same as calling restorecon with -p rather than -v?
> >
> I believe fixfiles restore only labels file systems that support labels,
> while restorecon -R -v / will walk all file systems. So fixfiles might
> be a little faster.
>
> /usr/bin/find "$FILEPATH" \
>     ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype
>     ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs \) -prune -o
>     -print0 | \
> ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE

I see. I'm not sure how much of a problem that is for the chroot
environment, and restorecon does have the -e option for excluding parts
of the tree, although it is non-optimal in implementation (ideally we
could prune the tree walk itself, but I think that would require
converting restorecon from using nftw to using fts, which has long been
a todo item).

However, if they were to use fixfiles restore, is there a way to enable
verbose mode there? /sbin/fixfiles restore -v doesn't work.

--
Stephen Smalley
National Security Agency
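The fixfiles snippet Dan quotes above does its filesystem filtering in find(1) rather than in restorecon, which is why it never visits /proc, /sys or tmpfs mounts at all. The script below is an added example written for this page; it is not code from the thread or from /sbin/fixfiles. It reproduces that prune-then-pipe pattern as reusable functions, taking the filesystem-type list from the quoted snippet as an assumption (your distribution's list may differ), and adds a counting helper so you can check whether a chroot or livecd tree actually sits on a labelable filesystem before relabeling it. Extra arguments go straight to restorecon, so `relabel_labeled_fs /path -n -v` previews what would change without touching any label.

```shell
#!/bin/sh
# Added example, not code from the thread or from /sbin/fixfiles: relabel only
# the filesystems that can carry SELinux xattr labels, the way fixfiles restore
# does, by pruning every other subtree out of the find(1) walk before
# restorecon ever sees it.  The fstype list is an assumption copied from the
# quoted fixfiles snippet; extend it for your own system.
LABELED_FS="ext2 ext3 ext4 ext4dev gfs2 jfs xfs"

# Build the find(1) expression as a single eval-ready string, e.g.
#   ! \( -fstype ext4 -o -fstype xfs \) -prune -o -print0
# $1 is a space-separated list of filesystem types.
prune_expr() {
    expr='! \('
    sep=''
    for fs in $1; do
        expr="$expr$sep -fstype $fs"
        sep=' -o'
    done
    printf '%s\n' "$expr \\) -prune -o -print0"
}

# Walk $1 and hand the NUL-separated paths on labeled filesystems to restorecon
# via "-0 -f -".  Remaining arguments are passed through to restorecon
# (e.g. "-n -v" for a dry run); RESTORECON may be overridden for testing.
relabel_labeled_fs() {
    root=$1
    shift
    eval "find \"\$root\" $(prune_expr "$LABELED_FS")" \
        | "${RESTORECON:-/sbin/restorecon}" -0 -f - "$@"
}

# Same walk, but only counts how many paths restorecon would be handed.  A
# result of 0 means the whole tree was pruned, i.e. it is not on a filesystem
# in LABELED_FS and a relabel pass there would be wasted work.
count_labeled_paths() {
    eval "find \"\$1\" $(prune_expr "$LABELED_FS")" | tr -cd '\000' | wc -c | tr -d ' '
}

# Usage: ./relabel.sh /path/to/tree [restorecon options]
if [ $# -gt 0 ]; then
    relabel_labeled_fs "$@"
fi
```

Compared with restorecon's own -e option, which still walks the excluded subtrees with nftw and merely skips relabeling them, this approach stops descending at the mount point, which is the pruning Stephen describes as the ideal.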