On Sep 16, 2009, at 10:02 AM, Stephen Smalley wrote:
What is the best we can do? Should we always attempt to relabel if
selinux is disabled or not?
The patch is the best we can do - we shouldn't exclude any mounts based
on the absence of seclabel in /proc/mounts if SELinux is disabled.
Historically setfiles has always supported relabeling filesystems even
if SELinux was disabled in the host.
There's a fundamental confusion between the act (of labelling) and the
use of selinux labels.
The issue shows up when there are multiple (and possibly incompatible)
sets of labels, such as in chroot's, or creating an image for a different
installation.
One can choose to not install labels conditioned on whether
is_selinux_enabled() consistently and methodically.
Perhaps a simple example to illustrate:
Should cp(1) always copy security labels or only if is_selinux_enabled()?
What I'm hearing is "No. cp(1) should copy labels iff
is_selinux_enabled() is TRUE."
73 de Jeff