On Friday, 26 August 2016, 17:55, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> On 08/24/2016 08:52 AM, Richard Haines wrote:
> > Allow the "security.restorecon_last" extended attribute to be ignored.
> > Setting this flag/option will not check or update any directory SHA1 digests.
> > Use this option to effectively disable usage of the security.restorecon_last
> > extended attribute. Note that setting this flag will override the
> > SELINUX_RESTORECON_IGNORE_DIGEST flag.
>
> Seems confusing/overlapping with SELINUX_RESTORECON_IGNORE_DIGEST.
> IGNORE_DIGEST presently disables using the result of the getxattr, but
> it might as well just skip calling getxattr altogether. So then the
> only real difference is whether we set the digest afterward. So maybe a
> SELINUX_RESTORECON_DONTSET_DIGEST option would make sense. But what's
> the use case?

I'll abandon this patch set as the correct way to disable the
"security.restorecon_last" extended attribute is to call selabel_open()
with SELABEL_OPT_DIGEST set to NULL. I'll therefore submit another patch
for setfiles/restorecon with this option.

Disabling the use of "security.restorecon_last" would be useful for those
who do not want this feature.

> > Richard Haines (2):
> >   libselinux: Ignore restorecon_last in selinux_restorecon(3)
> >   policycoreutils: setfiles - Add option to ignore restorecon_last
> >
> >  libselinux/include/selinux/restorecon.h  |  4 ++++
> >  libselinux/man/man3/selinux_restorecon.3 | 20 +++++++++++++++++---
> >  libselinux/src/selinux_restorecon.c      |  9 ++++++++-
> >  libselinux/utils/selinux_restorecon.c    |  9 +++++++--
> >  policycoreutils/setfiles/restore.c       |  5 +++--
> >  policycoreutils/setfiles/restore.h       |  2 ++
> >  policycoreutils/setfiles/restorecon.8    | 14 ++++++++++++--
> >  policycoreutils/setfiles/setfiles.8      | 12 +++++++++++-
> >  policycoreutils/setfiles/setfiles.c      | 19 ++++++++++++-------
> >  9 files changed, 76 insertions(+), 18 deletions(-)