Reverse the sense of the -D option, from disabling setting/use of security.restorecon_last to enabling it, making disabled the default state. Rationale: 1) Users often use restorecon to fix labels on files whose labels are wrong even through nothing has changed in file_contexts, e.g. after copying/moving files to a different location. They won't expect restorecon to suddenly stop relabeling by default because the hash of file_contexts hasn't changed. 2) Only processes running with CAP_SYS_ADMIN can set security.restorecon_last, so this will fail for non-root users anyway. Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> --- policycoreutils/setfiles/restorecon.8 | 16 +++++++++------- policycoreutils/setfiles/setfiles.8 | 18 ++++++++++-------- policycoreutils/setfiles/setfiles.c | 9 +++++---- 3 files changed, 24 insertions(+), 19 deletions(-) diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 index f996467..fdb468b 100644 --- a/policycoreutils/setfiles/restorecon.8 +++ b/policycoreutils/setfiles/restorecon.8 @@ -92,12 +92,10 @@ there are no errors. See the section for further details. .TP .B \-D -do not set or update any directory SHA1 digests. Use this option to -effectively disable usage of the +Set or update any directory SHA1 digests. Use this option to +enable usage of the .IR security.restorecon_last -extended attribute. Note that using this option will override the -.B \-I -option. +extended attribute. .TP .B \-m do not read @@ -174,15 +172,19 @@ To improve performance when relabeling file systems recursively (i.e. the or .B \-r option is set), +the +.B \-D +option to .B restorecon -will write an SHA1 digest of the default specfiles set to an extended +will cause it to store a SHA1 digest of the default specfiles set in an extended attribute named .IR security.restorecon_last -to the directory specified in each +on the directory specified in each .IR pathname \ ... once the relabeling has been completed successfully. This digest will be checked should .B restorecon +.B \-D be rerun with the same .I pathname parameters. See diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 index 11bc335..6901e13 100644 --- a/policycoreutils/setfiles/setfiles.8 +++ b/policycoreutils/setfiles/setfiles.8 @@ -88,12 +88,10 @@ there are no errors. See the section for further details. .TP .B \-D -do not set or update any directory SHA1 digests. Use this option to -effectively disable usage of the +Set or update any directory SHA1 digests. Use this option to +enable usage of the .IR security.restorecon_last -extended attribute. Note that using this option will override the -.B \-I -option. +extended attribute. .TP .B \-l log changes in file labels to syslog. @@ -223,16 +221,20 @@ message label .BR FS_RELABEL . .IP "3." 4 To improve performance when relabeling file systems recursively +the +.B \-D +option to .B setfiles -will write an SHA1 digest of the +will cause it to store a SHA1 digest of the .B spec_file -set to an extended attribute named +set in an extended attribute named .IR security.restorecon_last -to the directory specified in each +on the directory specified in each .IR pathname \ ... once the relabeling has been completed successfully. This digest will be checked should .B setfiles +.B \-D be rerun with the same .I spec_file diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c index 520866e..22eba0f 100644 --- a/policycoreutils/setfiles/setfiles.c +++ b/policycoreutils/setfiles/setfiles.c @@ -157,7 +157,7 @@ int main(int argc, char **argv) altpath = NULL; null_terminated = 0; warn_no_match = 0; - request_digest = 1; + request_digest = 0; policyfile = NULL; nerr = 0; @@ -281,11 +281,12 @@ int main(int argc, char **argv) SELINUX_RESTORECON_IGNORE_DIGEST; break; case 'D': /* - * Don't request file_contexts digest in selabel_open - * This will effectively disable usage of the + * Request file_contexts digest in selabel_open + * This will effectively enable usage of the * security.restorecon_last extended attribute. */ - request_digest = 0; + request_digest = 1; + break; case 'l': r_opts.syslog_changes = SELINUX_RESTORECON_SYSLOG_CHANGES; -- 2.7.4 _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
