On 09/30/2016 11:55 AM, Richard Haines wrote: > On Fri, 2016-09-30 at 11:07 -0400, Stephen Smalley wrote: >> Reverse the sense of the -D option, from disabling setting/use of >> security.restorecon_last to enabling it, making disabled the default >> state. >> >> Rationale: >> 1) Users often use restorecon to fix labels on files whose labels are >> wrong even through nothing has changed in file_contexts, e.g. after >> copying/moving files to a different location. They won't expect >> restorecon to suddenly stop relabeling by default because the hash of >> file_contexts hasn't changed. >> >> 2) Only processes running with CAP_SYS_ADMIN can set >> security.restorecon_last, so this will fail for non-root users >> anyway. > > Only a couple of minor points concerning both man pages that need > updates: > 1) In the SYNOPSIS I have [-I|-D]. These should now be [-I] [-D] > 2) As -I and -D would now be used together to force an update would it > be worth adding some text at the -I option, for example: > > ... "This option must be used with the -D option." See the NOTES.... I'll just make -I also enable -D automatically. > >> >> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> >> --- >> policycoreutils/setfiles/restorecon.8 | 16 +++++++++------- >> policycoreutils/setfiles/setfiles.8 | 18 ++++++++++-------- >> policycoreutils/setfiles/setfiles.c | 9 +++++---- >> 3 files changed, 24 insertions(+), 19 deletions(-) >> >> diff --git a/policycoreutils/setfiles/restorecon.8 >> b/policycoreutils/setfiles/restorecon.8 >> index f996467..fdb468b 100644 >> --- a/policycoreutils/setfiles/restorecon.8 >> +++ b/policycoreutils/setfiles/restorecon.8 >> @@ -92,12 +92,10 @@ there are no errors. See the >> section for further details. >> .TP >> .B \-D >> -do not set or update any directory SHA1 digests. Use this option to >> -effectively disable usage of the >> +Set or update any directory SHA1 digests. Use this option to >> +enable usage of the >> .IR security.restorecon_last >> -extended attribute. Note that using this option will override the >> -.B \-I >> -option. >> +extended attribute. >> .TP >> .B \-m >> do not read >> @@ -174,15 +172,19 @@ To improve performance when relabeling file >> systems recursively (i.e. the >> or >> .B \-r >> option is set), >> +the >> +.B \-D >> +option to >> .B restorecon >> -will write an SHA1 digest of the default specfiles set to an >> extended >> +will cause it to store a SHA1 digest of the default specfiles set in >> an extended >> attribute named >> .IR security.restorecon_last >> -to the directory specified in each >> +on the directory specified in each >> .IR pathname \ ... >> once the relabeling has been completed successfully. This digest >> will be >> checked should >> .B restorecon >> +.B \-D >> be rerun with the same >> .I pathname >> parameters. See >> diff --git a/policycoreutils/setfiles/setfiles.8 >> b/policycoreutils/setfiles/setfiles.8 >> index 11bc335..6901e13 100644 >> --- a/policycoreutils/setfiles/setfiles.8 >> +++ b/policycoreutils/setfiles/setfiles.8 >> @@ -88,12 +88,10 @@ there are no errors. See the >> section for further details. >> .TP >> .B \-D >> -do not set or update any directory SHA1 digests. Use this option to >> -effectively disable usage of the >> +Set or update any directory SHA1 digests. Use this option to >> +enable usage of the >> .IR security.restorecon_last >> -extended attribute. Note that using this option will override the >> -.B \-I >> -option. >> +extended attribute. >> .TP >> .B \-l >> log changes in file labels to syslog. >> @@ -223,16 +221,20 @@ message label >> .BR FS_RELABEL . >> .IP "3." 4 >> To improve performance when relabeling file systems recursively >> +the >> +.B \-D >> +option to >> .B setfiles >> -will write an SHA1 digest of the >> +will cause it to store a SHA1 digest of the >> .B spec_file >> -set to an extended attribute named >> +set in an extended attribute named >> .IR security.restorecon_last >> -to the directory specified in each >> +on the directory specified in each >> .IR pathname \ ... >> once the relabeling has been completed successfully. This digest >> will be >> checked should >> .B setfiles >> +.B \-D >> be rerun >> with the same >> .I spec_file >> diff --git a/policycoreutils/setfiles/setfiles.c >> b/policycoreutils/setfiles/setfiles.c >> index 520866e..22eba0f 100644 >> --- a/policycoreutils/setfiles/setfiles.c >> +++ b/policycoreutils/setfiles/setfiles.c >> @@ -157,7 +157,7 @@ int main(int argc, char **argv) >> altpath = NULL; >> null_terminated = 0; >> warn_no_match = 0; >> - request_digest = 1; >> + request_digest = 0; >> policyfile = NULL; >> nerr = 0; >> >> @@ -281,11 +281,12 @@ int main(int argc, char **argv) >> SELINUX_RESTORECON_IGNORE >> _DIGEST; >> break; >> case 'D': /* >> - * Don't request file_contexts digest in >> selabel_open >> - * This will effectively disable usage of >> the >> + * Request file_contexts digest in >> selabel_open >> + * This will effectively enable usage of >> the >> * security.restorecon_last extended >> attribute. >> */ >> - request_digest = 0; >> + request_digest = 1; >> + break; >> case 'l': >> r_opts.syslog_changes = >> SELINUX_RESTORECON_SYSLOG >> _CHANGES; > > _______________________________________________ > Selinux mailing list > Selinux@xxxxxxxxxxxxx > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. > _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
