On 12/01/17 20:01, Stephen Smalley wrote:
> On Wed, 2017-01-11 at 12:41 +0000, Alan Jenkins wrote:
>> fixfiles links to restorecon. However if you start with restorecon
>> "restore file(s) default SELinux security contexts", you can easily
>> miss the fixfiles script. fixfiles is more generally useful than
>> `restorecon -R`. For example `restorecon -R /` is not as good as
>> `fixfiles restore`, because the restorecon command will try to
>> relabel `/sys` and fail noisily.
>
> Thanks, applied both patches.

yay!

> Wondering though about the behavior you describe above;
> restorecon -R /sys only issues one error message for me and
> otherwise works fine,
>
> # restorecon -R /sys
> Could not set context for /sys/fs/cgroup: Read-only file system

It turned out fixfiles also generated similar noise. I suspect this involved `-v` (in both cases), sorry.

Fedora Workstation 25:

"fixfiles spams warnings about debugfs. (docs say it only touches "real" filesystems!)"
https://bugzilla.redhat.com/show_bug.cgi?id=1412747

Perhaps the root cause is actually the same.

I still prefer the messages from fixfiles though. It explicitly detected conflicting labels on hardlinks

https://bugzilla.redhat.com/show_bug.cgi?id=1411371

and informed me in advance when it decided to traverse and relabel five of my virtual filesystems

    Checking / /boot /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /home /run /run/user/1000 /run/user/1001 /run/user/42 /sys /sys/fs/pstore /sys/kernel/debug /tmp

(I doubt devtmpfs files are _intended_ to be labeled like this either. OTOH the stupidity doesn't seem to affect it, so I won't complain there).