The following patch set is for adding the -E option to setfiles which would
treat conflicting specifications as errors, rather than choosing from one of the
specifications. Choosing one of the specs introduces non-determinism which is
problematic, such as where filesystem images are being built in Yocto. Without
this option, the build is not repeatable, since you can have the same source
tree and have different labeling outcomes in the output image.

This results in setfiles output like the following:

    # ./setfiles -E file_contexts /tmp
    ./setfiles: conflicting specifications for /tmp/testfile and /tmp/hardlink, using system_u:object_r:no_access_t:s0.
    ./setfiles: treating conflicting specifications as an error.
    ./setfiles: filespec_add error: /tmp/testfile

libselinux/include/selinux/restorecon.h | 37 +++++++++++++++++++++----------------
libselinux/man/man3/selinux_restorecon.3 | 4 ++++
libselinux/src/selinux_restorecon.c | 13 +++++++++++--
policycoreutils/setfiles/restore.c | 2 +-
policycoreutils/setfiles/restore.h | 1 +
policycoreutils/setfiles/setfiles.8 | 5 +++++
policycoreutils/setfiles/setfiles.c | 10 +++++++---
7 files changed, 50 insertions(+), 22 deletions(-)
--
Chris PeBenito
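
Added example (not part of the patch set or of setfiles itself): a pre-build check that walks an image root, groups paths by inode, and reports hard-linked files whose paths resolve to different contexts, which is the condition -E turns into an error. The spec list, the example_*_t contexts and the matcher (anchored regex, last matching entry wins) are constructed assumptions and a simplification of libselinux's real lookup.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample specs (regex, context); not taken from any real policy.
SAMPLE_SPECS = [
    (r"/.*", "system_u:object_r:example_default_t:s0"),
    (r"/testfile", "system_u:object_r:example_a_t:s0"),
    (r"/hardlink", "system_u:object_r:example_b_t:s0"),
]

def lookup(specs, path):
    """Simplified matcher (assumption): anchored regex, last matching entry wins."""
    context = None
    for pattern, ctx in specs:
        if re.fullmatch(pattern, path):
            context = ctx
    return context

def find_conflicts(root, specs):
    """Return {(dev, ino): {relative_path: context}} for inodes whose links disagree."""
    by_inode = defaultdict(dict)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if st.st_nlink < 2:
                continue  # single link: only one path, so only one spec applies
            rel = "/" + os.path.relpath(full, root)
            by_inode[(st.st_dev, st.st_ino)][rel] = lookup(specs, rel)
    return {k: v for k, v in by_inode.items() if len(set(v.values())) > 1}

def demo():
    """Constructed tree: one conflicting hard-link pair and one consistent pair."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("testfile", "other"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("x")
        os.link(os.path.join(root, "testfile"), os.path.join(root, "hardlink"))
        os.link(os.path.join(root, "other"), os.path.join(root, "other2"))
        found = find_conflicts(root, SAMPLE_SPECS)
        return sorted(tuple(sorted(v.items())) for v in found.values())

if __name__ == "__main__":
    for links in demo():
        print("conflict:", links)
```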