On Mon, Jul 6, 2020 at 3:16 PM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote: > > Thank you for reviewing: > > On 7/6/20 8:25 PM, Stephen Smalley wrote: > > On Tue, Jun 30, 2020 at 11:01 AM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote: > >> > >> By bind mounting every filesystem we want to relabel we can access all > >> files without anything hidden due to active mounts. > >> > >> This comes at the cost of user experience, because setfiles only > >> displays the percentage if no path is given or the path is / > > > > Perhaps this should be opt-in via a new command-line option rather > > than the default, given the user-visible difference in behavior and > > the potential for something to go wrong for existing users. We might > > also want to look at improving setfiles / selinux_restorecon() to > > support percentage progress without this limitation. > > I would argue that the new behavior is in theory "better" and allows removing a few questionable mounton allow rules from policies. If a user has files in a directory that was mounted over it could lead to surprises, so keeping a backwards compatible behavior is probably preferable. I will implement a new command-line option for it > > Fixing selinux_restorecon() to display the correct percentage is just a matter of improving it to check if the relabel targets the root of a mounted filesystem instead of the currently hard coded "/" (I think). > > >> > >> Signed-off-by: bauen1 <j2468h@xxxxxxxxx> > > > > Generally I think a real name is required for Signed-off-by lines in > > the DCO since otherwise it isn't truly meaningful from a legal > > perspective. > > I've now also read the guide on submitting patches to the linux kernel. What would be the best way to go about adding my real name and email address while also keeping my pseudonym and email in the commit, e.g. would just replacing the Signed-off-by with my real name and email address work ? I think the important part is that you use your real (legal) name in the Signed-off-by line. You can use whatever email address you like in the Signed-off-by line (as long as you can in fact receive email sent there), and that need not match the email address in the From header. Of course, IANAL and others may disagree.