Hello all,

I would like to discuss the possible removal of the static path list in fixfiles' differential update mode (`fixfiles -C`).

Here is how it works:

160 # Compare PREVious File Context to currently installed File Context and
161 # run restorecon on all files affected by the differences.
162 #
163 diff_filecontext() {
164 EXCLUDEDIRS="`exclude_dirs_from_relabelling`"
165 for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do
166     [ -e $i ]  && EXCLUDEDIRS="${EXCLUDEDIRS} -e $i";
167 done
168 LogExcluded
169
170 if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
171         TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
172         test -z "$TEMPFILE" && exit
173         PREFCTEMPFILE=`mktemp ${PREFC}.XXXXXXXXXX`
174         sed -r -e 's,:s0, ,g' $PREFC | sort -u > ${PREFCTEMPFILE}
175         sed -r -e 's,:s0, ,g' $FC | sort -u | \
176         /usr/bin/diff -b ${PREFCTEMPFILE} - | \
177             grep '^[<>]'|cut -c3-| grep ^/ | \
178             egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
179         sed -r -e 's,[[:blank:]].*,,g' \
[...]
199         ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f -; \

Lines 165-167 and 178 statically prevent some paths from being updated with the new policy. I suspect this was done for efficiency and historical reasons.

I would propose the removal of these paths because:

- restorecon is (by default) automatically ignoring paths that are not mounted with `seclabel`. There shouldn't be a need to statically treat paths differently.
- Some paths currently in this list (e.g. `/home`) may require updating. During a policy update, packages (at least RHEL and Fedora) are using `fixfiles -C` to make the policy more efficient, resulting in a possibly incomplete policy update.
- The admin may not be aware of the manual steps required to fully apply the new policy after an update.

How about removing these lines?

Best regards,

Cedric
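
The effect of the line 178 filter, as an added example that is not part of the original message or of fixfiles itself: it runs the quoted sed/sort/diff/grep/cut steps over two constructed file_contexts files and lists the changed path specs that the filter withholds from restorecon. The function names `changed_paths`, `dropped_paths` and `demo`, the sample entries, and the trailing `sort -u` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not fixfiles code. Function names and sample data are hypothetical.

# Path specs whose context differs between old ($1) and new ($2) file_contexts.
# Mirrors quoted lines 174-177 and 179; the final sort -u is added here to
# de-duplicate the old/new pair that diff prints for each changed entry.
changed_paths() {
    old_sorted=$(mktemp) || return 1
    # diff exits 1 when the inputs differ, hence the trailing "|| true".
    sed -r -e 's,:s0, ,g' "$1" | sort -u > "$old_sorted"
    sed -r -e 's,:s0, ,g' "$2" | sort -u | \
        diff -b "$old_sorted" - | \
        grep '^[<>]' | cut -c3- | grep '^/' | \
        sed -r -e 's,[[:blank:]].*,,g' | sort -u || true
    rm -f "$old_sorted"
}

# Changed path specs that the static filter on line 178 removes, so that
# restorecon never receives them during a differential update.
dropped_paths() {
    changed_paths "$1" "$2" | grep -E '(^/home|^/root|^/tmp|^/dev)' || true
}

# Constructed file_contexts entries (not taken from a real policy).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/pre" <<'EOF'
/usr/bin/foo    system_u:object_r:bin_t:s0
/home/[^/]+/\.cache(/.*)?    system_u:object_r:user_home_t:s0
/root/\.ssh(/.*)?    system_u:object_r:ssh_home_t:s0
EOF
    cat > "$dir/new" <<'EOF'
/usr/bin/foo    system_u:object_r:foo_exec_t:s0
/home/[^/]+/\.cache(/.*)?    system_u:object_r:cache_home_t:s0
/root/\.ssh(/.*)?    system_u:object_r:ssh_home_t:s0
EOF
    echo "changed between policies:"
    changed_paths "$dir/pre" "$dir/new"
    echo "withheld from restorecon by the static filter:"
    dropped_paths "$dir/pre" "$dir/new"
    rm -rf "$dir"
}

demo
```

Running `dropped_paths` against the previous and current file_contexts after a policy update gives the list of specs that still need a manual relabel.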