On Mon, Sep 19, 2022 at 1:35 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> On Mon, 19 Sept 2022 at 13:29, Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > Always run find with -xdev to avoid unintended deleting/relabeling.
> > While this may sometimes skip subdirectories that should be relabeled,
> > the danger of crossing into random mounts is greater than leaving behind
> > some unlabeled files. The find commands are just best-effort attempts to
> > fix the labels anyway.
>
> The xdev option does not work for bind mounts (they are still followed).

Hm... it does not if the bind mounted dir is on the same filesystem
(superblock), so in the case where /tmp is a plain directory on the root
filesystem it will allow traversing to other directories directly on the
root filesystem. I guess that's still better than nothing, though...

An alternative (at least for the more dangerous -delete part) could be to
change the prompt to suggest switching to do the equivalent of
`fixfiles -F onboot` + reboot. The current prompt instructs the user to
reboot the machine anyway, so it wouldn't really make things more
complicated for the user. Maybe I'll draft a patch for this...

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
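The point Ondrej makes above is that `find -xdev` compares each directory's `st_dev` with that of the starting directory, and a bind mount whose source lives on the same superblock has the same `st_dev`, so `-xdev` does not stop there. The following checker, which is an added example and not part of this thread or of the policycoreutils code being discussed, makes that visible before a `find ... -delete` or relabel run: it reads `/proc/self/mountinfo`, finds the mount that contains the start directory, and splits the mount points below it into those that share its `major:minor` (which `-xdev` will descend into) and those on a different device (where `-xdev` stops). The `SAMPLE_MOUNTINFO` text, the function names and the paths in it are constructed for the example.

```python
"""Report mount points below a directory that `find -xdev` would still descend into.

Bind mounts of a subtree of the same filesystem share the filesystem's
major:minor in /proc/self/mountinfo (and the same st_dev), so -xdev treats
them as part of the starting filesystem. Mounts backed by another device or
superblock (tmpfs, another partition) have a different major:minor and -xdev
stops at them.
"""
import sys

# Constructed mountinfo sample (not from a real system):
#   /tmp/data and "/tmp/home dir" are bind mounts of other parts of the root fs
#   /tmp/scratch is a tmpfs, /tmp/usb is a separate partition
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
35 22 0:25 / /proc rw,nosuid - proc proc rw
40 22 8:1 /srv/data /tmp/data rw,relatime - ext4 /dev/sda1 rw
41 22 0:30 / /tmp/scratch rw,nosuid - tmpfs tmpfs rw
42 22 8:17 / /tmp/usb rw,relatime - ext4 /dev/sdb1 rw
43 22 8:1 /home /tmp/home\\040dir rw,relatime - ext4 /dev/sda1 rw
"""


def _unescape(field):
    """Decode the octal escapes (\\040 for space, etc.) mountinfo uses in paths."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 3 < len(field) and field[i + 1:i + 4].isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mountinfo(text):
    """Parse mountinfo lines: id parent major:minor root mountpoint opts [tags] - fstype source sopts."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dash = fields.index("-")  # separator between optional tags and fstype
        mounts.append({
            "dev": fields[2],                      # major:minor of the backing superblock
            "root": _unescape(fields[3]),          # subtree of that fs visible at mountpoint
            "mountpoint": _unescape(fields[4]),
            "fstype": fields[dash + 1],
        })
    return mounts


def _is_under(path, base):
    """True if `path` equals `base` or lies below it."""
    if base == "/":
        return True
    return path == base or path.startswith(base + "/")


def classify_mounts_under(start, mountinfo_text):
    """Return (followed, stopped) for mounts strictly below `start`.

    followed: list of (mountpoint, source_root) that share the device of the
              mount containing `start`, i.e. `find start -xdev` enters them
    stopped:  list of mountpoints on a different device, where -xdev stops
    """
    start = start.rstrip("/") or "/"
    mounts = parse_mountinfo(mountinfo_text)
    # The mount containing `start` is the deepest mountpoint that is a prefix of it;
    # on ties (stacked mounts) the later mountinfo entry is the visible one.
    _, containing = max(
        ((i, m) for i, m in enumerate(mounts) if _is_under(start, m["mountpoint"])),
        key=lambda im: (len(im[1]["mountpoint"]), im[0]),
    )
    followed, stopped = [], []
    for m in mounts:
        if m["mountpoint"] == start or not _is_under(m["mountpoint"], start):
            continue
        if m["dev"] == containing["dev"]:
            followed.append((m["mountpoint"], m["root"]))
        else:
            stopped.append(m["mountpoint"])
    return followed, stopped


if __name__ == "__main__":
    # Usage: python3 xdev_check.py /tmp   (reads the live mount table)
    start_dir = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    with open("/proc/self/mountinfo") as f:
        followed, stopped = classify_mounts_under(start_dir, f.read())
    for mp, root in followed:
        print(f"find -xdev WILL enter {mp} (bind mount of {root} on the same fs)")
    for mp in stopped:
        print(f"find -xdev stops at {mp}")
```

Run against the live table it tells you, before a cleanup of `/tmp`, which bind mounts `-xdev` will not protect; for the sample above it reports `/tmp/data` (a bind of `/srv/data`) and `/tmp/home dir` as followed, and the tmpfs and the separate partition as stopped. That is exactly the gap Ondrej describes, and the reason the thread leans towards `fixfiles -F onboot` plus a reboot for the delete step rather than relying on `find` alone.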