Pádraig Brady wrote:
> On 10/08/2012 09:24 PM, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> One of if not the most common problem people hit with SELinux is the mv
>> command, which maintains the file context of the source destination.
>>
>> mv /home/dwalsh/index.html /var/www/html/
>>
>> This blows up on everybody and then the users have no idea why.
>>
>> I was thinking about adding -Z (--restorecon) to mv and having it basically
>> do an internal restorecon on the destination.
>>
>> Then we could suggest people who get burnt by this to:
>>
>> alias mv="mv -Z"
>>
>> In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling the
>> regex, so there should be very little slow down in doing this.
>>
>> I will work on the patch, if people agree with the idea.
>
> I like the idea.
> Now cp and install should behave similarly,
> and they already have the -Z option.

Upstream cp does not have -Z.
I agree that this seems like the right time to add it.

> So I would suggest that cp, mv and install
> support the -Z option without an argument,
> which means auto set the context based on the destination.
>
> The caveat with that is that short options
> with optional args are very problematic.
> So I'd just have the long --context have
> an optional arg, while -Z would require an arg.

[in a follow-up]
> Thinking further, --context without an option,
> is not too clear to the user. They might think
> they were copying the original context rather
> than setting a new context.
> Pity the long option wasn't called --new-context.
> I suppose we could have that as an alias for --context
> and deprecate the former?

Sounds reasonable.
Adjust the other --context=CTX commands, mkdir, mkfifo, mknod at the same time.
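
The behaviour proposed in the thread (mv followed by a restorecon on the destination), approximated as a shell wrapper. This is an added example, not code from the thread or from coreutils; the function name `mvz` and the `RESTORECON` override variable are assumptions made for illustration.

```shell
# Added example: approximates the proposed "mv -Z" as a wrapper function.
# "mvz" and the RESTORECON override are hypothetical names used here only.
RESTORECON=${RESTORECON:-restorecon}

mvz() {
    if [ "$#" -lt 2 ]; then
        echo "usage: mvz SOURCE... DEST" >&2
        return 2
    fi
    # As with mv, the last argument is the destination.
    for dest in "$@"; do :; done
    dest_is_dir=0
    if [ -d "$dest" ]; then dest_is_dir=1; fi
    if [ "$#" -gt 2 ] && [ "$dest_is_dir" -eq 0 ]; then
        echo "mvz: target '$dest' is not a directory" >&2
        return 2
    fi
    rc=0
    # Move one source at a time so each resulting path is known.
    while [ "$#" -gt 1 ]; do
        src=$1
        shift
        target=$dest
        if [ "$dest_is_dir" -eq 1 ]; then
            target="${dest%/}/$(basename -- "$src")"
            if [ -d "$target" ]; then
                # A plain "mv src target" would nest src inside target.
                echo "mvz: '$target' already exists as a directory" >&2
                rc=1
                continue
            fi
        fi
        if mv -- "$src" "$target"; then
            # mv kept the source label; reset it to the policy default
            # for the new path (recursively, in case src was a directory).
            "$RESTORECON" -R -- "$target" || rc=1
        else
            rc=1
        fi
    done
    return "$rc"
}
```

Unlike an in-process `-Z`, the wrapper leaves a short window between the move and the relabel in which the file still carries its source context.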
