-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/09/2012 08:54 AM, Jim Meyering wrote: > Pádraig Brady wrote: > >> On 10/08/2012 09:24 PM, Daniel J Walsh wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>> >>> One of if not the most common problem people hit with SELinux is the >>> mv command, which maintains the file context of the source >>> destination. >>> >>> mv /home/dwalsh/index.html /var/www/html/ >>> >>> This blows up on everybody and then the users have no idea why. >>> >>> I was thinking about adding -Z (--restorecon) to mv and having it >>> basically do a internal restorecon on the destination. >>> >>> Then we could suggest people who get burnt by this to: >>> >>> alias mv="mv -Z" >>> >>> In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling >>> the regex, so there should be very little slow down in doing this. >>> >>> I will work on the patch, if people agree with the idea. >> >> I like the idea. Now cp and install should behave similarly, and they >> already have the -Z option. > > Upstream cp does not have -Z. I agree that this seems like the right time > to add it. > >> So I would suggest that cp, mv and install support the -Z option without >> an argument, which means auto set the context based on the destination. >> >> The caveat with that is that short options with optional args are very >> problematic. So I'd just have the long --context have an optional arg, >> while -Z would require an arg. > > [in a follow-up] >> Thinking further, --context without an option, is not too clear to the >> user. They might think they were copying the original context rather than >> setting a new context. > >> Pity the long option wasn't called --new-context. I suppose we could have >> that as an alias for --context and deprecate the former? > > Sounds reasonable. Adjust the other --context=CTX commands, mkdir, mkfifo, > mknod at the same time. >
The sad thing is I would bet that no one ever uses any of these options. Since they all involve people understanding what the default labeling should be. Allowing users to just say when I create a new file, make sure the tool does the right thing as far as labeling, would be a huge advance. I really do not care what option you guys choose to use. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlB0Ky0ACgkQrlYvE4MpobN/2QCgld4aXuw/jme30u8x5GXQSuTw avYAn2FXPsN6yXEgWmeFc30W7KUQQPeg =GKaL -----END PGP SIGNATURE-----
