On 12/04/2013 07:23 PM, Pádraig Brady wrote: > On 12/04/2013 05:49 PM, Daniel J Walsh wrote: >> On 12/04/2013 11:11 AM, Pádraig Brady wrote: >>> Before I pull the trigger on this release, I'd like to confirm a change you >>> did. >> >>> You changed `cp --context=CTX` to _not fail_ if selinux is disabled. I'm >>> thinking that if the old behavior of giving a specific context is not >>> supported, then we should fail? >> I have no problem if this fails, since the user was so explicit. My real >> goal >> is to allow people to put commands in init scripts and install post install >> scripts or any other scripts that do not need to check if SELinux is enabled. >> >> cp -Z foobar /etc >> >> Should always work. >> >>> Also I'm wondering about the -Z case with selinux disabled. I.E. would >>> defaultcon() and/or restorecon() support setting file contexts even if >>> selinux is currently disabled? I.E. should we attempt those even if selinux >>> is disabled, but suppress any associated warnings/errors? >> >>> thanks, Pádraig. >> >> When a machine comes back from being disabled it will require a full relabel >> to work properly whether or not these commands work. Theoretically restorecon >> should work, but defaultcon will not. > > Great thanks for the info. > I'll probably address this with the attached patch.
On further inspection, Red Hat's SELinux patch was different from the upstream patch in this regard. I.E. the Red Hat code did _not_ fail with `cp --context=...` or `install --context=...`. Now mkdir,mkfifo did fail for both code bases, but that's inconsistent, and cp/install would be the most used in this regard, so it makes sense to leave things as is and consistently _warn_ on selinux disabled systems. For completeness, -Z (which doesn't take a specific context) will not warn on selinux disabled systems. thanks, Pádraig.
