On 12/04/2013 07:44 PM, Pádraig Brady wrote:
> On 12/04/2013 07:23 PM, Pádraig Brady wrote:
>> On 12/04/2013 05:49 PM, Daniel J Walsh wrote:
>>> On 12/04/2013 11:11 AM, Pádraig Brady wrote:
>>>> Before I pull the trigger on this release, I'd like to confirm a
>>>> change you did.
>>>
>>>> You changed `cp --context=CTX` to _not fail_ if selinux is disabled.
>>>> I'm thinking that if the old behavior of giving a specific context is
>>>> not supported, then we should fail?
>>> I have no problem if this fails, since the user was so explicit. My
>>> real goal is to allow people to put commands in init scripts and
>>> install post install scripts or any other scripts that do not need to
>>> check if SELinux is enabled.
>>>
>>> cp -Z foobar /etc
>>>
>>> Should always work.
>>>
>>>> Also I'm wondering about the -Z case with selinux disabled. I.E.
>>>> would defaultcon() and/or restorecon() support setting file contexts
>>>> even if selinux is currently disabled? I.E. should we attempt those
>>>> even if selinux is disabled, but suppress any associated
>>>> warnings/errors?
>>>
>>>> thanks, Pádraig.
>>>
>>> When a machine comes back from being disabled it will require a full
>>> relabel to work properly whether or not these commands work.
>>> Theoretically restorecon should work, but defaultcon will not.
>>
>> Great thanks for the info. I'll probably address this with the attached
>> patch.
>
> On further inspection, Red Hat's SELinux patch was different from the
> upstream patch in this regard. I.E. the Red Hat code did _not_ fail with
> `cp --context=...` or `install --context=...`. Now mkdir,mkfifo did fail
> for both code bases, but that's inconsistent, and cp/install would be the
> most used in this regard, so it makes sense to leave things as is and
> consistently _warn_ on selinux disabled systems. For completeness, -Z
> (which doesn't take a specific context) will not warn on selinux disabled
> systems.
>
> thanks, Pádraig.
>
Ok that is fine with me.
