-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/31/2012 08:54 PM, Pádraig Brady wrote:
> On 10/30/2012 02:43 PM, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> For some reason I could not get git to take more than a one line
>> comment. This is the comment I was trying to add.
>>
>>
>> build: Change -Z opt w/out arg label target with default label
>>
>> The -Z without argument will ask SELinux what the default label of the
>> dest object should be and then attempt to change it.
>>
>> The -Z with an optional context will create all targets with the optional
>> label. This is still supported for backwards compatibility.
>>
>> The mv command does not support the optional argument.
>>
>>
>> BTW, it looks like coreutils has removed -ZCONTEXT from cp, if I had my
>> druthers, I would make all commands just use -Z and not allow the
>> optional arg. Then -Z would just set the default label. I would bet
>> that no one in history has executed a command like:
>>
>> mkdir -Zunconfined_u:object_r:httpd_user_content_t:s0 ~/myweb
>
> Thanks for the update.
>
> Short options with optional args are very problematic. It would mean `cp
> -aZ` was OK while `cp -Za` was not etc. Also in Red Hat distros, `cp -Z`
> requires an arg, so changing that would mean that older scripts that used
> `cp -Z blah...` would break with newer cp, as a space is not allowed for
> optional args.
>
> For that reason I would keep -Z and --context as is, but deprecate them for
> the commands that set a context, and add a new --new-context option that
> could take the optional arg:
>
> In that way, -Z can continue to be used as it is commonly with commands
> like `ls` etc. to _read_ the context. Whereas the currently rare form of
> {mkdir,cp,install} -Z context:to_write can be deprecated in favor of:
>
> --new-context[=CONTEXT] set security context to CONTEXT, or set context to
> the system default for the destination.
>
> I'm mildly in favor of introducing --new-context, over just making
> --context take an optional arg (so that it's obvious a new context is being
> set, rather than one being copied), but I'm strongly against making -Z take
> an optional arg.
>
> cheers, Pádraig.

If I made the -Z option not take an optional arg but default to "setting the
default context, on the commands that create new content", are you ok with
that? Then make --context or --new-context always take an arg?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCSdywACgkQrlYvE4MpobNqYwCfZGS3+PH5J81pTc0llGrYpFY2
A58AoL0KeSENexkAnJW/KDZSb21tQRfe
=h+WZ
-----END PGP SIGNATURE-----