On Thursday, 24 September 2020 13:53:57 CEST Richard W.M. Jones wrote:
> > Considering that /tmp is a general location for temporary files, it's
> > common that files may end with a tmp_t-alike label when moved back to
> > the destination place (e.g. after a rename()). That is not the only
> > situation like this that I saw in the past.
> > 
> > In permissive mode, all these situations are logged in the audit log,
> > yes, but they cause no blocks nor errors.
> > 
> > > It's also fine for an administrator to
> > > switch a system to permissive and then back to enforcing without
> > > relabelling or rebooting.
> > 
> > A mislabelled /etc/passwd is still read and used fine in permissive
> > mode. Switching back from permissive to enforcing without a relabelling
> > is generally not a good idea, especially after the system ran for a
> > lot of time after the switch to permissive.
> 
> It seems true from what you wrote above that someone could copy
> /tmp/passwd -> /etc/passwd and it would have a wrong label.  But
> virt-v2v could fix that label, which even in permissive mode sounds
> like a win.

The question is: why? If the system had wrong labels even for system
files, and the administrator did not bother/want to fix them (because
of permissive), why should virt-v2v? Even if virt-v2v relabels a
permissive guest, the labels will get out of sync once the guest runs
again and does its own stuff, so there is no gain here.

> My question is what's the down-side to relabelling in permissive mode?

Time spent doing something that is not useful/used for the guest.

-- 
Pino Toscano
