On 12/01/17 20:01, Stephen Smalley wrote:
> On Wed, 2017-01-11 at 12:41 +0000, Alan Jenkins wrote:
>> fixfiles links to restorecon.  However if you start with restorecon
>> "restore file(s) default SELinux security contexts", you can easily
>> miss the fixfiles script.  fixfiles is more generally useful than
>> `restorecon -R`.   For example `restorecon -R /` is not as good as
>> `fixfiles restore`, because the restorecon command will try to
>> relabel `/sys` and fail noisily.
>
> Thanks, applied both patches.

yay!

> Wondering though about the behavior
> you describe above; restorecon -R /sys only issues one error message
> for me and otherwise works fine,
>
> # restorecon -R /sys
> Could not set context for /sys/fs/cgroup:  Read-only file system

It turned out fixfiles also generated similar noise. I suspect this involved `-v` (in both cases), sorry.

Fedora Workstation 25:
"fixfiles spams warnings about debugfs. (docs say it only touches "real" filesystems!)" https://bugzilla.redhat.com/show_bug.cgi?id=1412747

Perhaps the root cause is actually the same. I still prefer the messages from fixfiles though. It explicitly detected conflicting labels on hardlinks

https://bugzilla.redhat.com/show_bug.cgi?id=1411371

and informed me in advance when it decided to traverse and relabel five of my virtual filesystems

   Checking / /boot /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm
   /home /run /run/user/1000 /run/user/1001 /run/user/42 /sys
   /sys/fs/pstore /sys/kernel/debug /tmp

(I doubt devtmpfs files are _intended_ to be labeled like this either. OTOH the stupidity doesn't seem to affect it, so I won't complain there).
_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov