Two related issues I just discovered with restorecon (sorry, I'm not close
to my private laptop so I can't provide patches):
1) When running "restorecon -r /", restorecon (setfiles) wants to write an
audit message that the whole fs is being relabeled (only happens when doing
it on /), but the refpolicy doesn't seem to give setfiles_t access to write
audit messages which I guess it should.
2) When running "restorecon -r -n /", restorecon (setfiles) wants to write
the same audit message as above - which would be misleading since it's not
actually changing any labels.
--
David Härdeman
On 02/04/2011 08:14 AM, David Härdeman wrote:
> Two related issues I just discovered with restorecon (sorry, I'm not close
> to my private laptop so I can't provide patches):
>
> 1) When running "restorecon -r /", restorecon (setfiles) wants to write an
> audit message that the whole fs is being relabeled (only happens when doing
> it on /), but the refpolicy doesn't seem to give setfiles_t access to write
> audit messages which I guess it should.
>
> 2) When running "restorecon -r -n /", restorecon (setfiles) wants to write
> the same audit message as above - which would be misleading since it's not
> actually changing any labels.
>
Could you open two bugzillas?
The first one would be a policy issue. The second would be a
policycoreutils issue.
There is a rule in MLS/LSPP that says a full relabel requires an audit
message. Which is why setfiles/restorecon sends an audit message on
restorecon -R -v /
On Fri, Feb 04, 2011 at 08:55:04AM -0500, Daniel J Walsh wrote:
>On 02/04/2011 08:14 AM, David Härdeman wrote:
>> Two related issues I just discovered with restorecon (sorry, I'm not close
>> to my private laptop so I can't provide patches):
>>
>> 1) When running "restorecon -r /", restorecon (setfiles) wants to write an
>> audit message that the whole fs is being relabeled (only happens when doing
>> it on /), but the refpolicy doesn't seem to give setfiles_t access to write
>> audit messages which I guess it should.
>>
>> 2) When running "restorecon -r -n /", restorecon (setfiles) wants to write
>> the same audit message as above - which would be misleading since it's not
>> actually changing any labels.
>>
>Could you open two bugzillas
I'm sorry, you got me confused...bugzilla entries in the redhat bugzilla
database? I'm not a redhat user... (and apologies for not replying
straight away)...
--
David Härdeman
On 03/28/2011 06:14 PM, David Härdeman wrote:
> On Fri, Feb 04, 2011 at 08:55:04AM -0500, Daniel J Walsh wrote:
>> On 02/04/2011 08:14 AM, David Härdeman wrote:
>>> Two related issues I just discovered with restorecon (sorry, I'm not close
>>> to my private laptop so I can't provide patches):
>>>
>>> 1) When running "restorecon -r /", restorecon (setfiles) wants to write an
>>> audit message that the whole fs is being relabeled (only happens when doing
>>> it on /), but the refpolicy doesn't seem to give setfiles_t access to write
>>> audit messages which I guess it should.
>>>
>>> 2) When running "restorecon -r -n /", restorecon (setfiles) wants to write
>>> the same audit message as above - which would be misleading since it's not
>>> actually changing any labels.
>>>
>> Could you open two bugzillas
>
> I'm sorry, you got me confused...bugzilla entries in the redhat bugzilla
> database? I'm not a redhat user... (and apologies for not replying
> straight away)...
>
Yes I was thinking the Red Hat bugzilla, but now that you mention it, we
do allow the first in Red Hat/Fedora policy and the second is a bug in
policycoreutils/restorecon. (But not sure whether I would say it is a
high priority.)