[Libguestfs] [PATCH V3] NEW API: add a new api restorecon
Daniel J Walsh
dwalsh at redhat.com
Mon Oct 29 14:05:10 UTC 2012
On 10/29/2012 09:42 AM, Richard W.M. Jones wrote:
> On Mon, Oct 29, 2012 at 09:29:16AM -0400, Daniel J Walsh wrote:
>>
>> On 10/28/2012 04:45 AM, Richard W.M. Jones wrote:
>>> On Fri, Oct 26, 2012 at 09:47:40AM +0800, Wanlong Gao wrote:
>>>> So, Rich, we have some problems here?
>>>
>>> Yeah, I don't see a way to use the restorecon API safely.
>>>
>>> Rich.
>>>
>> Why is that? selabel_file, with setfilecon() or setfscreatecon() should
>> be able to do what you want?
>
> I mean the API as proposed in the patch, where it just runs "restorecon"
> from the host on the guest. There may be other ways to do it, but none of
> them seem simpler than the way we currently do it (touching /.autorelabel
> in the guest).
>
> Rich.
>
Yes, as has been stated, restorecon will probably not work because it will
either get the wrong labels from the host or think that SELinux is disabled
and do nothing.

    /usr/sbin/setfiles PATHTOFILECONTE PATHTORESTORE

would work on a machine even if it thought SELinux was disabled, and you could
specify the path.

Or you could use the C API.

Or you could just trigger a reboot when the system starts up by executing

    touch /.autorelabel
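The options in the message above, as an added shell example (not code from the thread or from libguestfs): it reads the policy name from a mounted guest's /etc/selinux/config and prints a setfiles command that uses the guest's own file_contexts, falling back to touch /.autorelabel. The function names, the /etc/selinux/<type>/contexts/files/file_contexts layout and the use of setfiles -r are assumptions not stated in the thread.

```shell
#!/bin/sh
# Added example: decide how to relabel an offline guest mounted at $1.
# Assumed guest layout: /etc/selinux/config names the policy (SELINUXTYPE)
# and /etc/selinux/<policy>/contexts/files/file_contexts holds the labels.

# Print the policy name configured inside the guest root.
guest_policy_type() {
    cfg="$1/etc/selinux/config"
    [ -r "$cfg" ] || return 1
    # Commented-out lines are ignored; the last SELINUXTYPE= line wins.
    pol=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$pol" ] || return 1
    printf '%s\n' "$pol"
}

# Print (for review, not execute) the command that relabels the guest.
guest_relabel_cmd() {
    groot=${1%/}                      # mount point, trailing slash dropped
    [ -d "$groot" ] || return 2
    if gpol=$(guest_policy_type "$groot") &&
       [ -r "$groot/etc/selinux/$gpol/contexts/files/file_contexts" ]; then
        # The spec file comes from the guest, so the host's labels are not
        # used; -r makes setfiles treat the mount point as / when matching.
        printf 'setfiles -r %s %s %s\n' "$groot" \
            "$groot/etc/selinux/$gpol/contexts/files/file_contexts" "$groot"
    else
        # No usable policy in the guest: let it relabel itself at boot.
        printf 'touch %s/.autorelabel\n' "$groot"
    fi
}

# Stand-alone use: pass the guest mount point as the first argument.
if [ "$#" -gt 0 ]; then
    guest_relabel_cmd "$1"
fi
```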