[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libguestfs] [PATCH V3] NEW API: add a new api restorecon



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/29/2012 09:42 AM, Richard W.M. Jones wrote:
> On Mon, Oct 29, 2012 at 09:29:16AM -0400, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 10/28/2012 04:45 AM, Richard W.M. Jones wrote:
>>> On Fri, Oct 26, 2012 at 09:47:40AM +0800, Wanlong Gao wrote:
>>>> So, Rich, we have some problems here?
>>> 
>>> Yeah, I don't see a way to use the restorecon API safely.
>>> 
>>> Rich.
>>> 
>> Why is that?  selabel_file, with setfilecon() or setfscreatecon() should
>> be able to do what you want?
> 
> I mean the API as proposed in the patch, where it just runs "restorecon"
> from the host on the guest.  There may be other ways to do it, but none of
> them seem simpler than the way we currently do it (touching /.autorelabel
> in the guest).
> 
> Rich.
> 
Yes, as has been stated restorecon will probably not work because it will
either get the wrong labels from the host or think that SELinux is disabled
and do nothing.

/usr/sbin/setfiles PATHTOFILECONTE PATHTORESTORE

Would work on a machine even if it thought SELinux was disabled and you could
specify the path,

Or you could use the  c API.

Or you could just trigger a reboot when the system starts up by executing
touch /.autorelabel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCOjRUACgkQrlYvE4MpobMHBQCfVL61kooHMlRLn9fEUDBg0akf
uDUAoNuwqXhWWe/2IK8HasDDA50smUSn
=F+Nq
-----END PGP SIGNATURE-----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]