coreutils
Re: Make mv work better with SELinux.


From: Daniel J Walsh
Subject: Re: Make mv work better with SELinux.
Date: Wed, 05 Dec 2012 14:44:00 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0

On 12/04/2012 10:56 AM, Pádraig Brady wrote:
> On 12/04/2012 03:38 PM, Pádraig Brady wrote:
>> On 10/08/2012 09:24 PM, Daniel J Walsh wrote:
>>> One of if not the most common problem people hit with SELinux is the
>>> mv command, which maintains the file context of the source
>>> destination.
>>> 
>>> mv /home/dwalsh/index.html /var/www/html/
>>> 
>>> This blows up on everybody and then the users have no idea why.
>>> 
>>> I was thinking about adding -Z (--restorecon) to mv and having it
>>> basically do an internal restorecon on the destination.
>>> 
>>> Then we could suggest people who get burnt by this to:
>>> 
>>> alias mv="mv -Z"
>>> 
>>> In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling
>>> the regex, so there should be very little slow down in doing this.
>> 
>> A question on performance. So there was a large matchpathcon()
>> performance issue in Fedora 11 time, where we had a 20x slow down if
>> matchpathcon_init_prefix() wasn't called 
>> https://bugzilla.redhat.com/show_bug.cgi?id=479502#c24
>> 
>> Does calling matchpathcon_init_prefix() still provide benefit on Fedora
>> 18? More importantly, since the new selinux::restorecon_private()
>> doesn't call matchpathcon_init_prefix(), will it have the large
>> performance issues on Fedora <= 17 and other SELinux supporting
>> platforms?
>> 
>> Not a huge issue since install(1) enables setdefaultfilecon() by
>> default, whereas the new proposal would only enable when -Z is
>> specified. That's an inconsistency in the patch in this thread actually. 
>> install -Z runs the new restorecon(), while also running the old 
>> setdefaultfilecon(). Seems like we may need to drop the new install -Z 
>> code for now, and possibly in future merge restorecon() and
>> setdefaultfilecon()
> 
> Also could you comment on the different schemes used by restorecon() and
> setdefaultfilecon(). The old setdefaultfilecon() sets the context of the
> dest files to that returned by matchpathcon directly, whereas the new 
> restorecon() only uses the "type" portion of the context from
> matchpathcon() and inserts that into the existing context for the dest
> file.
> 
> thanks, Pádraig.

restorecon says set the file to the system default, and does not take into
account the level of the currently running process.

Let's imagine you have a process running as staff_u:sysadm_r:sysadm_t:s0:c1,c2
 on an MLS box.

cp ~dwalsh/resolv.conf /etc

The file would be created as staff_u:object_r:etc_t:s0:c1,c2

If we went with the traditional restorecon command,

cp -Z ~dwalsh/resolv.conf /etc

The file would be created as

system_u:object_r:resolv_conf_t:s0

With the new method it will be created as:

staff_u:object_r:resolv_conf_t:s0:c1,c2

Which means it would honor the intent of MLS to preserve the MLS level of the
data and preserve the user identity of the data.

Which seems to be more correct.


restorecon /etc/resolv.conf

In F18 also does not change the MLS level or SELinux User by default. It only
changes the type field.

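The two schemes compared in this thread, as an added example that is not part of the original message and is not coreutils or libselinux code: a stand-alone C program that takes only the type field from the policy default and keeps the user, role and MLS range of the current context. The helper names `type_field` and `merge_type` are hypothetical, the context layout `user:role:type[:range]` is assumed, and the context strings are the ones from the message above.

```c
#include <stdio.h>
#include <string.h>

/* Find the type field of "user:role:type[:range]". The MLS range may itself
   contain ':' (s0:c1,c2), so only the first three colons delimit fields.
   Returns 0 and sets *start and *len, or -1 if the context is malformed. */
static int type_field(const char *ctx, const char **start, size_t *len)
{
    const char *c1 = strchr(ctx, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    if (!c2 || c1 == ctx || c2 == c1 + 1)
        return -1;                      /* missing or empty user/role */
    const char *end = strchr(c2 + 1, ':');
    if (!end)
        end = ctx + strlen(ctx);        /* no range present */
    if (end == c2 + 1)
        return -1;                      /* empty type */
    *start = c2 + 1;
    *len = (size_t)(end - *start);
    return 0;
}

/* Hypothetical helper for the scheme described as the "new method": keep
   user, role and range of the current context, take only the type from the
   policy default. Returns 0, or -1 on malformed input or a short buffer. */
int merge_type(const char *current, const char *policy_default,
               char *out, size_t outsz)
{
    const char *ct, *dt;
    size_t cl, dl;
    if (type_field(current, &ct, &cl) < 0 ||
        type_field(policy_default, &dt, &dl) < 0)
        return -1;
    int n = snprintf(out, outsz, "%.*s%.*s%s",
                     (int)(ct - current), current, (int)dl, dt, ct + cl);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Context strings taken from the message above. */
    const char *created = "staff_u:object_r:etc_t:s0:c1,c2";
    const char *policy  = "system_u:object_r:resolv_conf_t:s0";
    char merged[256];
    if (merge_type(created, policy, merged, sizeof merged) < 0)
        return 1;
    printf("whole-context replace: %s\n", policy);
    printf("type-only merge:       %s\n", merged);
    return 0;
}
```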


