Discussion:
[PATCH] libselinux: log no default label warning in verbose mode
Christian Göttsche via Selinux
2017-09-11 10:41:41 UTC
Since 1cd972f restorecon does not print a warning in recurse mode for child files without a default label.
Change it back in verbose mode:

$ touch /run/test.pid
$ restorecon -R /run
$ restorecon -v -R /run
Warning no default label for /run/test.pid

Signed-off-by: Christian Göttsche <***@googlemail.com>
---
libselinux/src/selinux_restorecon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index ced41152..6d0eabe0 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -614,7 +614,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
sb->st_mode);

if (rc < 0) {
- if (errno == ENOENT && flags->warnonnomatch)
+ if (errno == ENOENT && (flags->verbose || flags->warnonnomatch))
selinux_log(SELINUX_INFO,
"Warning no default label for %s\n",
lookup_path);
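Review bot: the new condition `errno == ENOENT && (flags->verbose || flags->warnonnomatch)` prints the warning in verbose mode for every path whose lookup fails with ENOENT, so a verbose recursive run emits one line per child file without a default label. If `warnonnomatch` exists to limit this message to specific cases, OR-ing it with `verbose` bypasses that limit. Consider a dedicated opt-in flag instead of overloading `verbose`, and state in the commit message why the behaviour introduced by 1cd972f should not apply in verbose mode.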
--
2.14.1
Stephen Smalley
2017-09-12 16:04:21 UTC
On Sep 11, 2017 3:45 AM, "Christian Göttsche via Selinux" <***@tycho.nsa.gov> wrote:

Since 1cd972f restorecon does not print a warning in recurse mode for child
files without a default label.
Change it back in verbose mode:

$ touch /run/test.pid
$ restorecon -R /run
$ restorecon -v -R /run
Warning no default label for /run/test.pid


This seems to revert what was an intentional change to avoid noise in
fixfiles check output. See the mailing list discussions that preceded and
followed the patch.


Signed-off-by: Christian Göttsche <***@googlemail.com>
---
libselinux/src/selinux_restorecon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_
restorecon.c
index ced41152..6d0eabe0 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -614,7 +614,7 @@ static int restorecon_sb(const char *pathname, const
struct stat *sb,
sb->st_mode);

if (rc < 0) {
- if (errno == ENOENT && flags->warnonnomatch)
+ if (errno == ENOENT && (flags->verbose ||
flags->warnonnomatch))
selinux_log(SELINUX_INFO,
"Warning no default label for %s\n",
lookup_path);
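Review bot: the diffstat lists only libselinux/src/selinux_restorecon.c, so the change in what `flags->verbose` triggers is not documented anywhere in this patch. If verbose mode is to start emitting "Warning no default label" lines, the documentation of the verbose flag should say so in the same patch, because consumers of verbose output, such as the fixfiles check output mentioned in this reply, will see the additional lines.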
--
2.14.1
Christian Göttsche
2017-09-12 19:49:46 UTC
Post by Stephen Smalley
This seems to revert what was an intentional change to avoid noise in
fixfiles check output. See the mailing list discussions that preceded and
followed the patch.

In my opinion, it's a helpful noise, which is triggered by an intended
file context `<<none>>`.
Is there any hack to get the old behavior back other than
`find /run -exec restorecon -n {} \;`?
Stephen Smalley
2017-09-12 22:09:33 UTC
Post by Stephen Smalley
This seems to revert what was an intentional change to avoid noise in
fixfiles check output. See the mailing list discussions that preceded and
followed the patch.

In my opinion, it's a helpful noise, which is triggered by an intended
file context `<<none>>`.
Is there any hack to get the old behavior back other than
`find /run -exec restorecon -n {} \;`?


Why is that helpful/useful? It seems counterintuitive to warn the user that
you didn't label a file that was explicitly configured to not be labeled.
The only case where it makes sense is if the user explicitly requested to
label that particular file.
