On 10/08/2012 09:24 PM, Daniel J Walsh wrote:
One of, if not the most, common problems people hit with SELinux is the mv
command, which maintains the file context of the source destination.

    mv /home/dwalsh/index.html /var/www/html/

This blows up on everybody and then the users have no idea why.
I was thinking about adding -Z (--restorecon) to mv and having it basically do an
internal restorecon on the destination.
Then we could suggest people who get burnt by this to:

    alias mv="mv -Z"

In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling the
regex, so there should be very little slow down in doing this.
A question on performance.
So there was a large matchpathcon() performance issue in Fedora 11 time,
where we had a 20x slow down if matchpathcon_init_prefix() wasn't called
https://bugzilla.redhat.com/show_bug.cgi?id=479502#c24
Does calling matchpathcon_init_prefix() still provide benefit on Fedora 18?
More importantly, since the new selinux::restorecon_private() doesn't
call matchpathcon_init_prefix(), will it have the large performance
issues on Fedora <= 17 and other SELinux supporting platforms?
Not a huge issue since install(1) enables setdefaultfilecon() by default,
whereas the new proposal would only enable when -Z is specified.
That's an inconsistency in the patch in this thread actually.
install -Z runs the new restorecon(), while also running the old
setdefaultfilecon(). Seems like we may need to drop the new install -Z
code for now, and possibly in future merge restorecon() and setdefaultfilecon()
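
A shell sketch of the user-visible behaviour the proposed mv -Z is meant to give, added here as an illustration; it is not code from the coreutils patch discussed in this thread. The function name mv_z is hypothetical, and it relies on the existing restorecon(8) utility rather than an in-process matchpathcon() lookup.

```shell
# mv_z SOURCE... DEST
# Move, then reset the SELinux context of whatever landed at the
# destination to the policy default for its new path.
mv_z() {
    if [ "$#" -lt 2 ]; then
        echo "usage: mv_z SOURCE... DEST" >&2
        return 2
    fi

    # The last argument is the destination (portable way to fetch it).
    for mvz_dest in "$@"; do :; done

    # Decide before moving: "move into existing directory" or "rename".
    if [ -d "$mvz_dest" ]; then mvz_into_dir=1; else mvz_into_dir=0; fi

    mv -- "$@" || return $?

    mvz_rc=0
    if [ "$mvz_into_dir" -eq 1 ]; then
        # Relabel only the entries that were moved, not the whole
        # destination directory, so unrelated labels are left alone.
        mvz_left=$(( $# - 1 ))
        for mvz_src in "$@"; do
            [ "$mvz_left" -gt 0 ] || break
            mvz_left=$(( mvz_left - 1 ))
            mvz_new="${mvz_dest%/}/$(basename -- "$mvz_src")"
            restorecon -R -- "$mvz_new" || mvz_rc=$?
        done
    else
        # Plain rename: the destination path is the moved object itself.
        restorecon -R -- "$mvz_dest" || mvz_rc=$?
    fi
    return "$mvz_rc"
}
```

Comparing `ls -Z` on the destination after a plain mv and after mv_z shows the difference: the first keeps the label the file had under the source path, the second carries the label policy assigns to the new path.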