On 10/29/2012 09:42 AM, Richard W.M. Jones wrote:
> On Mon, Oct 29, 2012 at 09:29:16AM -0400, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On 10/28/2012 04:45 AM, Richard W.M. Jones wrote:
>>> On Fri, Oct 26, 2012 at 09:47:40AM +0800, Wanlong Gao wrote:
>>>> So, Rich, we have some problems here?
>>>
>>> Yeah, I don't see a way to use the restorecon API safely.
>>>
>>> Rich.
>>>
>> Why is that? selabel_file, with setfilecon() or setfscreatecon() should
>> be able to do what you want?
>
> I mean the API as proposed in the patch, where it just runs "restorecon"
> from the host on the guest. There may be other ways to do it, but none of
> them seem simpler than the way we currently do it (touching /.autorelabel
> in the guest).
>
> Rich.

Yes, as has been stated, restorecon will probably not work because it will
either get the wrong labels from the host or think that SELinux is disabled
and do nothing.

    /usr/sbin/setfiles PATHTOFILECONTE PATHTORESTORE

Would work on a machine even if it thought SELinux was disabled, and you could
specify the path.

Or you could use the C API.

Or you could just trigger a reboot when the system starts up by executing

    touch /.autorelabel
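
The setfiles approach and the /.autorelabel fallback from the reply above, as an added shell example (not code from this thread or from the patch under discussion). It assumes the guest filesystem is mounted on the host at a directory given as the first argument; the function names and the DRY_RUN variable are hypothetical.

```shell
#!/bin/sh
# Added example: label a mounted guest tree from the guest's own policy,
# never from the host's. Function names and DRY_RUN are assumptions.

# Print the SELINUXTYPE set in the guest's /etc/selinux/config (e.g. "targeted").
guest_selinux_type() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' \
        "$1/etc/selinux/config" 2>/dev/null | head -n 1
}

# Print the path of the guest's file_contexts spec file; fail if it is missing.
guest_file_contexts() {
    groot=$1
    ptype=$(guest_selinux_type "$groot")
    [ -n "$ptype" ] || return 1
    spec="$groot/etc/selinux/$ptype/contexts/files/file_contexts"
    [ -f "$spec" ] || return 1
    printf '%s\n' "$spec"
}

# Relabel with setfiles when the guest ships a spec file; otherwise leave
# /.autorelabel so the guest relabels itself on its next boot.
# DRY_RUN=1 prints the command instead of running it.
relabel_guest() {
    root=${1%/}
    if spec=$(guest_file_contexts "$root"); then
        # -r strips the mount prefix so paths match the guest's spec entries.
        set -- setfiles -r "$root" "$spec" "$root/"
    else
        set -- touch "$root/.autorelabel"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}
```

Run `DRY_RUN=1 relabel_guest /path/to/mounted/guest` first to see which of the two actions would be taken.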