On Tuesday 27 May 2014 14:25:08 Richard W.M. Jones wrote:
> So I think an API which looks like this ...
>
>   required params:
>
>     None
>
>   optional params:
>
>     path =>
>       Either a directory to be relabelled recursively, or a single
>       file (defaults to "/").
>
>     root =>
>       Inspection root of guest. Optional, only makes sense when
>       'contexts' param is *omitted*.
>
>     contexts =>
>       The `file_contexts' file. Defaults to
>       /etc/selinux/$selinux_type/contexts/files/file_contexts
>
>       OSTree would probably want to pass:
>       /ostree/deploy/$osname/deploy/$checksum/etc/selinux/targeted/contexts/files/file_contexts
>
> Inspection could be updated to parse /etc/selinux/config in order to
> get the default SELinux policy and pass it back through an API such as
> `inspect-get-selinux-type'.
>
> If 'contexts' is omitted, 'root' must be supplied, and it causes an
> internal call to guestfs_inspect_get_selinux_type (g, root) in order
> to get the default policy.

Note that not specifying a root could lead to issues, as the file
contexts are relative to a root. So if I say to relabel the path
/guestmountpoint/etc/myconfig according to some /path/of/file_contexts
without specifying what is the root, how should setfiles know that path
is /etc/myconfig mounted at /guestmountpoint?

At this point I'm thinking the best option would be making the root a
normal (mandatory) argument, leaving path and contexts as optional (with
the former being "/" as default value, and the latter as "find it from
the root").

In the situation above, path would become a relative path to the
specified root (so if I mount a guest into /guest and I want to relabel
it only under /etc, I would pass root=/guest and path=/etc).

--
Pino Toscano
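
Added example, not part of the original message or of libguestfs: a sketch of the argument resolution proposed above (root mandatory, path taken relative to it, contexts located under the root when omitted). The function names, the constructed sample config and the setfiles -r command line it builds are assumptions for illustration.

```python
import posixpath
import re

# Constructed sample of a guest's /etc/selinux/config (not from the thread).
SAMPLE_CONFIG = """\
# SELINUXTYPE= can take one of these values: targeted, minimum, mls
SELINUX=enforcing
SELINUXTYPE=targeted
"""

def selinux_type(config_text):
    """Return the SELINUXTYPE value from /etc/selinux/config text, or None."""
    for line in config_text.splitlines():
        m = re.match(r"\s*SELINUXTYPE\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None

def under_root(root, guest_path):
    """Map an in-guest path to its location below root (lexical, no symlinks)."""
    # Normalising against "/" first means ".." cannot climb above root.
    guest_path = posixpath.normpath("/" + guest_path.lstrip("/"))
    return (root.rstrip("/") + guest_path).rstrip("/") or "/"

def plan_relabel(root, path="/", contexts=None, config_text=""):
    """Hypothetical resolver: root mandatory, path relative to root,
    contexts found under root when omitted."""
    if contexts is None:
        policy = selinux_type(config_text)
        if policy is None:
            raise ValueError("no SELINUXTYPE found; pass contexts explicitly")
        contexts = under_root(
            root, f"/etc/selinux/{policy}/contexts/files/file_contexts")
    # The path file_contexts patterns are matched against is the in-guest one.
    lookup = under_root("/", path)
    target = under_root(root, path)
    return {
        "lookup": lookup,
        "target": target,
        "contexts": contexts,
        # Assumption: the relabel is done by setfiles, whose -r option
        # strips the given root from each pathname before matching.
        "argv": ["setfiles", "-r", root, contexts, target],
    }
```

With root="/" and path="/guestmountpoint/etc/myconfig" the lookup path keeps the mount point prefix, which is the mismatch described above; with root="/guestmountpoint" and path="/etc/myconfig" it becomes /etc/myconfig.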