| Summary: | restorecon -n is not documented well: It does not report mis-labeled files unless -v is specified | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dale R. Worley <worley> |
| Component: | policycoreutils | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-09-23 19:44:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Note: /common/home in the above listings should be changed to /home to illustrate how the scenario would execute in a normal filesystem layout. I will fix this in F20 and future versions. |
Description of problem: "restorecon -n" does not display the names of the files whose labels would be changed by "restorecon". To get that information, you need to specify "-v" as well. But the manual page leaves the impression that -v is not necessary. Version-Release number of selected component (if applicable): policycoreutils-2.1.14-46.4.fc19.x86_64 How reproducible: reproducible Steps to Reproduce: 1. chcon unconfined_u:object_r:default_t:s0 /common/home/worley/.config/user-dirs.dirs 2. ls -Z /common/home/worley/.config/user-dirs.dirs -rw-------. worley worley unconfined_u:object_r:default_t:s0 /common/home/worley/.config/user-dirs.dirs 3. restorecon -n /common/home/worley/.config/user-dirs.dirs 4. ls -Z /common/home/worley/.config/user-dirs.dirs -rw-------. worley worley unconfined_u:object_r:default_t:s0 /common/home/worley/.config/user-dirs.dirs 5. restorecon -nv /common/home/worley/.config/user-dirs.dirs restorecon reset /common/home/worley/.config/user-dirs.dirs context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:config_home_t:s0 6. ls -Z /common/home/worley/.config/user-dirs.dirs -rw-------. worley worley unconfined_u:object_r:default_t:s0 /common/home/worley/.config/user-dirs.dirs 7. restorecon /common/home/worley/.config/user-dirs.dirs 8. ls -Z /common/home/worley/.config/user-dirs.dirs -rw-------. worley worley unconfined_u:object_r:config_home_t:s0 /common/home/worley/.config/user-dirs.dirs Actual results: The "-n" simply stops restorecon from changing the labels. To list the label changes that are "needed", "-nv" must be used. Expected results: I expected that "restorecon -n" will list the label changes that are "needed" instead of changing the labels. Additional info: restorecon normally re-labels files according to the specifications in /etc/selinux/<policy>/contexts. The -n option is documented as: -n don't change any file labels (passive check). Because of the phrase "passive check", this naive user assumed that "restorecon -n" would output a list of files whose labels would be changed by "restorecon" (in much the same way that "make -n" tells what "make" would do, but does not do it). It turns out that -n only suppresses changing labels, but does not cause anything to be printed in its place. (Perhaps any errors that are encountered will be printed.) For the effect that I wanted/expected, one must specify "restorecon -nv". I suspect that it would be unadvisable at this late date to change the behavior of "restorecon -n" to what I expect. Instead, it would help a great deal if the documentation of the -n option was enlarged to: -n don't change any file labels (passive check). To display the files whose labels would be changed, add -v.