Bug 1084471

Ah, sorry, my fault... this looks like not a bug (sorry for confusion).
As written in NEWS, -Z by default doesn't accept any argument. Therefore your command tries to make a special device system_u:object_r:random_device_t:s0 ... you have to use --context option for setting the context, with short one, the default context will get set.

This is stated in NEWS as change in behaviour in 8.22:
"cp, install, mkdir, mknod, mkfifo and mv now support "restorecon"
functionality through the -Z option, to set the SELinux context
appropriate for the new item location in the file system."

Although
"id and ls with -Z report the SMACK security context where available.
mkdir, mkfifo and mknod with -Z set the SMACK context where available."

is probably a bit confusing as --context has to be used for setting the context (otherwise optarg is NULL for the short version).

  cp, install, mkdir, mknod and mkfifo no longer accept an argument to the
  short -Z option.  The --context equivalent still takes an optional argument.

is the most important NEWS entry I forgot to add in the previous comment.

Squares are likely quotes in the encoding your terminal is not able to display. I expect you were connected via ssh to different machine and locales there were not supported by your machine (this is just to comment on the squares) - still not a bug in coreutils.

Hi Ondrej,

Thanks for your analysis so far.

Can you please share the exact command i should run to overcome such error? as i am still not sure how to execute the correct syntax. if i execute in below format then it will execute successfully but it will take default context and i would like to set it to "system_u:object_r:random_device_t:s0" context.

#mknod -m 666 --context /dev/random2 c 1 9

Regarding comments on squares, i installed the RHEL7 snapshot 11 and logged in as a root on VM console (not from remote server ssh) and executed that command. 

Regards,
manish

Hi Manish,
command
mknod -m 666 --context=system_u:object_r:random_device_t:s0 /dev/random2 c 1 9
should work...

As to squares, try to run `locale` command in the console. Using LC_ALL=C as the envvar in the script should help to get rid off the squares. Squares can show up when the utf-8 character is not supported in the terminal encoding, but with C locales you basically force ASCII to be used instead of UTF-8 chars.

Hi Ondrej,

Yes, it works !! 

As per man page below is the command to update the context but it is not clear from below command security context is not require in case when execute it with -Z so i think it needs to be update.
Should we file a documentation bug to modify this for change in behaviour on RHEL7 snapshot 11? please confirm.

"man mknod"
 -Z, --context=CTX
              set the SELinux security context of NAME to CTX



As if i execute this command with -Z and with --context then still it works-

#mknod -m 666 -Z --context=system_u:object_r:random_device_t:s0 /dev/random2 c 1 9


Regards,
Manish Saxena
GSS, Red Hat Inc.

Using both -Z (restore default one) and --context (set different one) doesn't make much sense. Yes, I agree this is a bit confusing -
as in the case of
-m, --mode=MODE , -m requires the MODE parameter,
but in the case of 
-Z, --context[=CTX] , -Z requires no argument... actually, I would suggest to split this to two lines in all utilities using this behaviour.

Documentation bug will not help, I'll ask upstream about their opinion (if the split to two lines is acceptable or not) and if accepted, we can reopen this bugzilla and use it for tracking the manpage and help output change.

Upstream seems to agree with this docs change - although it is quite common practice to have optional arguments only for long options. 
Upstream report - http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17220 ... reopening and changing summary.

Hi Manish. Can you confirm that on the latest RHEL 7 that the  `man mknod` output in comment 9 is accurate.

You say it is:
  -Z, --context=CTX
               set the SELinux security context of NAME to CTX

While I would expect it to be:
  -Z, --context[=CTX]
         set the SELinux security context of NAME to default type, or set
         the SELinux or SMACK security context to CTX if specified

In any case we'll clarify this further upstream.

On RHEL 7.0 Beta (Maipo) & uname -r ( 3.10.0-54.0.1.el7.x86_64 ) it is below -
------------------------------------------------------------------

-Z, --context=CTX
               set the SELinux security context of NAME to CTX

Whereas on RHEL 7 Snapshot 11 & uname -r ( 3.10.0-113.el7.x86_64 ) it is below -
-------------------------------------------------------------------

  -Z, --context[=CTX]
         set the SELinux security context of NAME to default type, or to CTX if specified


I believe it would be better if split it in two lines as below -
-----------------------------------------------
 -Z   set the SELinux security context of NAME to default type

 --context[=CTX]   set the SELinux or SMACK security context to CTX if specified


Thanks.
manish

Thanks Manish. Improved text is now merged upstream:

http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=30acfcab

Thanks Padraig.

*** Bug 1100375 has been marked as a duplicate of this bug. ***

Making public, as it contain any sensitive information and there was public duplicate.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2160.html