1084471 – Clarify documentation for -Z/--context options

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1084471 - Clarify documentation for -Z/--context options

Summary: Clarify documentation for -Z/--context options

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	coreutils
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Ondrej Vasik
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1100375 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-04-04 12:35 UTC by Manish Saxena
Modified:	2018-12-05 18:01 UTC (History)
CC List:	5 users (show)
Fixed In Version:	coreutils-8.22-13.el7
Doc Type:	Bug Fix
Doc Text:	The "-Z" option accepted by the cp, install, mkdir, mkfifo, and mknod utilities no longer requires an argument and instead restores the default SELinux context in Red Hat Enterprise Linux 7. However, the "--context" option, which is the long format version of "-Z", optionally accepts an argument. The differences in behavior of the two options sometimes confused users. The man pages documenting "-Z" and "--context" have been modified to describe the options separately and clarify their behavior.
Clone Of:
Environment:
Last Closed:	2015-11-19 12:44:18 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:2160	0	normal	SHIPPED_LIVE	coreutils bug fix and enhancement update	2015-11-19 11:10:56 UTC

Comment 4 Ondrej Vasik 2014-04-05 20:13:14 UTC

Ah, sorry, my fault... this looks like not a bug (sorry for confusion).
As written in NEWS, -Z by default doesn't accept any argument. Therefore your command tries to make a special device system_u:object_r:random_device_t:s0 ... you have to use --context option for setting the context, with short one, the default context will get set.

This is stated in NEWS as change in behaviour in 8.22:
"cp, install, mkdir, mknod, mkfifo and mv now support "restorecon"
functionality through the -Z option, to set the SELinux context
appropriate for the new item location in the file system."

Although
"id and ls with -Z report the SMACK security context where available.
mkdir, mkfifo and mknod with -Z set the SMACK context where available."

is probably a bit confusing as --context has to be used for setting the context (otherwise optarg is NULL for the short version).

Comment 5 Ondrej Vasik 2014-04-05 20:14:53 UTC

  cp, install, mkdir, mknod and mkfifo no longer accept an argument to the
  short -Z option.  The --context equivalent still takes an optional argument.

is the most important NEWS entry I forgot to add in the previous comment.

Comment 6 Ondrej Vasik 2014-04-06 06:13:33 UTC

Squares are likely quotes in the encoding your terminal is not able to display. I expect you were connected via ssh to different machine and locales there were not supported by your machine (this is just to comment on the squares) - still not a bug in coreutils.

Comment 7 Manish Saxena 2014-04-07 11:50:50 UTC

Hi Ondrej,

Thanks for your analysis so far.

Can you please share the exact command i should run to overcome such error? as i am still not sure how to execute the correct syntax. if i execute in below format then it will execute successfully but it will take default context and i would like to set it to "system_u:object_r:random_device_t:s0" context.

#mknod -m 666 --context /dev/random2 c 1 9

Regarding comments on squares, i installed the RHEL7 snapshot 11 and logged in as a root on VM console (not from remote server ssh) and executed that command. 

Regards,
manish

Comment 8 Ondrej Vasik 2014-04-07 12:44:13 UTC

Hi Manish,
command
mknod -m 666 --context=system_u:object_r:random_device_t:s0 /dev/random2 c 1 9
should work...

As to squares, try to run `locale` command in the console. Using LC_ALL=C as the envvar in the script should help to get rid off the squares. Squares can show up when the utf-8 character is not supported in the terminal encoding, but with C locales you basically force ASCII to be used instead of UTF-8 chars.

Comment 9 Manish Saxena 2014-04-08 12:54:46 UTC

Hi Ondrej,

Yes, it works !! 

As per man page below is the command to update the context but it is not clear from below command security context is not require in case when execute it with -Z so i think it needs to be update.
Should we file a documentation bug to modify this for change in behaviour on RHEL7 snapshot 11? please confirm.

"man mknod"
 -Z, --context=CTX
              set the SELinux security context of NAME to CTX



As if i execute this command with -Z and with --context then still it works-

#mknod -m 666 -Z --context=system_u:object_r:random_device_t:s0 /dev/random2 c 1 9


Regards,
Manish Saxena
GSS, Red Hat Inc.

Comment 10 Ondrej Vasik 2014-04-08 13:40:41 UTC

Using both -Z (restore default one) and --context (set different one) doesn't make much sense. Yes, I agree this is a bit confusing -
as in the case of
-m, --mode=MODE , -m requires the MODE parameter,
but in the case of 
-Z, --context[=CTX] , -Z requires no argument... actually, I would suggest to split this to two lines in all utilities using this behaviour.

Documentation bug will not help, I'll ask upstream about their opinion (if the split to two lines is acceptable or not) and if accepted, we can reopen this bugzilla and use it for tracking the manpage and help output change.

Comment 11 Ondrej Vasik 2014-04-08 15:41:03 UTC

Upstream seems to agree with this docs change - although it is quite common practice to have optional arguments only for long options. 
Upstream report - http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17220 ... reopening and changing summary.

Comment 12 Pádraig Brady 2014-04-09 10:36:23 UTC

Hi Manish. Can you confirm that on the latest RHEL 7 that the  `man mknod` output in comment 9 is accurate.

You say it is:
  -Z, --context=CTX
               set the SELinux security context of NAME to CTX

While I would expect it to be:
  -Z, --context[=CTX]
         set the SELinux security context of NAME to default type, or set
         the SELinux or SMACK security context to CTX if specified

In any case we'll clarify this further upstream.

Comment 13 Manish Saxena 2014-04-10 11:42:31 UTC

On RHEL 7.0 Beta (Maipo) & uname -r ( 3.10.0-54.0.1.el7.x86_64 ) it is below -
------------------------------------------------------------------

-Z, --context=CTX
               set the SELinux security context of NAME to CTX

Whereas on RHEL 7 Snapshot 11 & uname -r ( 3.10.0-113.el7.x86_64 ) it is below -
-------------------------------------------------------------------

  -Z, --context[=CTX]
         set the SELinux security context of NAME to default type, or to CTX if specified


I believe it would be better if split it in two lines as below -
-----------------------------------------------
 -Z   set the SELinux security context of NAME to default type

 --context[=CTX]   set the SELinux or SMACK security context to CTX if specified


Thanks.
manish

Comment 14 Pádraig Brady 2014-04-11 13:39:54 UTC

Thanks Manish. Improved text is now merged upstream:

http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=30acfcab

Comment 15 Manish Saxena 2014-04-14 05:00:49 UTC

Thanks Padraig.

Comment 16 Ondrej Vasik 2014-05-23 04:54:47 UTC

*** Bug 1100375 has been marked as a duplicate of this bug. ***

Comment 17 Ondrej Vasik 2014-05-23 05:01:34 UTC

Making public, as it contain any sensitive information and there was public duplicate.

Comment 24 errata-xmlrpc 2015-11-19 12:44:18 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2160.html

Note You need to log in before you can comment on or make changes to this bug.