[PATCH] libselinux: log no default label warning in verbose mode

[PATCH] libselinux: log no default label warning in verbose mode

[Christian Göttsche]

Since 1cd972f restorecon does not print a warning in recurse mode for child files without a default label.
Change it back in verbose mode:

$ touch /run/test.pid
$ restorecon -R /run
$ restorecon -v -R /run
Warning no default label for /run/test.pid

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libselinux/src/selinux_restorecon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index ced41152..6d0eabe0 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -614,7 +614,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
 						    sb->st_mode);
 
 	if (rc < 0) {
-		if (errno == ENOENT && flags->warnonnomatch)
+		if (errno == ENOENT && (flags->verbose || flags->warnonnomatch))
 			selinux_log(SELINUX_INFO,
 				    "Warning no default label for %s\n",
 				    lookup_path);
-- 
2.14.1

Re: [PATCH] libselinux: log no default label warning in verbose mode

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 1415 bytes --]

On Sep 11, 2017 3:45 AM, "Christian Göttsche via Selinux" <
selinux@tycho.nsa.gov> wrote:

Since 1cd972f restorecon does not print a warning in recurse mode for child
files without a default label.
Change it back in verbose mode:

$ touch /run/test.pid
$ restorecon -R /run
$ restorecon -v -R /run
Warning no default label for /run/test.pid


This seems to revert what was an intentional change to avoid noise in
fixfiles check output. See the mailing list discussions that preceded and
followed the patch.


Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libselinux/src/selinux_restorecon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_
restorecon.c
index ced41152..6d0eabe0 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -614,7 +614,7 @@ static int restorecon_sb(const char *pathname, const
struct stat *sb,
                                                    sb->st_mode);

        if (rc < 0) {
-               if (errno == ENOENT && flags->warnonnomatch)
+               if (errno == ENOENT && (flags->verbose ||
flags->warnonnomatch))
                        selinux_log(SELINUX_INFO,
                                    "Warning no default label for %s\n",
                                    lookup_path);
--
2.14.1

[-- Attachment #2: Type: text/html, Size: 2326 bytes --]

Re: [PATCH] libselinux: log no default label warning in verbose mode

[Christian Göttsche]

> This seems to revert what was an intentional change to avoid noise in
> fixfiles check output. See the mailing list discussions that preceded and
> followed the patch.


In my opinion, it's a helpful noise, which is triggered by an intended
file context `<<none>>`.
Is there any hack to get the old behavior back other than `find /run
-exec restorecon -n {} \;`?

Re: [PATCH] libselinux: log no default label warning in verbose mode

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 718 bytes --]

On Sep 12, 2017 12:49 PM, "Christian Göttsche" <cgzones@googlemail.com>
wrote:

> This seems to revert what was an intentional change to avoid noise in
> fixfiles check output. See the mailing list discussions that preceded and
> followed the patch.


In my opinion, it's a helpful noise, which is triggered by an intended
file context `<<none>>`.
Is there any hack to get the old behavior back other than `find /run
-exec restorecon -n {} \;`?


Why is that helpful/useful? It seems counterintuitive to warn the user that
you didn't label a file that was explicitly configured to not be labeled.
The only case where it makes sense is if the user explicitly requested to
label that particular file.

[-- Attachment #2: Type: text/html, Size: 1137 bytes --]