* improvement of setfiles man page
@ 2021-05-06 5:40 clime
From: clime @ 2021-05-06 5:40 UTC (permalink / raw)
To: selinux
Hello,
isn't it a bit strange that when I invoke
setfiles -F /etc/selinux/targeted/contexts/files/file_contexts /
it apparently also reads other files from
/etc/selinux/targeted/contexts/files/ like file_contexts.homedirs or
file_contexts.subs. I mean I am lucky it does, but it doesn't seem
to be described in the man pages. Could the documentation be improved in
this respect? I.e. state that it can also read other spec files than
just the one specified? (in some friendly form)

What I care about is the differences between that command and restorecon,
i.e. I think that in the man page some info might be missing. There is this
thing regarding reading the spec files, and then also here:
https://github.com/SELinuxProject/selinux/blob/master/policycoreutils/setfiles/setfiles.c#L174,
some more differences are mentioned. Recursive descent is already
mentioned in the man page but stuff like "Does not follow mounts"
isn't.

Could anyone, please, tweak the man page to point out those differences?

I am also attaching my conversation with grift on the freenode #selinux
channel about this to provide more context. I was supposed to send a
patch for the man pages on this but I don't really feel like I can
provide correct formulations of this.
Thank you
clime (Michal Novotny)
The conversation:
2020-02-14 22:06:42 clime hi, isn't it a bit strange that when i
invoke setfiles -F /etc/selinux/targeted/contexts/files/file_contexts
/, it apparently also reads other files from
/etc/selinux/targeted/contexts/files/ like file_contexts.homedirs or
file_contexts.subs. I mean i am lucky it does but it doesn't seem
to be described in man pages. What i care about is compatibility of
that command with restorecon
2020-02-14 22:07:57 grift what you mean compatibility? restorecon is
a symlink to setfiles
2020-02-14 22:09:46 clime grift: i mean that the command produces
the same labelling in the end as restorecon -R / would.
2020-02-14 22:23:12 grift yes i guess it could be documented better
2020-02-14 22:26:21 grift the differences are documented in the source itself
2020-02-14 22:26:34 grift https://github.com/SELinuxProject/selinux/blob/master/policycoreutils/setfiles/setfiles.c#L192
2020-02-14 22:27:26 grift so i guess it could be considered to add a
summary of the differences between setfiles being invoked as setfiles
and as restorecon
2020-02-14 22:27:55 clime yes, that would be great
2020-02-14 22:28:22 clime should i file a bug somewhere?
2020-02-14 22:28:49 grift can't you just send a patch to the selinux mailing list
2020-02-14 22:29:11 grift i mean you could just copy and paste the
comments almost
2020-02-14 22:30:12 grift recursive descent by default vs. no
recursive descent by default
2020-02-14 22:30:49 grift does not expand paths via realpath vs.
expands path via realpath
2020-02-14 22:31:00 grift .... etc
2020-02-14 22:31:15 grift 6 main differences
2020-02-14 22:31:25 clime ok
2020-02-14 22:33:08 clime i am still confused about how setfiles
really processes that spec_file argument (e.g.)
/etc/selinux/targeted/contexts/files/file_contexts i would expect it's
the only file it reads but no it reads also other associated files
2020-02-14 22:34:04 clime and how restorecon (setfiles invoked under
that handle) is different in respect to that....
2020-02-14 22:35:01 grift well it might not be different except for
the fact that restorecon does lazy init of file contexts?
2020-02-14 22:37:19 grift dunno
2020-02-14 22:41:22 grift probably this is used but i am not sure:
https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/label.c
2020-02-14 22:41:47 grift https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/label_file.c
2020-02-14 22:42:32 clime https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/label_file.c
... just found it too
2020-02-14 22:42:36 clime you were faster
2020-02-14 22:42:53 grift i think they probably both use the same code
2020-02-14 22:43:58 clime yes
2020-02-14 22:45:08 clime e.g. this is why .subs_dist gets processed
https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/label_file.c#L746
2020-02-14 22:45:39 clime anyway, i will post the patch to the
selinux mailing list, probably will need some tweaks but i may try
2020-02-14 22:46:52 grift basically all stuff in
/etc/selinux/TYPE/contexts/files is used if it exists
2020-02-14 22:47:05 grift but if you specify a custom spec then that is used
2020-02-14 22:48:00 clime yes that spec together with all the other
files around with recognized extensions
2020-02-14 22:48:31 grift i see
2020-02-14 22:53:28 grift you could also add a practical example
because setfiles is usually used in specific scenarios
2020-02-14 22:55:27 grift this is a typical scenario for why you
would use setfiles:
2020-02-14 22:55:32 grift /usr/sbin/setfiles -F -r /mnt/example \
2020-02-14 22:55:32 grift /etc/selinux/dssp2-standard/contexts/files/file_contexts \
2020-02-14 22:55:32 grift /mnt/example/
2020-02-14 22:56:42 grift basically to label images, pretty niche
2020-02-14 22:57:01 grift and stuff like fixfiles abstracts it probably
2020-02-14 23:09:53 clime yes, this is basically what i am trying to
do with setfiles
2020-02-14 23:12:26 clime except it works better for me if i do
chroot /mnt/example first. That way setfiles doesn't complain about
unknown labels. Didn't yet find out why exactly
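The behaviour the message and the conversation above circle around, the spec file given on the command line being combined with its companion files (.local, .homedirs, .subs_dist/.subs) and the -r alternate root being stripped before matching, is modelled below in an added Python example. It is not code from the post, from setfiles or from libselinux: the companion order, the "src dst" prefix substitution and the later-entry-wins precedence are simplified assumptions of this model, and all spec files are constructed samples written to a temporary directory.

```python
import os
import re
import tempfile

# Constructed sample spec files (not a real policy). They mimic the layout of
# /etc/selinux/<type>/contexts/files/: a main file_contexts plus companions.
SAMPLE_FILES = {
    "file_contexts": (
        "/.*                  system_u:object_r:default_t:s0\n"
        "/etc(/.*)?           system_u:object_r:etc_t:s0\n"
        "/etc/shadow.*   --   system_u:object_r:shadow_t:s0\n"
        "/tmp/.*              <<none>>\n"
    ),
    "file_contexts.local": "/srv/app(/.*)?       system_u:object_r:httpd_sys_content_t:s0\n",
    "file_contexts.homedirs": "/home/[^/]+(/.*)?    unconfined_u:object_r:user_home_t:s0\n",
    "file_contexts.subs_dist": (
        "# src dst: paths under src are rewritten to dst before matching\n"
        "/usr/local/share/app /srv/app\n"
    ),
}

# Companion spec files read alongside the main one. Assumed order for this
# model: main file, then .local, then .homedirs (libselinux's own order is
# not reproduced here).
COMPANIONS = ("local", "homedirs")
# Path substitution files consulted before any regex matching (assumption).
SUBS = ("subs_dist", "subs")


def write_sample_spec():
    """Write the constructed files into a temp dir; return the main spec path."""
    d = tempfile.mkdtemp(prefix="fc_demo_")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return os.path.join(d, "file_contexts")


def _lines(path):
    """Yield non-blank, non-comment lines of path; nothing if it is absent."""
    if not os.path.exists(path):
        return
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                yield line


def load_spec_set(spec_path):
    """Gather (substitutions, specs) from spec_path and its companion files."""
    subs = []
    for ext in SUBS:
        for line in _lines(f"{spec_path}.{ext}"):
            parts = line.split()
            if len(parts) == 2:
                subs.append((parts[0].rstrip("/"), parts[1].rstrip("/")))
    specs = []
    for p in [spec_path] + [f"{spec_path}.{ext}" for ext in COMPANIONS]:
        for line in _lines(p):
            parts = line.split()
            if len(parts) == 3:
                regex, ftype, ctx = parts
            elif len(parts) == 2:
                (regex, ctx), ftype = parts, None
            else:
                continue
            # Anchor to the whole path, as file_contexts regexes are.
            specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return subs, specs


def lookup(subs, specs, path, ftype="--", root=None):
    """Context the spec set assigns to path. "<<none>>" means leave it alone,
    None means no entry matched. root models setfiles -r: the alternate root
    prefix is stripped so /mnt/img/etc/x is matched as /etc/x."""
    if root:
        root = root.rstrip("/")
        if path == root or path.startswith(root + "/"):
            path = path[len(root):] or "/"
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            path = dst + path[len(src):]
            break
    # Later entries take precedence, so walk the combined list backwards.
    for regex, spec_type, ctx in reversed(specs):
        if spec_type and spec_type != ftype:
            continue
        if regex.match(path):
            return ctx
    return None


def resolve_examples():
    """Run a few lookups against the constructed spec set."""
    subs, specs = load_spec_set(write_sample_spec())
    return {
        "/etc/shadow": lookup(subs, specs, "/etc/shadow"),
        "/etc/shadow (dir)": lookup(subs, specs, "/etc/shadow", ftype="-d"),
        "/usr/local/share/app/index.html": lookup(subs, specs, "/usr/local/share/app/index.html"),
        "/home/alice/.bashrc": lookup(subs, specs, "/home/alice/.bashrc"),
        "/tmp/scratch": lookup(subs, specs, "/tmp/scratch"),
        "/mnt/img/etc/hosts (-r /mnt/img)": lookup(subs, specs, "/mnt/img/etc/hosts", root="/mnt/img"),
    }


if __name__ == "__main__":
    for path, ctx in resolve_examples().items():
        print(f"{path:40} -> {ctx}")
```

Running the script shows why passing only file_contexts on the command line still yields home-directory and local labels, and why the alternate root matters when labelling an image under /mnt: the entries from every companion file are merged before matching, and the path is matched as it will appear once the image is the running root.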