selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] setfiles: clarify documented path resolution behaviour
@ 2020-06-04 19:12 Jonathan Lebon
  2020-06-08 15:18 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Jonathan Lebon @ 2020-06-04 19:12 UTC (permalink / raw)
  To: selinux; +Cc: Jonathan Lebon

One thing that confused me when investigating
https://github.com/SELinuxProject/selinux/issues/248 (i.e.
https://github.com/coreos/fedora-coreos-tracker/issues/512) was that the
manual page for `setfiles` seemed to imply that paths were fully
resolved. This was consistent with the issues above where `setfiles` was
failing because the target of the symbolic link didn't exist.

But in fact, the wording around symbolic links in
`setfiles`/`restorecon` refers actually to whether the parent
directories are canonicalized via `realpath(3)` before labeling.

Clarify the man pages to explain this.
---
 policycoreutils/setfiles/restorecon.8 | 4 ++--
 policycoreutils/setfiles/setfiles.8   | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index bbfc83fe..06ec5a1d 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -159,8 +159,8 @@ The pathname for the file(s) to be relabeled.
 .SH "NOTES"
 .IP "1." 4
 .B restorecon
-does not follow symbolic links and by default it does not
-operate recursively on directories.
+by default does not operate recursively on directories. Parent directories
+are fully resolved before labeling.
 .IP "2." 4
 If the
 .I pathname
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 0188a75a..12f41967 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -214,7 +214,8 @@ option is used.
 .SH "NOTES"
 .IP "1." 4
 .B setfiles
-follows symbolic links and operates recursively on directories.
+operates recursively on directories. Parent directories are not fully
+resolved before labeling.
 .IP "2." 4
 If the
 .I pathname
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] setfiles: clarify documented path resolution behaviour
  2020-06-04 19:12 [PATCH] setfiles: clarify documented path resolution behaviour Jonathan Lebon
@ 2020-06-08 15:18 ` Stephen Smalley
  2020-06-18 18:25   ` Jonathan Lebon
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2020-06-08 15:18 UTC (permalink / raw)
  To: Jonathan Lebon; +Cc: SElinux list

On Thu, Jun 4, 2020 at 3:26 PM Jonathan Lebon <jlebon@redhat.com> wrote:
>
> One thing that confused me when investigating
> https://github.com/SELinuxProject/selinux/issues/248 (i.e.
> https://github.com/coreos/fedora-coreos-tracker/issues/512) was that the
> manual page for `setfiles` seemed to imply that paths were fully
> resolved. This was consistent with the issues above where `setfiles` was
> failing because the target of the symbolic link didn't exist.
>
> But in fact, the wording around symbolic links in
> `setfiles`/`restorecon` refers actually to whether the parent
> directories are canonicalized via `realpath(3)` before labeling.
>
> Clarify the man pages to explain this.

Missing Signed-off-by line.  Otherwise I guess it is an improvement
although I think it is still somewhat unclear.
Maybe we should explicitly say that they are canonicalized via
realpath(3) in the man page.

> ---
>  policycoreutils/setfiles/restorecon.8 | 4 ++--
>  policycoreutils/setfiles/setfiles.8   | 3 ++-
>  2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
> index bbfc83fe..06ec5a1d 100644
> --- a/policycoreutils/setfiles/restorecon.8
> +++ b/policycoreutils/setfiles/restorecon.8
> @@ -159,8 +159,8 @@ The pathname for the file(s) to be relabeled.
>  .SH "NOTES"
>  .IP "1." 4
>  .B restorecon
> -does not follow symbolic links and by default it does not
> -operate recursively on directories.
> +by default does not operate recursively on directories. Parent directories
> +are fully resolved before labeling.
>  .IP "2." 4
>  If the
>  .I pathname
> diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
> index 0188a75a..12f41967 100644
> --- a/policycoreutils/setfiles/setfiles.8
> +++ b/policycoreutils/setfiles/setfiles.8
> @@ -214,7 +214,8 @@ option is used.
>  .SH "NOTES"
>  .IP "1." 4
>  .B setfiles
> -follows symbolic links and operates recursively on directories.
> +operates recursively on directories. Parent directories are not fully
> +resolved before labeling.
>  .IP "2." 4
>  If the
>  .I pathname
> --
> 2.26.2
>

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] setfiles: clarify documented path resolution behaviour
  2020-06-08 15:18 ` Stephen Smalley
@ 2020-06-18 18:25   ` Jonathan Lebon
  0 siblings, 0 replies; 3+ messages in thread
From: Jonathan Lebon @ 2020-06-18 18:25 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SElinux list

On Mon, Jun 8, 2020 at 11:19 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> Missing Signed-off-by line.  Otherwise I guess it is an improvement
> although I think it is still somewhat unclear.
> Maybe we should explicitly say that they are canonicalized via
> realpath(3) in the man page.

Thanks, I spelled it out even more in v2.


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-06-18 18:26 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-04 19:12 [PATCH] setfiles: clarify documented path resolution behaviour Jonathan Lebon
2020-06-08 15:18 ` Stephen Smalley
2020-06-18 18:25   ` Jonathan Lebon

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).