10-07-2008, 09:34 PM
Christian Iseli

SELinux - copying ISO file content

On Tue, 07 Oct 2008 10:55:07 -0700, Jesse Keating wrote:
> Somebody else jumped on the thread and steered the conversation
> toward a virtualbox problem, which somewhat related to Jon's issue,
> it's not the same issue.

Right, mea culpa and sorry about that. I thought my problem had the
same root as the OP's problem, but it now appears I was wrong...

Cheers,
Christian

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
10-08-2008, 03:43 PM
Daniel J Walsh

David P. Quigley wrote:
> On Tue, 2008-10-07 at 09:42 -0400, Jon Masters wrote:
>> On Mon, 2008-10-06 at 15:17 -0500, Jerry Vonau wrote:
>>> Daniel J Walsh wrote:
>>>> Jon Masters wrote:
>>>>> On Fri, 2008-10-03 at 09:13 -0400, Daniel J Walsh wrote:
>>>>>
>>>>>>> $ mount -o loop Fedora-9-i386-DVD.iso /mnt
>>>>>>>
>>>>>>> And then one might legitimately expect to be able to copy the content
>>>>>>> of /mnt over to e.g. /somewhere/fedora/9/i386 for NFS installs. But
>>>>>>> suppose that one is running SELinux in enforcing mode, then this will
>>>>>>> fail because the contexts differ in this operation. Then, one will
>>>>>>> likely quickly become severely annoyed and frustrated with SELinux,
>>>>>>> simply setting it permissive for the duration of the operation...
>>> I've seen this...
>> Indeed. I have too, one too many times.
>>
>>> SELinux is preventing cp from creating a file with a context of
>>> iso9660_t on a
>>> filesystem.
>> Ah yes, I probably used the standard "cp -ax blah /blah" command. I
>> guess I'll need to learn not to use such standard commands in future and
>> adapt everything around SELinux. Because that's very non-obtrusive, and
>> won't cause regular users any anguish at all.
>>
>> Jon.
>>
>>
>
> I think the main question here is should archive try to retain the
> SELinux context. From what I've heard from people here, initially the
> idea was to try to preserve the context and if that failed fall back to
> labeling based on the parent. That doesn't seem to be what cp is trying
> to do. If we removed the retain the context part from the archive switch
> of cp you would get labeling based on the parent but then you would be
> required to explicitly specify preserve the context when you wanted to
> archive that as well.
>
> It doesn't seem like anyone is actually depending on the associate
> permission so it might be worth someone looking into removing it if no
> one is really using it. It has its applications but I don't believe Red
> Hat is using it at this time.
>
> Dave
>

That is fine with me but I would like to get the opinion of upstream
coreutils.

Jim what do you think?

10-08-2008, 05:10 PM
Jim Meyering

Daniel J Walsh <dwalsh@redhat.com> wrote:
> David P. Quigley wrote:
...
>> I think the main question here is should archive try to retain the
>> SELinux context. From what I've heard from people here, initially the
>> idea was to try to preserve the context and if that failed fall back to
>> labeling based on the parent. That doesn't seem to be what cp is trying
>> to do. If we removed the retain the context part from the archive switch
>> of cp you would get labeling based on the parent but then you would be
>> required to explicitly specify preserve the context when you wanted to
>> archive that as well.
>>
>> It doesn't seem like anyone is actually depending on the associate
>> permission so it might be worth someone looking into removing it if no
>> one is really using it. It has its applications but I don't believe Red
>> Hat is using it at this time.
>>
>> Dave
>
> That is fine with me but I would like to get the opinion of upstream
> coreutils.
>
> Jim what do you think?

Hi Dan,

Since I merged SELinux support into upstream coreutils,
(for coreutils-6.9.91, released 2007-12-15; latest is coreutils-7.0,
http://article.gmane.org/gmane.comp.gnu.core-utils.announce/47 )
its cp -a has *not* attempted to preserve SELinux context.
There was some debate about changing that, since cp -a has
always been equivalent to "cp -dpR", and some were reluctant
to change that.

To get SELinux-context-preserving behavior, you currently have two options:

use --preserve=context to require that cp preserve each
file's context. Failure to do so makes cp end up exiting nonzero.

use --preserve=all to make cp _attempt_ to preserve context.
Failure gets a diagnostic, but does not evoke nonzero exit status.

Just yesterday, Ondřej Vašík proposed a patch to change cp -a
from being equivalent to "cp -dpR" to being equivalent to
"cp -dR --preserve=all", which would be in line with this year-old
description from NEWS:

* "cp -a" works with SELinux:
Now, cp -a attempts to preserve context, but failure to do so does
not change cp's exit status. However "cp --preserve=context" is
similar, but failure *does* cause cp to exit with nonzero status.

I'll have to run some tests before deciding on this,
to see if such a change would result in many new diagnostics
about failure to preserve context.

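
The two modes described in the post above (`--preserve=context` fails hard, a copy that does not request context succeeds with default labels), combined into one wrapper as an added example that is not part of the original thread or of coreutils. It assumes upstream GNU cp, where `-dpR` does not request context; `copy_tree` and its two result words are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. copy_tree and its two result words are
# hypothetical names; the cp options are the ones named in the post.

# copy_tree SRC_DIR NEW_DST
# Prints "preserved" when every file kept its SELinux context, or
# "default-label" when cp could not preserve contexts and the tree was copied
# again without them. Returns nonzero if the tree could not be copied at all.
copy_tree() {
    local src=$1 dst=$2

    # Refuse an existing destination so the cleanup below can only ever
    # delete what this function created.
    if [ ! -d "$src" ] || [ -e "$dst" ]; then
        echo "copy_tree: need an existing SRC_DIR and a new NEW_DST" >&2
        return 2
    fi

    # Strict pass: naming "context" explicitly makes cp exit nonzero if any
    # file's context cannot be preserved (the iso9660_t case in the thread).
    if cp -dR --preserve=mode,ownership,timestamps,context \
            "$src" "$dst" 2>/dev/null; then
        echo preserved
        return 0
    fi

    # Remove the partial strict copy, then repeat as plain "cp -dpR", which
    # (assumption: upstream GNU cp) does not request context, so new files
    # get the label policy assigns at the destination. SELinux stays
    # enforcing throughout.
    rm -rf -- "$dst"
    if cp -dpR "$src" "$dst"; then
        echo default-label
        return 0
    fi
    return 1
}
```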
 
10-08-2008, 05:13 PM
James Antill

On Tue, 2008-10-07 at 14:23 -0400, David P. Quigley wrote:

> I think the main question here is should archive try to retain the
> SELinux context. From what I've heard from people here, initially the
> idea was to try to preserve the context and if that failed fall back to
> labeling based on the parent.

The context is a permission, it's like saying "when using -a try and
preserve the chmod/ownership/acl value, but if that fails just make a
new one up ... what could possibly go wrong!?".

> That doesn't seem to be what cp is trying
> to do. If we removed the retain the context part from the archive switch
> of cp you would get labeling based on the parent but then you would be
> required to explicitly specify preserve the context when you wanted to
> archive that as well.

We differ from upstream by adding the -c behaviour to -a ... but unless
we want to turn SELinux off that's the right thing to do, IMO.
The fact that this is another case of "SELinux telling you in a really
weird way, that what you asked for is wrong" is annoying, but that
doesn't mean we should change what people asked for.

> It doesn't seem like anyone is actually depending on the associate
> permission so it might be worth someone looking into removing it if no
> one is really using it. It has its applications but I don't believe Red
> Hat is using it at this time.

-ENOPARSE

--
James Antill <james@fedoraproject.org>
Fedora

10-13-2008, 02:33 PM
Jon Masters

On Tue, 2008-10-07 at 22:34 +0200, Christian Iseli wrote:
> On Tue, 07 Oct 2008 10:55:07 -0700, Jesse Keating wrote:
> > Somebody else jumped on the thread and steered the conversation
> > toward a virtualbox problem, which somewhat related to Jon's issue,
> > it's not the same issue.
>
> Right, mea culpa and sorry about that. I thought my problem had the
> same root as the OP's problem, but it now appears I was wrong...



I occasionally bring up the SELinux issue because I'm trying to ask
"what would a regular computer user think?", not whether I can solve the
problem for myself with setting contexts or disabling the protection.

And last night, I had a wonderful SELinux experience again, this time
using Samba shares. None of the guests running within KVM were able to
talk to Samba, so I wasted time pondering networking problems, etc.
before I realized I rebooted since I set up the Samba shares. In the end,
the usual process of mumbling sweet words about SELinux and turning it
off was the response...and I remain convinced therefore that it is
entirely appropriate to subject regular desktop users to SELinux.

Jon.


10-13-2008, 02:38 PM
Jonathan Dieter

On Mon, 2008-10-13 at 09:33 -0400, Jon Masters wrote:
> I occasionally bring up the SELinux issue because I'm trying to ask
> "what would a regular computer user think?", not whether I can solve the
> problem for myself with setting contexts or disabling the protection.
>
> And last night, I had a wonderful SELinux experience again, this time
> using Samba shares. None of the guests running within KVM were able to
> talk to Samba, so I wasted time pondering networking problems, etc.
> before I realized I rebooted since I set up the Samba shares. In the end,
> the usual process of mumbling sweet words about SELinux and turning it
> off was the response...and I remain convinced therefore that it is
> entirely appropriate to subject regular desktop users to SELinux.

Sorry, should that be s/appropriate/inappropriate/? Just trying to
understand what you're saying.

Jonathan

10-15-2008, 01:40 PM
Daniel J Walsh

Jon Masters wrote:
> On Tue, 2008-10-07 at 22:34 +0200, Christian Iseli wrote:
>> On Tue, 07 Oct 2008 10:55:07 -0700, Jesse Keating wrote:
>>> Somebody else jumped on the thread and steered the conversation
>>> toward a virtualbox problem, which somewhat related to Jon's issue,
>>> it's not the same issue.
>> Right, mea culpa and sorry about that. I thought my problem had the
>> same root as the OP's problem, but it now appears I was wrong...
>
>
>
> I occasionally bring up the SELinux issue because I'm trying to ask
> "what would a regular computer user think?", not whether I can solve the
> problem for myself with setting contexts or disabling the protection.
>
> And last night, I had a wonderful SELinux experience again, this time
> using Samba shares. None of the guests running within KVM were able to
> talk to Samba, so I wasted time pondering networking problems, etc.
> before I realized I rebooted since I set up the Samba shares. In the end,
> the usual process of mumbling sweet words about SELinux and turning it
> off was the response...and I remain convinced therefore that it is
> entirely appropriate to subject regular desktop users to SELinux.
>
> Jon.
>
>
Not wanting to get into an argument, what was the problem you were seeing?
Were your virtual machines on a samba share? And libvirt not able to
start the image because qemu was not allowed to read samba shares?

