Re: copying selinux context

[Bruno Haible]

Hello Paolo,

> >> it must recreate the file (*) and then copy it 
> >> to the old file name.  In doing so it must copy the security context 
> >> just like it copies UIDs, GIDs, modes and ACLs.
> > 
> > So this means:
> > 
> >   1) The existing module 'copy-file' (used e.g. by gettext when creating
> >      backup files) should be updated to copy also the selinux context of
> >      the file. Anyone knows how to do that?
> 
> http://git.savannah.gnu.org/gitweb/?p=sed.git;a=commitdiff;h=fa01dd7 
> should teach you, it's easier than I expected.

About the return value of getfilecon: Why do you ignore only the ENOSYS error
and not also ENOTSUP and ENODATA? The manual page says:

       If the context does not exist, or the process has  no  access  to  this
       attribute, errno is set to ENODATA.

       If extended attributes are not supported by the filesystem, or are dis-
       abled, errno is set to ENOTSUP.

> >   2) We should also have a module that creates a new, empty file with the
> >      security context (uid, gid, mode, ACL and selinux context) of a given
> >      file.
> 
> I don't think so, because most of the time you want restrictive 
> permissions until the file is complete.

Why? Is a portion of a file more sensitive than the entire file's contents?

I cannot really work on these topics of gnulib, because I don't understand
how SELinux is meant to be used. Some SELinux expert needs to step up.

Bruno