bug-gnulib

Re: copying selinux context


From: Paolo Bonzini
Subject: Re: copying selinux context
Date: Mon, 29 Jun 2009 00:49:07 +0200
User-agent: Thunderbird 2.0.0.17 (X11/20081009)


> About the return value of getfilecon: Why do you ignore only the ENOSYS error
> and not also ENOTSUP and ENODATA?

I was copying what cp does.

       If the context does not exist, or the process has no access to this
       attribute, errno is set to ENODATA.

       If extended attributes are not supported by the filesystem, or are
       disabled, errno is set to ENOTSUP.

For ENOTSUP, I think you're right (though in practice SELinux will be disabled in this case, so getfilecon will not be called; even NFS is a supported filesystem).

For ENODATA, SELinux in permissive mode will never return it while in enforcing mode it is correct to treat it as an error. (In permissive mode security violations are reported to the user, but only as warnings).

I can try tomorrow.
>   2) We should also have a module that creates a new, empty file with the
>      security context (uid, gid, mode, ACL and selinux context) of a given
>      file.
I don't think so, because most of the time you want restrictive permissions until the file is complete.

> Why? Is a portion of a file more sensitive than the entire file's contents?

Yes, for example "rm -rf /" is more sensitive than "rm -rf /tmp/blah".

Paolo
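
Following on from the errno discussion above, here is an added example (not gnulib's or cp's code) of the policy Paolo arrives at: ENOSYS and ENOTSUP from getfilecon mean there is no context to copy, while ENODATA and anything else is reported as an error. It reads the security.selinux extended attribute directly, which is what libselinux's getfilecon/setfilecon wrap, and assumes Linux with <sys/xattr.h>; the paths used to exercise it are constructed.

```c
/* Added example, not gnulib's or cp's code.  Copies a file's SELinux
 * context by reading and writing the "security.selinux" xattr, the same
 * attribute libselinux's getfilecon()/setfilecon() use.  Linux only. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"

enum ctx_result { CTX_COPIED, CTX_SKIPPED, CTX_FAILED };

/* Decide what a failing getfilecon() means.  ENOSYS (kernel without xattr
 * support) and ENOTSUP (filesystem without extended attributes) mean there
 * is simply no context to copy.  Everything else, ENODATA included, is an
 * error: in enforcing mode a missing context on an xattr-capable
 * filesystem is a real problem, not something to silently skip. */
int getfilecon_error_is_fatal(int err)
{
    return !(err == ENOSYS || err == ENOTSUP);
}

enum ctx_result copy_selinux_context(const char *src, const char *dst)
{
    char ctx[256];
    ssize_t len = getxattr(src, SELINUX_XATTR, ctx, sizeof ctx - 1);
    if (len < 0) {
        if (getfilecon_error_is_fatal(errno)) {
            perror(src);
            return CTX_FAILED;
        }
        return CTX_SKIPPED;          /* nothing to copy on this filesystem */
    }
    /* Some filesystems store the context with a trailing NUL, some do not;
       normalise to a NUL-terminated string as libselinux does. */
    if (len > 0 && ctx[len - 1] == '\0')
        len--;
    ctx[len] = '\0';
    /* setfilecon() writes strlen(context) + 1 bytes; do the same so the
       kernel parses exactly the string we read. */
    if (setxattr(dst, SELINUX_XATTR, ctx, (size_t)len + 1, 0) < 0) {
        perror(dst);
        return CTX_FAILED;
    }
    return CTX_COPIED;
}
```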
