From 6fab28dce4785a86ea3f6616ecf6036c43337edd Mon Sep 17 00:00:00 2001 From: Chengwei Yang Date: Fri, 17 Jan 2014 15:46:43 +0000 Subject: doc: clarify SMACK related --help and documentation * src/ls.c: Remove all mention of SELinux since ls should treat all security context labels equally. * doc/coreutils.texi (ls invocation): Likewise. (id invocation): Clarify that -Z outputs the context inherited by the process, rather than one specific to a user. Note for SMACK this can be set instead by the SMACK64EXEC label, in the unusual case where this is set on the id executable. * src/id.c (usage): Likewise. * src/mkdir.c (usage): Clarify that -Z is specific to SELinux, while --context=CTX is also supported for SMACK. * src/mkfifo.c (usage): Likewise. * src/mknod.c (usage): Likewise. --- doc/coreutils.texi | 10 ++++++---- src/id.c | 2 +- src/ls.c | 18 +++++++++--------- src/mkdir.c | 3 ++- src/mkfifo.c | 3 ++- src/mknod.c | 3 ++- 6 files changed, 22 insertions(+), 17 deletions(-) diff --git a/doc/coreutils.texi b/doc/coreutils.texi index 9a19cfa62..35e7bd9fd 100644 --- a/doc/coreutils.texi +++ b/doc/coreutils.texi @@ -7268,7 +7268,7 @@ space, there is no alternate access method. When it is a printing character, then there is such a method. GNU @command{ls} uses a @samp{.} character to indicate a file -with an SELinux security context, but no other alternate access method. +with a security context, but no other alternate access method. A file with any other combination of alternate access methods is marked with a @samp{+} character. 
@@ -8466,7 +8466,8 @@ to the system default type for destination files, similarly to the @command{restorecon} command. The long form of this option with a specific context specified, will set the context for newly created files only. -With a specified context, if SELinux is disabled, a warning is issued. +With a specified context, if both SELinux and SMACK are disabled, a warning is +issued. @end macro @optContext This option is mutually exclusive with the @option{--preserve=context} @@ -14563,8 +14564,9 @@ Print only the user ID. @opindex --context @cindex SELinux @cindex security context -Print only the security context of the current user. -If SELinux is disabled then print a warning and +Print only the security context of the process, which is generally +the user's security context inherited from the parent process. +If neither SELinux or SMACK is enabled then print a warning and set the exit status to 1. @item -z diff --git a/src/id.c b/src/id.c index 803c360c4..3348f8013 100644 --- a/src/id.c +++ b/src/id.c @@ -89,7 +89,7 @@ or (when USER omitted) for the current user.\n\ stdout); fputs (_("\ -a ignore, for compatibility with other versions\n\ - -Z, --context print only the security context of the current user\n\ + -Z, --context print only the security context of the process\n\ -g, --group print only the effective group ID\n\ -G, --groups print all group IDs\n\ -n, --name print a name instead of a number, for -ugG\n\ diff --git a/src/ls.c b/src/ls.c index 30356aca4..5d87dd332 100644 --- a/src/ls.c +++ b/src/ls.c @@ -186,7 +186,7 @@ verify (sizeof filetype_letter - 1 == arg_directory + 1); enum acl_type { ACL_T_NONE, - ACL_T_SELINUX_ONLY, + ACL_T_LSM_CONTEXT_ONLY, ACL_T_YES }; @@ -206,7 +206,7 @@ struct fileinfo zero. */ mode_t linkmode; - /* SELinux security context. */ + /* security context. */ security_context_t scontext; bool stat_ok; 
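Review bot: The reworded field comment in struct fileinfo, `/* security context. */`, now starts lower-case and no longer says which kinds of label the field holds, while the field type is still the SELinux-named `security_context_t`. Going by the commit message, ls is meant to treat all label types equally, so something like `/* Security context (SELinux or SMACK label).  */` would tell the reader that the SELinux type name is not a restriction. The struct definition starts and ends outside the hunk.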
@@ -216,7 +216,7 @@ struct fileinfo bool linkok; /* For long listings, true if the file has an access control list, - or an SELinux security context. */ + or a security context. */ enum acl_type acl_type; /* For color listings, true if a regular file has capability info. */ @@ -2804,8 +2804,8 @@ errno_unsupported (int err) } /* Cache *getfilecon failure, when it's trivial to do so. - Like getfilecon/lgetfilecon, but when F's st_dev says it's on a known- - SELinux-challenged file system, fail with ENOTSUP immediately. */ + Like getfilecon/lgetfilecon, but when F's st_dev says it's doesn't + support getting the security context, fail with ENOTSUP immediately. */ static int getfilecon_cache (char const *file, struct fileinfo *f, bool deref) { @@ -3052,7 +3052,7 @@ gobble_file (char const *name, enum filetype type, ino_t inode, f->acl_type = (!have_scontext && !have_acl ? ACL_T_NONE : (have_scontext && !have_acl - ? ACL_T_SELINUX_ONLY + ? ACL_T_LSM_CONTEXT_ONLY : ACL_T_YES)); any_has_acl |= f->acl_type != ACL_T_NONE; @@ -3799,7 +3799,7 @@ print_long_format (const struct fileinfo *f) struct tm *when_local; /* Compute the mode string, except remove the trailing space if no - file in this directory has an ACL or SELinux security context. */ + file in this directory has an ACL or security context. */ if (f->stat_ok) filemodestring (&f->stat, modebuf); else @@ -3810,7 +3810,7 @@ print_long_format (const struct fileinfo *f) } if (! any_has_acl) modebuf[10] = '\0'; - else if (f->acl_type == ACL_T_SELINUX_ONLY) + else if (f->acl_type == ACL_T_LSM_CONTEXT_ONLY) modebuf[10] = '.'; else if (f->acl_type == ACL_T_YES) modebuf[10] = '+'; 
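Review bot: The rewritten comment above getfilecon_cache has a grammar slip, `it's doesn't support`, and loses the noun the sentence was about (the file system). Suggest `Like getfilecon/lgetfilecon, but when F's st_dev says it's on a file system that doesn't support getting the security context, fail with ENOTSUP immediately.` The function body is outside the hunk, so the caching behaviour itself is not reviewed here.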
@@ -4886,7 +4886,7 @@ Sort entries alphabetically if none of -cftuvSUX nor --sort is specified.\n\ -w, --width=COLS assume screen width instead of current value\n\ -x list entries by lines instead of by columns\n\ -X sort alphabetically by entry extension\n\ - -Z, --context print any SELinux security context of each file\n\ + -Z, --context print any security context of each file\n\ -1 list one file per line\n\ "), stdout); fputs (HELP_OPTION_DESCRIPTION, stdout); diff --git a/src/mkdir.c b/src/mkdir.c index c904d4f27..a6f6c24a6 100644 --- a/src/mkdir.c +++ b/src/mkdir.c @@ -67,7 +67,8 @@ Create the DIRECTORY(ies), if they do not already exist.\n\ -p, --parents no error if existing, make parent directories as needed\n\ -v, --verbose print a message for each created directory\n\ -Z, --context[=CTX] set the SELinux security context of each created\n\ - directory to default type or to CTX if specified\n\ + directory to default type or set the SELinux or\n\ + SMACK security context to CTX if specified\n\ "), stdout); fputs (HELP_OPTION_DESCRIPTION, stdout); fputs (VERSION_OPTION_DESCRIPTION, stdout); diff --git a/src/mkfifo.c b/src/mkfifo.c index f9c6af611..cf970593b 100644 --- a/src/mkfifo.c +++ b/src/mkfifo.c @@ -62,7 +62,8 @@ Create named pipes (FIFOs) with the given NAMEs.\n\ "), stdout); fputs (_("\ -Z, --context[=CTX] set the SELinux security context of each NAME to\n\ - default type, or CTX if specified\n\ + default type, or set the SELinux or SMACK\n\ + security context to CTX if specified\n\ "), stdout); fputs (HELP_OPTION_DESCRIPTION, stdout); fputs (VERSION_OPTION_DESCRIPTION, stdout); diff --git a/src/mknod.c b/src/mknod.c index c6ea1ea19..dfb9ef4fc 100644 --- a/src/mknod.c +++ b/src/mknod.c 
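Review bot: The three `-Z, --context[=CTX]` help strings in mkdir.c, mkfifo.c and mknod.c now say the same thing with different punctuation: mkdir has `to default type or set the SELinux or` with no comma, while mkfifo and mknod use `default type, or set the SELinux or SMACK`. Each is a separate translatable string, so using one clause in all three, e.g. `default type, or set the SELinux or SMACK security context to CTX if specified`, keeps them consistent. The text also leaves implicit that bare -Z applies to SELinux only, which the commit message states; a reader on a SMACK-only system may expect a label to be applied, so saying so directly in the help would avoid files being left unlabelled by surprise.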
@@ -64,7 +64,8 @@ Create the special file NAME of the given TYPE.\n\ "), stdout); fputs (_("\ -Z, --context[=CTX] set the SELinux security context of NAME to\n\ - default type, or to CTX if specified\n\ + default type, or set the SELinux or SMACK\n\ + security context to CTX if specified\n\ "), stdout); fputs (HELP_OPTION_DESCRIPTION, stdout); fputs (VERSION_OPTION_DESCRIPTION, stdout); -- cgit v1.2.3-54-g00ecf