libselinux python binding of restorecon different from restorecon command

Daniel J Walsh dwalsh at redhat.com
Tue Nov 29 14:31:03 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/29/2011 07:14 AM, Paul Howarth wrote:
> I maintain a local RPM package repository and have a "newrepo"
> script that assembles the repository, calls createrepo and repoview
> etc.
> 
> During the script it runs "restorecon" on all of the files in the
> repo to make sure that they have the correct contexts to be
> accessible via http etc.
> 
> A few weeks ago I rewrote the script in python and decided to use
> the libselinux-python binding (this is on F16) for the "restorecon"
> call. Around the same time I noticed that my backups were getting a
> lot bigger but I've only just discovered why. If I use the shell
> command "restorecon -rvF /path/to/dir", and it doesn't need to
> change anything, the ctime of the dirs/files concerned remain
> unchanged. However, if I use the python binding, the ctime is
> updated. So I've backing up the entire repository on each
> incremental backup :-(
> 
> [paul at zion ~]$ ls -l --time=ctime
> /home/paul/cfo-repo/drivers/advansys/ total 11896 -rw-rw-r--. 1
> paul paul  649700 Nov 29 11:54 advansys-driverdisk.zip -rw-rw-r--.
> 1 paul paul 4175872 Nov 29 11:54 advansys-fc2-boot.iso -rw-rw-r--.
> 2 paul paul  108723 Nov 29 11:54 dkms-2.2.0.2-1.noarch.rpm 
> -rw-rw-r--. 2 paul paul  132593 Nov 29 11:54
> dkms-2.2.0.2-1.src.rpm -rw-rw-r--. 1 paul paul   10400 Nov 29 11:54
> HEADER.html -rw-rw-r--. 1 paul paul  287602 Nov 29 11:54
> kernel-advansys-0.9.1-1dkms.noarch.rpm -rw-rw-r--. 1 paul paul
> 228573 Nov 29 11:54 kernel-advansys-0.9.1-1dkms.src.rpm -rw-rw-r--.
> 1 paul paul  620915 Nov 29 11:54
> kernel-advansys-0.9.2-1dkms.noarch.rpm -rw-rw-r--. 1 paul paul
> 457045 Nov 29 11:54 kernel-advansys-0.9.2-1dkms.src.rpm -rw-rw-r--.
> 1 paul paul  607931 Nov 29 11:54
> kernel-advansys-0.9.3-2dkms.noarch.rpm -rw-rw-r--. 1 paul paul
> 461727 Nov 29 11:54 kernel-advansys-0.9.3-2dkms.src.rpm -rw-r--r--.
> 1 paul paul 1234354 Nov 29 11:54
> kernel-advansys-0.9.4-1dkms.noarch.rpm -rw-r--r--. 1 paul paul
> 907444 Nov 29 11:54 kernel-advansys-0.9.4-1dkms.src.rpm -rw-rw-r--.
> 2 paul paul 1286253 Nov 29 11:54
> kernel-advansys-0.9.5-1dkms.noarch.rpm -rw-rw-r--. 2 paul paul
> 981819 Nov 29 11:54 kernel-advansys-0.9.5-1dkms.src.rpm [paul at zion
> ~]$ date; restorecon -rvF /home/paul/cfo-repo/drivers/advansys/;
> date Tue Nov 29 12:02:54 GMT 2011 Tue Nov 29 12:02:54 GMT 2011 
> [paul at zion ~]$ ls -l --time=ctime
> /home/paul/cfo-repo/drivers/advansys/ total 11896 -rw-rw-r--. 1
> paul paul  649700 Nov 29 11:54 advansys-driverdisk.zip -rw-rw-r--.
> 1 paul paul 4175872 Nov 29 11:54 advansys-fc2-boot.iso -rw-rw-r--.
> 2 paul paul  108723 Nov 29 11:54 dkms-2.2.0.2-1.noarch.rpm 
> -rw-rw-r--. 2 paul paul  132593 Nov 29 11:54
> dkms-2.2.0.2-1.src.rpm -rw-rw-r--. 1 paul paul   10400 Nov 29 11:54
> HEADER.html -rw-rw-r--. 1 paul paul  287602 Nov 29 11:54
> kernel-advansys-0.9.1-1dkms.noarch.rpm -rw-rw-r--. 1 paul paul
> 228573 Nov 29 11:54 kernel-advansys-0.9.1-1dkms.src.rpm -rw-rw-r--.
> 1 paul paul  620915 Nov 29 11:54
> kernel-advansys-0.9.2-1dkms.noarch.rpm -rw-rw-r--. 1 paul paul
> 457045 Nov 29 11:54 kernel-advansys-0.9.2-1dkms.src.rpm -rw-rw-r--.
> 1 paul paul  607931 Nov 29 11:54
> kernel-advansys-0.9.3-2dkms.noarch.rpm -rw-rw-r--. 1 paul paul
> 461727 Nov 29 11:54 kernel-advansys-0.9.3-2dkms.src.rpm -rw-r--r--.
> 1 paul paul 1234354 Nov 29 11:54
> kernel-advansys-0.9.4-1dkms.noarch.rpm -rw-r--r--. 1 paul paul
> 907444 Nov 29 11:54 kernel-advansys-0.9.4-1dkms.src.rpm -rw-rw-r--.
> 2 paul paul 1286253 Nov 29 11:54
> kernel-advansys-0.9.5-1dkms.noarch.rpm -rw-rw-r--. 2 paul paul
> 981819 Nov 29 11:54 kernel-advansys-0.9.5-1dkms.src.rpm [paul at zion
> ~]$ date; python -c "from selinux import restorecon;
> restorecon('/home/paul/cfo-repo/drivers/advansys', recursive =
> True)"; date Tue Nov 29 12:03:51 GMT 2011 Tue Nov 29 12:03:52 GMT
> 2011 [paul at zion ~]$ ls -l --time=ctime
> /home/paul/cfo-repo/drivers/advansys/total 11896 -rw-rw-r--. 1 paul
> paul  649700 Nov 29 12:03 advansys-driverdisk.zip -rw-rw-r--. 1
> paul paul 4175872 Nov 29 12:03 advansys-fc2-boot.iso -rw-rw-r--. 2
> paul paul  108723 Nov 29 12:03 dkms-2.2.0.2-1.noarch.rpm 
> -rw-rw-r--. 2 paul paul  132593 Nov 29 12:03
> dkms-2.2.0.2-1.src.rpm -rw-rw-r--. 1 paul paul   10400 Nov 29 12:03
> HEADER.html -rw-rw-r--. 1 paul paul  287602 Nov 29 12:03
> kernel-advansys-0.9.1-1dkms.noarch.rpm -rw-rw-r--. 1 paul paul
> 228573 Nov 29 12:03 kernel-advansys-0.9.1-1dkms.src.rpm -rw-rw-r--.
> 1 paul paul  620915 Nov 29 12:03
> kernel-advansys-0.9.2-1dkms.noarch.rpm -rw-rw-r--. 1 paul paul
> 457045 Nov 29 12:03 kernel-advansys-0.9.2-1dkms.src.rpm -rw-rw-r--.
> 1 paul paul  607931 Nov 29 12:03
> kernel-advansys-0.9.3-2dkms.noarch.rpm -rw-rw-r--. 1 paul paul
> 461727 Nov 29 12:03 kernel-advansys-0.9.3-2dkms.src.rpm -rw-r--r--.
> 1 paul paul 1234354 Nov 29 12:03
> kernel-advansys-0.9.4-1dkms.noarch.rpm -rw-r--r--. 1 paul paul
> 907444 Nov 29 12:03 kernel-advansys-0.9.4-1dkms.src.rpm -rw-rw-r--.
> 2 paul paul 1286253 Nov 29 12:03
> kernel-advansys-0.9.5-1dkms.noarch.rpm -rw-rw-r--. 2 paul paul
> 981819 Nov 29 12:03 kernel-advansys-0.9.5-1dkms.src.rpm [paul at zion
> ~]$
> 
> Is this expected behaviour? Is there a way I can use the python
> binding but get the same behaviour as the shell command?
> 
> Paul. -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 

Paul open a bug,  The current restorecon bindings is real simple.

def restorecon(path, recursive=False):
    """ Restore SELinux context on a given path """

    try:
        mode = os.lstat(path)[stat.ST_MODE]
        status, context = matchpathcon(path, mode)
    except OSError:
        path = os.path.realpath(os.path.expanduser(path))
        mode = os.lstat(path)[stat.ST_MODE]
        status, context = matchpathcon(path, mode)

    if status == 0:
        lsetfilecon(path, context)
        if recursive:
            os.path.walk(path, lambda arg, dirname, fnames:
                             map(restorecon, [os.path.join(dirname, fname)
                                              for fname in fnames]), None)


But it would be fairly simple to add a lgetfilecon(path) and check to
see if they match, if they do, do nothing.  Some of the more advanced
features of restorecon might take a while.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7U7KcACgkQrlYvE4MpobPTIACcD52LGCbmcmAaxA2NygARK3sS
nUMAnjoZUmggkXrv7qsWnFOnD3Q43LGL
=d7pM
-----END PGP SIGNATURE-----

More information about the selinux mailing list