From: bug#20616 <20616@debbugs.gnu.org>
Subject: Status: mkdir: -p breaks -Z
Date: Sat, 06 Sep 2025 03:56:14 +0000

retitle 20616 mkdir: -p breaks -Z
reassign 20616 coreutils
submitter 20616 Hannes Reich
severity 20616 normal
thanks

Date: Wed, 20 May 2015 14:03:03 +0200
From: Hannes Reich
To: bug-coreutils@gnu.org
Subject: mkdir: -p breaks -Z

The "-Z" (set SELinux context) option to mkdir appears to have no effect
when "-p" (no error if existing, create parents) is also specified.

For example, on my CentOS 7 system, the correct context for
subdirectories of "/home" is "user_home_dir_t", but when I create such a
directory with "mkdir -p -Z", it has the "home_root_t" context:

    # rm -rf /home/with-p
    # mkdir -p -Z /home/with-p
    # ls -Zd /home/with-p
    drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/with-p
    #

That's wrong. Running restorecon(1) fixes it:

    # restorecon -v /home/with-p
    restorecon reset /home/with-p context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_dir_t:s0
    #

Without the "-p" option, "-Z" works as expected:

    # mkdir -Z /home/without-p
    # ls -Zd /home/without-p
    drwxr-xr-x. root root unconfined_u:object_r:user_home_dir_t:s0 /home/without-p
    # restorecon -v /home/without-p
    #

The coreutils version in CentOS 7 is 8.22.

coreutils-8.23 compiled from source has the same behaviour.
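
Added example, not part of the original report or of coreutils: a shell script for finding directories that an affected "mkdir -p -Z" left with the inherited label. It parses restorecon -v lines in the format quoted in the report; the function names and the sample input are constructed here, and audit_tree assumes that "restorecon -n -v" prints that same format.

```shell
#!/bin/sh
# Added example (not from the report or from coreutils).
# Input format, as quoted in the report:
#   restorecon reset PATH context OLD->NEW

# Print the type field (third field) of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read restorecon -v output on stdin and print "PATH OLD_TYPE NEW_TYPE"
# for every relabel line. Lines in any other format are skipped.
mislabeled() {
    while IFS= read -r line; do
        case $line in
            "restorecon reset "*" context "*"->"*) ;;
            *) continue ;;
        esac
        rest=${line#restorecon reset }
        path=${rest% context *}      # text before the last " context "
        ctxs=${rest##* context }     # text after the last " context "
        old=${ctxs%%->*}
        new=${ctxs#*->}
        printf '%s %s %s\n' "$path" "$(ctx_type "$old")" "$(ctx_type "$new")"
    done
}

# Dry-run audit of a tree: -n changes nothing, -v reports each deviation.
# Assumption: restorecon prints the report's format; other releases may
# word the line differently and would need another pattern above.
audit_tree() {
    restorecon -R -n -v "$1" 2>/dev/null | mislabeled
}

# Constructed sample: the line from the report plus one unrelated line.
sample='restorecon reset /home/with-p context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_dir_t:s0
some other output'

printf '%s\n' "$sample" | mislabeled
```

On an SELinux host, "audit_tree /home" lists each path whose current type differs from the policy default without changing any label.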

Date: Thu, 21 May 2015 11:09:59 +0100
From: Pádraig Brady
To: Hannes Reich, 20616@debbugs.gnu.org
Subject: Re: bug#20616: mkdir: -p breaks -Z

On 20/05/15 13:03, Hannes Reich wrote:
> The "-Z" (set SELinux context) option to mkdir appears to have no effect
> when "-p" (no error if existing, create parents) is also specified.
>
> For example, on my CentOS 7 system, the correct context for
> subdirectories of "/home" is "user_home_dir_t", but when I create such a
> directory with "mkdir -p -Z", it has the "home_root_t" context:
>
>     # rm -rf /home/with-p
>     # mkdir -p -Z /home/with-p
>     # ls -Zd /home/with-p
>     drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/with-p
>     #
>
> That's wrong. Running restorecon(1) fixes it:
>
>     # restorecon -v /home/with-p
>     restorecon reset /home/with-p context
>     unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_dir_t:s0
>     #
>
> Without the "-p" option, "-Z" works as expected:
>
>     # mkdir -Z /home/without-p
>     # ls -Zd /home/without-p
>     drwxr-xr-x. root root unconfined_u:object_r:user_home_dir_t:s0
>     /home/without-p
>     # restorecon -v /home/without-p
>     #
>
> The coreutils version in CentOS 7 is 8.22.
>
> coreutils-8.23 compiled from source has the same behaviour.

I see the issue. I had assumed that defaultcon() for the ancestors
was not called if they existed.
That can't be done without races, so we must call restorecon for the
final component, even if only creating a single dir. Alternatively you
could temp disable o->set_security_context around make_dir_parents(),
but that would be subject to TOCTOU races.

I'll apply something like the following.

thanks!
Pádraig.

diff --git a/src/mkdir.c b/src/mkdir.c index 404a04a..ff51ae1 100644 --- a/src/mkdir.c +++ b/src/mkdir.c @@ -151,23 +151,11 @@ static int process_dir (char *dir, struct savewd *wd, void *options) { struct mkdir_options const *o = options; - bool set_defaultcon = false; /* If possible set context before DIR created. */ if (o->set_security_context) { - if (! o->make_ancestor_function) - set_defaultcon = true; - else - { - char *pdir = dir_name (dir); - struct stat st; - if (STREQ (pdir, ".") - || (stat (pdir, &st) == 0 && S_ISDIR (st.st_mode))) - set_defaultcon = true; - free (pdir); - } - if (set_defaultcon && defaultcon (dir, S_IFDIR) < 0 + if (! o->make_ancestor_function && defaultcon (dir, S_IFDIR) < 0 && ! ignorable_ctx_err (errno)) error (0, errno, _("failed to set default creation context for %s"), quote (dir)); 
@@ -184,7 +172,8 @@ process_dir (char *dir, struct savewd *wd, void *options) final component of DIR is created. So for now, create the final component with the context from previous component and here we set the context for the final component. */ - if (ret == EXIT_SUCCESS && o->set_security_context && ! set_defaultcon) + if (ret == EXIT_SUCCESS && o->set_security_context + && o->make_ancestor_function) { if (! restorecon (last_component (dir), false, false) && ! ignorable_ctx_err (errno))
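
Review bot: in the first hunk (@@ -151,23 +151,11 @@), the retained comment "/* If possible set context before DIR created. */" no longer describes the -p path. With the new condition "! o->make_ancestor_function && defaultcon (dir, S_IFDIR) < 0", defaultcon() is skipped whenever make_ancestor_function is set, so the directory is always created with the inherited context and only relabelled afterwards. Please extend the comment to say that with -p the label is applied after creation, and why (the race described in the message), so that the interval in which the directory carries the parent's type is a documented trade-off.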
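
Review bot: in the second hunk (@@ -184,7 +172,8 @@), the new condition "ret == EXIT_SUCCESS && o->set_security_context && o->make_ancestor_function" does not check that this call created the final component. The report describes -p as "no error if existing", so as far as these lines show, "mkdir -p -Z" on a directory that already exists would also reach restorecon() and reset its label. Either guard on the directory having been created here, or state in the comment and the documentation that existing directories are relabelled. A test that runs the report's "mkdir -p -Z" case on a single new component and checks the resulting type would keep this from regressing.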

Date: Sat, 23 May 2015 02:06:44 +0100
From: Pádraig Brady
To: Hannes Reich, 20616-done@debbugs.gnu.org
Subject: Re: bug#20616: mkdir: -p breaks -Z

Fix pushed at:
http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=4ce7488

cheers,
Pádraig.

From: Debbugs Internal Request
Subject: Internal Control
Date: Sat, 20 Jun 2015 11:24:05 +0000

# The action:
# bug archived.