ls: use '.' (not +) as SELinux-only alt. access flag in ls -l output

* src/ls.c (gobble_file) [long_format]: Map SELinux-only to '.',
any other nonempty combination of MAC and ACL to '+', and all else
to the usual ' '.  Suggested by Michael Stone.
* tests/misc/selinux: Adapt: expect '.', not '+'.
* doc/coreutils.texi (What information is listed): Document this.
* NEWS (Changes in behavior): Mention it.

diff --git a/NEWS b/NEWS
index ab7d5bdbeb777316f750f01591e302732a01110e..357efc242048fb3b130e3b8786a5d8621ce421e2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,12 @@ GNU coreutils NEWS                                    -*- outline -*-
 
   stat -f recognizes the Lustre file system type
 
+** Changes in behavior
+
+  ls -l now marks SELinux-only files with the less obtrusive '.',
+  rather than '+'.  A file with any other combination of MAC and ACL
+  is still marked with a '+'.
+
 
 * Noteworthy changes in release 7.0 (2008-10-05) [beta]
 

diff --git a/doc/coreutils.texi b/doc/coreutils.texi
index 64598705d8ecb567174877422a0735b833b8d35e..cbef0139bf87d66698f01307f86110a3d972c32d 100644 (file)
--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
@@ -6474,9 +6474,11 @@ applies to the file.  When the character following the file mode bits is a
 space, there is no alternate access method.  When it is a printing
 character, then there is such a method.
 
-For a file with an extended access control list, a @samp{+} character is
-listed.  Basic access control lists are equivalent to the permissions
-listed, and are not considered an alternate access method.
+GNU @command{ls} uses a @samp{.} character to indicate a file
+with an SELinux security context, but no other alternate access method.
+
+A file with any other combination of alternate access methods
+is marked with a @samp{+} character.
 
 @item -n
 @itemx --numeric-uid-gid

diff --git a/src/ls.c b/src/ls.c
index e38a5fee54f4b91cee755aefc5372a470083c658..590af7f05b3125eb008fcd312623961f0e9f56bc 100644 (file)
--- a/src/ls.c
+++ b/src/ls.c
@@ -154,6 +154,12 @@ verify (sizeof filetype_letter - 1 == arg_directory + 1);
     C_LINK, C_SOCK, C_FILE, C_DIR                      \
   }
 
+enum acl_type
+  {
+    ACL_T_NONE,
+    ACL_T_SELINUX_ONLY,
+    ACL_T_YES
+  };
 
 struct fileinfo
   {
@@ -182,7 +188,7 @@ struct fileinfo
 
     /* For long listings, true if the file has an access control list,
        or an SELinux security context.  */
-    bool have_acl;
+    enum acl_type acl_type;
   };
 
 #define LEN_STR_PAIR(s) sizeof (s) - 1, s
@@ -2689,6 +2695,7 @@ gobble_file (char const *name, enum filetype type, ino_t inode,
 
       if (format == long_format || print_scontext)
        {
+         bool have_selinux = false;
          bool have_acl = false;
          int attr_len = (do_deref
                          ?  getfilecon (absolute_name, &f->scontext)
@@ -2707,7 +2714,7 @@ gobble_file (char const *name, enum filetype type, ino_t inode,
            }
 
          if (err == 0)
-           have_acl = ! STREQ ("unlabeled", f->scontext);
+           have_selinux = ! STREQ ("unlabeled", f->scontext);
          else
            {
              f->scontext = UNKNOWN_SECURITY_CONTEXT;
@@ -2720,15 +2727,19 @@ gobble_file (char const *name, enum filetype type, ino_t inode,
                err = 0;
            }
 
-         if (err == 0 && ! have_acl && format == long_format)
+         if (err == 0 && format == long_format)
            {
              int n = file_has_acl (absolute_name, &f->stat);
              err = (n < 0);
              have_acl = (0 < n);
            }
 
-         f->have_acl = have_acl;
-         any_has_acl |= have_acl;
+         f->acl_type = (!have_selinux && !have_acl
+                        ? ACL_T_NONE
+                        : (have_selinux && !have_acl
+                           ? ACL_T_SELINUX_ONLY
+                           : ACL_T_YES));
+         any_has_acl |= f->acl_type != ACL_T_NONE;
 
          if (err)
            error (0, errno, "%s", quotearg_colon (absolute_name));
@@ -3449,7 +3460,9 @@ print_long_format (const struct fileinfo *f)
     }
   if (! any_has_acl)
     modebuf[10] = '\0';
-  else if (f->have_acl)
+  else if (f->acl_type == ACL_T_SELINUX_ONLY)
+    modebuf[10] = '.';
+  else if (f->acl_type == ACL_T_YES)
     modebuf[10] = '+';
 
   switch (time_type)

diff --git a/tests/misc/selinux b/tests/misc/selinux
index a231fa78f64fae0bd42d7282fb6b6ab488dfe423..8211c80f7179c3d675744903e3c0b73695f19af5 100755 (executable)
--- a/tests/misc/selinux
+++ b/tests/misc/selinux
@@ -34,8 +34,8 @@ for i in d f p; do
   c=`stat --printf %C $i`; test x$c = x$ctx || fail=1
 done
 
-# ensure that ls -l output includes the "+".
-c=`ls -l f|cut -c11`; test "$c" = + || fail=1
+# ensure that ls -l output includes the ".".
+c=`ls -l f|cut -c11`; test "$c" = . || fail=1
 
 # Copy each to a new directory and ensure that context is preserved.
 cp -r --preserve=all d f p s1 || fail=1