This is more of a curiosity question, and I haven't found any answer yet.
If I receive an AVC and sealert tells me to
chcon -R -t something_log_t './logs', with a subsequent semanage,
then it goes into file_context.local exactly how I entered it.
Cool, I would expect that. But it got me thinking about setfiles/restorecon, and what if I
have another directory named logs that requires relabelling?
For example, let's say that today I find incorrect labelling on /somedir/logs and so I
fix it with chcon/semanage.
Then next year, I add a new application and it has /anotherdir/logs that is incorrectly
labelled. SELinux is going to complain about ./logs again, so I may just cd into
/anotherdir and do my chcon/semanage with another_log_t label to this ./logs.
That would change the old label, I would think (unless I'm relabelling to the same
label), and so now restorecon ./logs will apply the new label to whichever directory I
would have to fix.
Also, say I actually think about that beforehand and decide to use a full path in my
restorecon command -- restorecon -v /somedir/logs -- will it be smart enough to know which
logs entry in file_context.local I mean, or do I have to remember that I used a relative
path when I created the entry and use that in the restorecon command?
So I guess ultimately the question is, wouldn't it be better for semanage to require