On Tue, 2010-06-29 at 00:35 +0100, Mr Dash Four wrote:
>>>> Is that a necessary thing to do after installing a new module? My
>>>> understanding is that relabelling only corrects the SELinux file
>>>> attributes on every file on the system, so why would I need to do the
>>>> relabelling when I have just installed a new policy?
>>>>
>>>> Also, if my assumption is correct then why would I need to have a
>>>> running SELinux to do that? It is a great inconvenience and a real pain
>>>> for scenarios I described in my previous posts!
>>>>
>>> Good points. I think you might indeed be able to run restorecon or
>>> fixfiles/setfiles in %post, but I am not sure.
>>>
>>> I would suggest you try it.
>>>
>>> Otherwise wait a day when the professionals can reply to your query.
>>>
>>
>> restorecon exits immediately if SELinux is disabled, so you cannot use
>> it to label a tree on a non-SELinux build host. Dan wanted it that way
>> so that he could unconditionally invoke it from scripts and not have it
>> do anything if SELinux was disabled.
>>
>> setfiles however does support labeling even on a non-SELinux host. As
>> well as labeling an image that is being built with a "foreign" (i.e.
>> different from host) policy on a SELinux host, although you have to run
>> it in setfiles_mac_t for that purpose, as the livecd-creator does.
>>
> Actually, I did execute restorecon on a non-SELinux running image (see
> previous posts on this very thread) and it worked pretty damn well!
> It works without me doing anything in particular - just executing
> restorecon and semodule in the %post section of the kickstart file - no
> problem!
rpm -q -f `which restorecon`
grep selinuxfs /proc/filesystems
restorecon checks is_selinux_enabled() and bails if it is not
successful. Just tested it again on F13, and it has been true for a
very long time.
--
Stephen Smalley
National Security Agency
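The practical consequence of the thread is a build-script decision: restorecon is only usable when is_selinux_enabled() succeeds on the host, while setfiles can label a tree from an explicit file_contexts file and an alternate root regardless of the host's SELinux state. The script below is an added example written for this page, not code from the thread or from livecd-creator. It assumes a targeted-policy file_contexts path inside the image, uses /mnt/img as a sample image root, and is a dry run that prints the command it would use rather than executing it.

```shell
#!/bin/sh
# Added example (not from the thread): choose a labeling tool that works whether
# or not the build host has SELinux enabled. restorecon bails when
# is_selinux_enabled() fails, so on a non-SELinux host the image tree is labeled
# with setfiles, an explicit file_contexts and an alternate root (-r).
# The targeted policy path and the /mnt/img root are assumptions; label_tree is
# a dry run that prints the command instead of running it.

# Exit 0 when the running kernel has SELinux enabled. Prefers selinuxenabled(8),
# which wraps is_selinux_enabled(); otherwise checks that the kernel advertises
# selinuxfs (the grep from the thread) and that selinuxfs is actually mounted.
selinux_enabled() {
    if command -v selinuxenabled >/dev/null 2>&1; then
        selinuxenabled
        return
    fi
    grep -q selinuxfs /proc/filesystems 2>/dev/null || return 1
    [ -e /sys/fs/selinux/enforce ] || [ -e /selinux/enforce ]
}

# Build the labeling command for ROOT. ENABLED is yes/no so the decision can be
# exercised without touching the host; FC is the image's file_contexts file.
labeling_command() {
    enabled=$1
    root=$2
    fc=$3
    if [ "$enabled" = yes ]; then
        # restorecon takes the spec file from the host's loaded policy, so this
        # only makes sense when the image uses the same policy as the host.
        echo "restorecon -R $root"
    else
        # setfiles -r treats ROOT as the alternate root and is told the spec
        # file explicitly, so it does not depend on the host's SELinux state.
        echo "setfiles -r $root $fc $root"
    fi
}

# Dry run: report which command would label the tree at ROOT (default /).
label_tree() {
    root=${1:-/}
    fc=${2:-${root%/}/etc/selinux/targeted/contexts/files/file_contexts}
    if selinux_enabled; then state=yes; else state=no; fi
    echo "SELinux enabled on host: $state"
    echo "would run: $(labeling_command "$state" "$root" "$fc")"
}

label_tree /mnt/img
```

The one case this does not cover is the one Stephen names last: an image built with a policy different from the host's on an SELinux host, where the setfiles invocation additionally has to run in setfiles_mac_t, as livecd-creator arranges.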