On Fri, Apr 30, 2010 at 3:38 PM, Xavier Toth <txtoth(a)gmail.com&gt; wrote: > I'm going to simplify this because a lot of the detail isn't import to > the issue I'm working through. I'm taring some files, one of which > happens to be labeled SystemHigh and the rest SystemLow. An init > script, running SystemLow-SystemHigh, is later run on a different > system which untars the file. tar generates a warning message about > setfilecon failing for the file labeled SystemHigh and I see a > SELINUX_ERR message in the audit log (security_validate_transition: > denied for oldcontext=system_u:object_r:selinux_config_t:s0 > newcontext=system_u:object_r:selinux_config_t:s15:c0-c1023 > taskcontext=system_u:system_r:initrc_t=s0-s15:c0.c1023 tclass=file). I > am using run_init to run test this init script. What I'm confused > about is that there are no AVCs (I did an semnodule -DB just to see if > there were any dontaudits) and why there even is a failure as initrc_t > uses the mls_file_write_all_levels marco. Also does anyone know of a > way to see the contexts stored in the tar file? > > Ted > I see now, initrc_t policy doesn't use mls_file_upgrade but I still don't like the no AVC bit.