Hi,
Once in a while I find mislabeled files on the file system. Since I never touched them, I assume it is due to the policy change. What is the best practice, shall I relabel the system every time selinux-policy-targeted is updated?
For example:
# restorecon -vR /usr/
restorecon reset /usr/libexec/sesh context system_u:object_r:bin_t:s0->system_u:object_r:shell_exec_t:s0
# restorecon -vR /var
restorecon reset /var/lib/rsyslog context system_u:object_r:var_lib_t:s0->system_u:object_r:syslogd_var_lib_t:s0
Regards, Vadym
On 07/31/2012 07:34 AM, Vadym Chepkov wrote:
> Hi,
> Once in a while I find mislabeled files on the file system. Since I never touched them, I assume it is due to the policy change. What is the best practice, shall I relabel the system every time selinux-policy-targeted is updated?
> For example:
> # restorecon -vR /usr/
> restorecon reset /usr/libexec/sesh context system_u:object_r:bin_t:s0->system_u:object_r:shell_exec_t:s0
> # restorecon -vR /var
> restorecon reset /var/lib/rsyslog context system_u:object_r:var_lib_t:s0->system_u:object_r:syslogd_var_lib_t:s0
> Regards, Vadym
You could do that, but I am not sure this is caused by selinux-policy updates. A selinux-policy update attempts to fix labels after an update on any file context that changed between the previous policy and the new policy.
Files getting mislabeled is usually either human error, or a bug in an application like an init script that recreates a file or directory but does not run restorecon itself. Human mistakes could be caused by running an application directly rather than from an init script. For example, if you ran syslogd directly it would run as unconfined_t and then it could have created /var/lib/rsyslog with the wrong label.
http://danwalsh.livejournal.com/23944.html
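
One way to review label drift before changing anything, as an added example that is not part of the original thread: it summarises dry-run `restorecon -nvR` output by old and new type, assuming the output line format quoted in the thread. The function names and the third sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: group dry-run relabel lines by "old type -> new type" so the
# drift can be reviewed (policy change vs. a file created by an unconfined run).
# Live use on an SELinux host (-n reports only, no labels are changed):
#   restorecon -nvR /usr /var 2>&1 | summarize_relabels

summarize_relabels() {
    # Reads restorecon -v output on stdin; prints: count <TAB> old -> new <TAB> first path
    awk '
    /^restorecon reset .* context [^ ]+->[^ ]+$/ {
        ctx = $NF                            # last field is "old->new"
        path = $0
        sub(/^restorecon reset /, "", path)
        sub(/ context [^ ]+$/, "", path)     # keeps paths that contain spaces
        split(ctx, pair, "->")
        split(pair[1], o, ":")               # user:role:type:level
        split(pair[2], n, ":")
        key = o[3] " -> " n[3]
        count[key]++
        if (!(key in first)) first[key] = path
    }
    END {
        for (k in count) printf "%d\t%s\t%s\n", count[k], k, first[k]
    }' | sort -t "$(printf '\t')" -k2
}

sample_output() {
    # First two lines are from the thread; the third is constructed.
    cat <<'EOF'
restorecon reset /usr/libexec/sesh context system_u:object_r:bin_t:s0->system_u:object_r:shell_exec_t:s0
restorecon reset /var/lib/rsyslog context system_u:object_r:var_lib_t:s0->system_u:object_r:syslogd_var_lib_t:s0
restorecon reset /var/lib/rsyslog/state file context system_u:object_r:var_lib_t:s0->system_u:object_r:syslogd_var_lib_t:s0
EOF
}

sample_output | summarize_relabels
```

Several paths under one directory sharing the same generic old type (here `var_lib_t`) is the pattern the reply describes: a directory recreated outside its confined domain.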