restorecon doesn't rely on having policy sources (selinux-policy-targeted-sources) installed. It uses the installed file_contexts configuration created by the policy (selinux-policy-targeted) package. That lives under /etc/selinux/targeted/contexts/files.
Aha, I think the O'Reilly book is just out of date. Not surprising considering the moving target that is SELinux.
SELinux utilities don't rely on having the policy sources available, as you likely don't want them on production systems. make relabel is really only for developers, and hardly used at all anymore (it predates having fixfiles and restorecon).
Actually I am developing here. My problem is that I have a huge chroot directory (basically a full duplicate of the whole system) and I want to get everything in there labeled as if it was outside chroot. To do this I duplicated file_contexts/types.fc and used sed to prepend the chroot directory to every line. It seems to work pretty well, but I'm still having trouble getting the user home directories inside chroot labeled properly. The homedirs macros and files are apparently throwing me.
I'd appreciate any suggestions on a better way to label the chroot filesystem. And any ideas on how to get those chrooted homedirs labeled correctly.
Stephen Brueckner, ATC-NY
On Mon, 2005-06-27 at 13:35 -0400, Steve Brueckner wrote:
Actually I am developing here. My problem is that I have a huge chroot directory (basically a full duplicate of the whole system) and I want to get everything in there labeled as if it was outside chroot. To do this I duplicated file_contexts/types.fc and used sed to prepend the chroot directory to every line. It seems to work pretty well, but I'm still having trouble getting the user home directories inside chroot labeled properly. The homedirs macros and files are apparently throwing me.
I'd appreciate any suggestions on a better way to label the chroot filesystem. And any ideas on how to get those chrooted homedirs labeled correctly.
If you want to apply the same contexts, you can use setfiles -r. But note that there can be an advantage to using separate types on the chroot'd environment, and then not allowing any access by that process' domain to the base types used on the real filesystem.
Any chance you can update to FC4?
On Mon, 2005-06-27 at 13:35 -0400, Steve Brueckner wrote:
Aha, I think the O'Reilly book is just out of date. Not surprising considering the moving target that is SELinux.
Unfortunately it was somewhat out of date when it was published. It is based on FC2, which has a different architecture than FC3/FC4.
For FC3, the Red Hat SELinux Guide[1] is a fairly good reference choice. Note that it matches FC3 as released, not with updates, so there is a difference for FC3 current.
There is going to be another correlation between FC releases and the RHEL documentation on SELinux, whenever that occurs. :)
- Karsten
[1] http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/