On Wed, 2007-11-07 at 09:43 -0500, Gene Heskett wrote:
> Greetings;
>
> I got bit pretty hard last night after installing 2.6.24-rc2, and it took
> about an hour to relabel the whole system.
>
> That was ok, and the logs are quieter now, but when it came time to run
> amanda, the relabel had apparently changed the ctime of everything on the
> system, so amanda tried to do all incrementals at level 0, and failed of
> course because the vtape was only 1/4 the size of the system.
>
> That flushed, and a couple more runs and it will be back to normal, but it
> seems to me that there should be an option to preserve ctimes when
> relabeling.
>
> Is that even possible?

Not if it actually set the label (extended attribute of the inode) -
that always updates the ctime.

The question though is why did a relabel occur in the first place, and
why were all the labels set? Normally, restorecon / setfiles only sets
a file label if it does not match the file contexts configuration,
although if run with -F, it will unconditionally set it.

    ls -lc /path/to/somefile
    restorecon -v /path/to/somefile
    ls -lc /path/to/somefile

should show no change in ctime if the file was already correctly
labeled.

However, restorecon -Fv ./foo would force setting of the label, and thus
update the ctime.

--
Stephen Smalley
National Security Agency
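
Added example, not part of the original message: a shell helper that automates the before/after ctime check described above and measures how many regular files (and bytes) under a tree have a ctime newer than a reference file, which is what a ctime-driven incremental backup would pick up again after a relabel. The function names and the stamp file are assumptions made for illustration; it relies on GNU stat and GNU find.

```shell
#!/bin/sh
# Added illustration; function names and sample paths are hypothetical.

# ctime_of FILE
# Print the inode change time (ctime) with sub-second precision.
ctime_of() {
    stat -c '%z' -- "$1"
}

# ctime_changed_by FILE CMD [ARGS...]
# Run CMD and report whether it moved FILE's ctime.
# Returns 0 if ctime changed, 1 if it did not, 2 if FILE cannot be stat'ed.
# Typical use, with the commands from the message above:
#   ctime_changed_by /path/to/somefile restorecon -v  /path/to/somefile
#   ctime_changed_by /path/to/somefile restorecon -Fv /path/to/somefile
ctime_changed_by() {
    _f=$1
    shift
    _before=$(ctime_of "$_f") || return 2
    "$@" >/dev/null 2>&1
    _after=$(ctime_of "$_f") || return 2
    [ "$_before" != "$_after" ]
}

# changed_since STAMP DIR
# Print "<count> <bytes>" for regular files under DIR (same filesystem only)
# whose ctime is newer than STAMP's mtime. STAMP is a file touched at the
# reference moment, for example just before a relabel or just after the
# last successful backup run.
changed_since() {
    find "$2" -xdev -type f -cnewer "$1" -printf '%s\n' |
        awk '{ n++; bytes += $1 } END { printf "%d %d\n", n, bytes }'
}
```

Touching a stamp file before a relabel and running changed_since afterwards gives the volume an incremental would have to absorb, which can be compared against the available tape or vtape size before the backup starts.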