Linux Archive - relabel after policy update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/31/2012 07:34 AM, Vadym Chepkov wrote:
> Hi,
>
> Once n a while I find mislabeled files on the file system. Since I never
> touched them, I assume it is due to the policy change. What is the best
> practice, shall I relabel the system every time selinux-policy-targeted is
> updated?
>
> For example:
>
> # restorecon -vR /usr/ restorecon reset /usr/libexec/sesh context
> system_u:object_r:bin_t:s0->system_u:object_r:shell_exec_t:s0
>
> # restorecon -vR /var restorecon reset /var/lib/rsyslog context
> system_u:object_r:var_lib_t:s0->system_u:object_r:syslogd_var_lib_t:s0
>
> Regards, Vadym
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
You could do that, but I am not sure this is caused by selinux-policy updates.
selinux-policy updated attempts to fix labels after an update on any file
context that changed between the previous policy and the new policy.

Files getting mislabeled is usually either Human Error, or a bug in an
application like an init script that recreates a file or directory but does
not run restorecon itself. Human mistakes could be caused by running an
application directly rather then from an init script. For example if you ran
syslogd directly it would run as unconfined_t and when it could have created
/var/lib/rsyslog with the wrong label.

http://danwalsh.livejournal.com/23944.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAX4zEACgkQrlYvE4MpobPR1ACgqX5fpLn25X FAimOzpd6rXLkM
PR8AnjmkltUc0s62Ecsa/uYYJVEVBwV8
=ajCa
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux