I had an experience yesterday which has given me pause for thought. I was working with Dan Walsh to get the policy correct to run the X after the xorg-x11-* update which renamed a lot of things including /usr/X11R6/bin/XFree86 -> /usr/X11R6/bin/Xorg. After installing the updated packages (which should be in development/rawhide later today), he informed me I needed to run the following: restorecon /usr/bin/X11/Xorg restorecon /var/log/Xorg* and I dutifully did that. Then I tried to do "telinit 5" with enforcing=1 again and, again, the X server startup failed. After some looking around I came to realize the following: The path specified makes a difference. The full path specified in policy is /usr/X11R6/bin/Xorg where I was using /usr/bin/X11/Xorg. The result of restorecon /usr/bin/X11/Xorg is -rws--x--x+ root root system_u:object_r:bin_t \ /usr/bin/X11/Xorg whereas the result of running restorecon /usr/X11R6/Xorg is -rws--x--x+ root root system_u:object_r:xserver_exec_t /usr/bin/X11/Xorg OK, besides sending this message to give folks some warning when they install the new xor-x11-* and the new policy (1.11.2-3 or later) is that I do not complete understand what is done when I do a system wide relabel. What make -C /etc/security/selinux/src/policy/ relabel appears to do is to go through the all mounted filesystems and set the attributes depending on the rules it has. The question is, does it follow symbolic links or not. If it does not, then there should not be a problem as long as all of the policy rules always use the actual (non-symbolic-link) path AND make sure we do also if we do something manually. However, I can see a problem occurring if it does follow symbolic links because the process likely occurs in sorted order. Now /tmp is clears (or so it says and, I hope, that means /var/tmp/ also), so I should not be able to rename /usr/X11R6/bin/Xorg. However, what if I had a symbolic link from my home directory to something in /etc. Would that get mislabeled? Gene