These are VERY nice changes, automating what I've been doing manually.
An observation: the package 'install' process has gotten much better with file
contexts.
Any thoughts on automating the assignment of file contexts to the files created by package scripts (e.g., /boot/grub/grub.conf, depmod files, /etc/selinux/config, ...)? Would be nice to have a 'SELinux package description' that describes the package's desired/default contexts. That would allow inspection prior to install, tools to check consistency with installed file_contexts, etc. 'rpm -q --filecontext' is almost it. Any way to add the other stuff to it, or something like it?
tom
[Sorry if this is old hat....]
Dan Walsh wrote:
Setfiles and restorecon have a new qualifier (-o filename) which will record the file paths of any files that the tools find with the incorrect security context. So if you run setfiles -n -v -o /tmp/badfilecontexts, you would have a report and a file with all the paths of files with bad file contexts. If everything looks ok, you could run restorecon -f /tmp/badfilecontexts and clean them up quickly.
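The dry-run/report/fix sequence quoted above, wrapped in a small POSIX shell script. This is an added example, not code from the original posts or from the SELinux tools themselves; it assumes a setfiles that accepts `-n -v -o report spec_file path` and a restorecon that accepts `-f report` (one absolute path per line), and it assumes the targeted policy's file_contexts path. One change from the quoted invocation: since restorecon -f is typically run as root, the report is written under a fresh mode-0700 directory from mktemp rather than at a predictable name in the world-writable /tmp, which another local user could pre-create or point elsewhere. The script also drops report entries whose paths no longer exist, since files can disappear between the dry run and the fix.

```shell
#!/bin/sh
# Added example (not from the original thread): drive the
# "setfiles -n -v -o report" dry run, review the report, then
# "restorecon -f report" to fix only the mislabelled files.
# Assumptions: policycoreutils setfiles/restorecon with -o and -f,
# report format of one absolute path per line, targeted policy paths.
set -eu

# Put the report in a freshly created 0700 directory instead of a fixed
# name in /tmp: restorecon -f will read this file as root, so it must not
# be a file another local user could have planted or symlinked.
new_report_path() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/selinux-report.XXXXXX")
    printf '%s/badfilecontexts\n' "$dir"
}

# Dry run: -n makes no changes, -v prints each mismatch, -o records the
# paths into the report. The spec file path is an assumption (targeted policy).
scan_contexts() {
    report=$1
    setfiles -n -v -o "$report" \
        /etc/selinux/targeted/contexts/files/file_contexts /
}

# Keep only absolute paths that still exist (dangling symlinks included),
# so the list handed to restorecon is clean and contains no relative paths.
filter_report() {
    src=$1
    dst=$2
    : > "$dst"
    while IFS= read -r p; do
        case $p in
            /*)
                if [ -e "$p" ] || [ -L "$p" ]; then
                    printf '%s\n' "$p" >> "$dst"
                fi
                ;;
        esac
    done < "$src"
}

# Number of paths in a report, with wc's padding stripped.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Apply the fix only to the paths in the (reviewed, filtered) report.
fix_contexts() {
    restorecon -v -f "$1"
}

# Only run the real workflow when explicitly asked; functions above can be
# sourced and exercised on their own. APPLY=1 is required to relabel.
if [ "${RUN_SELINUX_FIX:-0}" = 1 ]; then
    report=$(new_report_path)
    scan_contexts "$report"
    filter_report "$report" "$report.filtered"
    echo "$(count_lines "$report.filtered") path(s) to relabel; review $report.filtered"
    if [ "${APPLY:-0}" = 1 ]; then
        fix_contexts "$report.filtered"
    fi
fi
```

Run it as root with `RUN_SELINUX_FIX=1 sh fixcontexts.sh` to produce and inspect the filtered report, and add `APPLY=1` once the list looks right; with neither variable set the script only defines its functions.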