It seems that restorecon needs to be handled in the targeted policy in the same way as udev.

I've just been working on setting up kickstart installs for FC4T1 machines with strict policy. I use lokkit in the kickstart %post to convert it to strict policy before the first boot. When it boots up, the rc.sysinit calls to restorecon fail if unlimitedRC is not defined (i.e. a more strict than default config of the strict policy).

We probably don't need to actually define types for this, just adding appropriate typealias rules should do as long as the .fc file is there.

The same applies to fsadm and mount. It will also apply to anything else that can be run before all file systems are mounted.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page