On Wed, 2006-02-15 at 10:09 -0500, Stephen Smalley wrote:
> On Wed, 2006-02-15 at 09:50 -0500, Chuck Anderson wrote:
> > Restores from backup. Until our backup utility supports extended
> > attributes, we will have to use restorecon so at least the default
> > labels are set up properly.
>
> In the file restoration case, you are re-creating files under /home, so
> they won't be hard links to system files, and presumably the user isn't
> allowed to login while you are restoring his home directory, so he can't
> create any links during that process.
>
> > Also, assuming we do backup extended attributes, will this problem
> > still exist when restoring them from backup?
>
> You won't have to run restorecon in that case, and the restore utility
> presumably would just set the attributes as it creates each file, so
> likely not. But remember that targeted policy doesn't confine users,
> only specific programs/daemons, so if you are using it, you aren't
> relying on SELinux to counter malicious users at all, so this is no
> different.

By the way, /etc/profile.d/selinux.* already runs restorecon by default
when the user logs in on certain user files and directories to ensure
that they are labeled properly.

--
Stephen Smalley
National Security Agency