On Wed, 2007-11-07 at 09:43 -0500, Gene Heskett wrote: > Greetings; > > I got bit pretty hard last night after installing 2.6.24-rc2, and it took > about an hour to relabel the whole system. > > That was ok, and the logs are quieter now, but when it came time to run > amanda, the relabel had apparently changed the ctime of everything on the > system, so amanda tried to do all incrementals at level 0, and failed of > course because the vtape was only 1/4 the size of the system. > > That flushed, and a couple more runs and it will be back to normal, but it > seems to me that there should be an option to preserve ctimes when > relabeling. > > Is that even possible? Not if it actually set the label (extended attribute of the inode) - that always updates the ctime. The question though is why did a relabel occur in the first place, and why were all the labels set? Normally, restorecon / setfiles only sets a file label if it does not match the file contexts configuration, although if run with -F, it will unconditionally set it. ls -lc /path/to/somefile restorecon -v /path/to/somefile ls -lc /path/to/somefile should show no change in ctime if the file was already correctly labeled. However, restorecon -Fv ./foo would force setting of the label, and thus update the ctime. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
