>>> Is that a necessary thing to do after installing a new module? My >>> understanding is that relabelling only corrects the SELinux file >>> attributes on every file on the system, so why would I need to do the >>> relabelling when I have just installed a new policy? >>> >>> Also, if my assumption is correct then why would I need to have a >>> running SELinux to do that? It is a great inconvenience and a real pain >>> for scenarios I described in my previous posts! >>> >> Good points. i think you might indeed be able to run restorecon or >> fixfiles/setfiles in %post, but i am not sure. >> >> I would suggest you try it. >> >> Otherwise wait a day when the professionals can reply to your query. >> > > restorecon exits immediately if SELinux is disabled, so you cannot use > it to label a tree on a non-SELinux build host. Dan wanted it that way > so that he could unconditionally invoke it from scripts and not have it > do anything if SELinux was disabled. > > setfiles however does support labeling even on a non-SELinux host. As > well as labeling an image that is being built with a "foreign" (i.e. > different from host) policy on a SELinux host, although you have to run > it in setfiles_mac_t for that purpose, as the livecd-creator does. > Actually, I did execute restorecon on a non-SELinux running image (see previous posts on this very thread) and it worked pretty damn well! It works without me doing anything in particular - just executing restorecon and semodule in the %post section of the kickstart file - no problem! -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
