On Tue, 2010-06-29 at 00:35 +0100, Mr Dash Four wrote:
> >>> Is that a necessary thing to do after installing a new module? My
> >>> understanding is that relabelling only corrects the SELinux file
> >>> attributes on every file on the system, so why would I need to do the
> >>> relabelling when I have just installed a new policy?
> >>>
> >>> Also, if my assumption is correct then why would I need to have a
> >>> running SELinux to do that? It is a great inconvenience and a real pain
> >>> for scenarios I described in my previous posts!
> >>>
> >> Good points. i think you might indeed be able to run restorecon or
> >> fixfiles/setfiles in %post, but i am not sure.
> >>
> >> I would suggest you try it.
> >>
> >> Otherwise wait a day when the professionals can reply to your query.
> >>
> >
> > restorecon exits immediately if SELinux is disabled, so you cannot use
> > it to label a tree on a non-SELinux build host. Dan wanted it that way
> > so that he could unconditionally invoke it from scripts and not have it
> > do anything if SELinux was disabled.
> >
> > setfiles however does support labeling even on a non-SELinux host. As
> > well as labeling an image that is being built with a "foreign" (i.e.
> > different from host) policy on a SELinux host, although you have to run
> > it in setfiles_mac_t for that purpose, as the livecd-creator does.
> >
> Actually, I did execute restorecon on a non-SELinux running image (see
> previous posts on this very thread) and it worked pretty damn well!
>
> It works without me doing anything in particular - just executing
> restorecon and semodule in the %post section of the kickstart file - no
> problem!

rpm -q -f `which restorecon`
grep selinuxfs /proc/filesystems

restorecon checks is_selinux_enabled() and bails if it is not successful.
Just tested it again on F13, and it has been true for a very long time.

-- 
Stephen Smalley
National Security Agency
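
Added example, not part of the original message and not code from the SELinux project: a guard for a %post or image-build script that uses the grep diagnostic from the reply above to decide between restorecon and setfiles, so that a labeling step cannot pass without labeling anything. RUN, FILESYSTEMS and FILE_CONTEXTS are hypothetical override variables introduced here, and the default file_contexts path assumes the targeted policy.

```shell
#!/bin/sh
# Added example. RUN, FILESYSTEMS and FILE_CONTEXTS are hypothetical
# override variables used for dry runs and testing.

# True if the kernel lists selinuxfs: the same check as the
# "grep selinuxfs /proc/filesystems" diagnostic in the message. This only
# approximates libselinux's is_selinux_enabled(), which may check more.
selinuxfs_registered() {
    grep -qw selinuxfs "${FILESYSTEMS:-/proc/filesystems}" 2>/dev/null
}

# Label the given paths. With selinuxfs present, restorecon does the work.
# Without it, restorecon would return without labeling anything, so call
# setfiles with an explicit file_contexts spec, or fail loudly if that
# spec file is not available either.
label_tree() {
    # Assumption: targeted policy; override FILE_CONTEXTS for another policy.
    fc=${FILE_CONTEXTS:-/etc/selinux/targeted/contexts/files/file_contexts}
    if selinuxfs_registered; then
        ${RUN:-} restorecon -R "$@"
    elif [ -r "$fc" ]; then
        echo "selinuxfs not registered; using setfiles with $fc" >&2
        ${RUN:-} setfiles "$fc" "$@"
    else
        echo "cannot label $*: no selinuxfs and no readable $fc" >&2
        return 1
    fi
}
```

Setting RUN=echo prints the command that would be run instead of executing it.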