>> Actually, I did execute restorecon on a non-SELinux running image (see
>> previous posts on this very thread) and it worked pretty damn well!
>>
>> It works without me doing anything in particular - just executing
>> restorecon and semodule in the %post section of the kickstart file - no
>> problem!
>>
>
> rpm -q -f `which restorecon`
> grep selinuxfs /proc/filesystems
>
> restorecon checks is_selinux_enabled() and bails if it is not
> successful. Just tested it again on F13, and it has been true for a
> very long time

Let me make sure we are on the same page - the SELinux on the system I am running to build the image is enabled (in enforced mode) and running the targeted policy.

The commands I am executing (semodule, semanage, restorecon etc.) are run in the %post section of my kickstart file (the file which is executed and used to build that image) - these commands are basically executed in a chroot-ed environment (on the image file) just after it has been created and all software, including SELinux + targeted policy, is installed (the SELinux there is enabled and ready for using the targeted policy, but it is NOT running as nothing is loaded - it is just an image with about 200+MB worth of files in it).

All of the above SELinux commands run successfully without any problem whatsoever. I have verified that and I am 100% certain they are doing the job they are supposed to be doing on the image file (with the 'dead' SELinux system).

So, if you are thinking that is not possible, you are quite simply wrong, because it is clear to me that is not the case - I saw this with my own eyes!