Hi folks, This is more of a curiosity question, and I haven’t found any answer yet. If I receive an AVC and sealert tells me to chcon –R –t something_log_t ‘./logs’ with a subsequent semanage then it goes into file_context.local exactly how I entered it. Cool, I would expect that. But it got me thinking about setfiles/restorecon, and what if I have another directory named logs that requires relabelling? For example, let’s say that today I find incorrect labelling on /somedir/logs and so I fix it with chcon/semanage. Then next year, I add a new application and it has /anotherdir/logs that is incorrectly labelled. SELinux is going to complain about ./logs again, so I may just cd into /anotherdir and do my chcon/semanage with another_log_t label to this ./logs. That would change the old label, I would think (unless I’m relabelling to the same label), and so now restorecon ./logs will apply the new label to whichever directory I would have to fix. Also, say I actually think about that beforehand and decide to use a full path in my restorecon command -- restorecon –v /somedir/logs -- will it be smart enough to know which logs entry in file_context.local I mean, or do I have to remember that I used a relative path when I created the entry and use that in the restorecon command? So I guess ultimately the question is, wouldn’t it be better for semanage to require full paths? Matt Shade
|
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
