On 03/19/2014 12:29 PM, Shade, Matt (US) wrote: > Hi folks, > > This is more of a curiosity question, and I haven’t found any answer yet. > > > > If I receive an AVC and sealert tells me to > > chcon –R –t something_log_t ‘./logs’ with a subsequent semanage > > then it goes into file_context.local exactly how I entered it. > > > > Cool, I would expect that. But it got me thinking about > setfiles/restorecon, and what if I have another directory named logs > that requires relabelling? > > > > For example, let’s say that today I find incorrect labelling on > /somedir/logs and so I fix it with chcon/semanage. > > Then next year, I add a new application and it has /anotherdir/logs that > is incorrectly labelled. SELinux is going to complain about ./logs > again, so I may just cd into /anotherdir and do my chcon/semanage with > another_log_t label to this ./logs. > > > > That would change the old label, I would think (unless I’m relabelling > to the same label), and so now restorecon ./logs will apply the new > label to whichever directory I would have to fix. > > > > Also, say I actually think about that beforehand and decide to use a > full path in my restorecon command -- restorecon –v /somedir/logs -- > will it be smart enough to know which logs entry in file_context.local I > mean, or do I have to remember that I used a relative path when I > created the entry and use that in the restorecon command? > > > > So I guess ultimately the question is, wouldn’t it be better for > semanage to require full paths? IMHO, that's a bug and should get a bugzilla on policycoreutils or libsemanage - paths in file_contexts* should always be absolute. -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
