On Thu, 2007-10-25 at 09:11 -0700, Steve G wrote:
> Hi,
>
> I was testing the new policy writing GUI in rawhide, and removed a
> policy module. Prelink ran while I was working on a better policy
> module and gave me a bunch of AVCs since the binaries are now
> considered unlabeled_t. I was thinking that semodule should be able to
> get to the file regexes that describe the files that the policy
> module was responsible for. So why doesn't it save those regexes and
> use them to do a restorecon after the module is removed? It might not
> get all the files that are mislabeled due to the policy module being
> removed, but it would be much better than doing nothing.

Well, at present, semodule / libsemanage never causes anything to be relabeled automatically - you install a policy module via semodule -i and then install or restorecon the files, you add local file contexts via semanage and then install or restorecon the files, etc.

So what you seem to be after is fully integrated policy changes with relabeling, including not only module removal but also module install, local file context addition or removal, etc. Ideally of course the files would be relabeled or removed _before_ the policy module was fully removed, so that they never exist in an unlabeled state at all.

--
Stephen Smalley
National Security Agency
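The idea raised in the quoted question (keep a module's file-context regexes and turn them into restorecon targets to run once the module is gone) can be sketched as follows. This is an added example, not code from the thread and not something semodule or libsemanage does; the module name `myapp`, its paths and the helper names are constructed for illustration.

```python
import posixpath
import shlex

# Constructed sample of a module's .fc file (hypothetical module "myapp").
SAMPLE_FC = r"""
# myapp file contexts
/usr/sbin/myappd             --  gen_context(system_u:object_r:myapp_exec_t,s0)
/var/lib/myapp(/.*)?             gen_context(system_u:object_r:myapp_var_lib_t,s0)
/var/lib/myapp/cache/.*\.db  --  gen_context(system_u:object_r:myapp_cache_t,s0)
/var/log/myapp\.log.*        --  gen_context(system_u:object_r:myapp_log_t,s0)
/etc/myapp/[^/]*\.conf       --  gen_context(system_u:object_r:myapp_etc_t,s0)
"""
META = ".^$?*+|[({)"

def literal_prefix(regex):
    """Split regex into (leading literal text, unparsed remainder)."""
    out, i = [], 0
    while i < len(regex):
        c = regex[i]
        if c == "\\" and i + 1 < len(regex) and not regex[i + 1].isalnum():
            out.append(regex[i + 1])      # escaped punctuation is a literal
            i += 2
        elif c in META or c == "\\":
            if c in "?*{" and out:
                out.pop()                 # quantifier makes the last char optional
            break
        else:
            out.append(c)
            i += 1
    return "".join(out), regex[i:]

def relabel_targets(fc_text):
    """Return sorted (path, recursive) pairs covering every regex in fc_text."""
    targets = set()
    for line in fc_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("/"):
            continue                      # comments, blanks, HOME_DIR entries
        prefix, rest = literal_prefix(fields[0])
        if rest == "":
            targets.add((prefix, False))  # exact path
        elif rest == "(/.*)?":
            targets.add((prefix, True))   # directory and everything below it
        else:                             # fall back to the enclosing directory
            targets.add((posixpath.dirname(prefix) or "/", True))
    roots = [p for p, rec in targets if rec]
    def covered(path, rec):               # already reached by another -R root?
        return any((path + "/").startswith(r.rstrip("/") + "/")
                   and (path != r or not rec) for r in roots)
    return sorted(t for t in targets if not covered(*t))

def restorecon_commands(fc_text):
    """Commands to run after `semodule -r` so files pick up the remaining policy's labels."""
    return ["restorecon %s-v %s" % ("-R " if rec else "", shlex.quote(p))
            for p, rec in relabel_targets(fc_text)]
```

The enclosing-directory fallback deliberately over-approximates, so it can relabel neighbouring files that the module never owned; review the generated list before running it.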