Hello,

I'm trying to address a known "issue" where SELinux context of files in SELinux store gets changed on policy rebuild. This triggers some system verification tools and unnecessarily raises concerns in users.

I created a patch using getfilecon and setfscreatecon, but am not sure if this is the best approach since it will not fix a context that has already been changed. Also, any files created as a result of execve need to be addressed separately (e.g. file_contexts.bin), maybe using selabel_lookup to get the proper label since that way sefcontext_compile does not need to know the path to the SELinux store (only to sandbox). I considered relabeling the whole sandbox before semanage_commit_sandbox, but that seems wasteful.

Then there is a related issue where the rebuild is performed as a non-root user, causing files in the policy store to change ownership.

# capsh --user=testuser --caps="cap_dac_override+eip cap_setpcap+ep" --addamb=cap_dac_override -- -c "semodule -B"

This can actually cause issues in some scenarios (e.g. remote login failing). Addressing this seems to require more drastic measures. My attempts to use "chown" failed, even with the CAP_CHOWN capability, and using seteuid/setegid does not seem safe.

Any suggestions would be appreciated.

Thank you.

Vit