From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 04 Feb 2011 08:55:04 -0500
Subject: [refpolicy] Two issues with restorecon
In-Reply-To:
References:
Message-ID: <4D4C0538.3030904@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/04/2011 08:14 AM, David Härdeman wrote:
> Two related issues I just discovered with restorecon (sorry, I'm not close
> to my private laptop so I can't provide patches):
>
> 1) When running "restorecon -r /", restorecon (setfiles) wants to write an
> audit message that the whole fs is being relabeled (only happens when doing
> it on /), but the refpolicy doesn't seem to give setfiles_t access to write
> audit messages which I guess it should.
>
> 2) When running "restorecon -r -n /", restorecon (setfiles) wants to write
> the same audit message as above - which would be misleading since it's not
> actually changing any labels.
>

Could you open two bugzillas? The first one would be a policy issue. The
second would be a policycoreutils issue.

There is a rule in MLS/LSPP that says a full relabel requires an audit
message, which is why setfiles/restorecon sends an audit message on
restorecon -R -v /