restorecond

Paul Howarth paul at city-fan.org
Tue Jul 18 13:32:27 UTC 2006


Just came across restorecond and noticed a few things:

policycoreutils doesn't do "chkconfig --add restorecond" in %post, nor 
"chkconfig --del restorecond" in %preun (if the package is about to be 
deleted). If it did this, restorecond would be enabled by default, which 
is probably not what was wanted, but if the initscript were changed to have:

# chkconfig:    - 10 90
instead of:
# chkconfig:    2345 10 90

then the service would not be enabled by default and could safely be 
"chkconfig --add"-ed. It would then show up properly in the output of 
"chkconfig --list".



Is the config file /etc/selinux/restorecond.conf (as per the contents of 
the policycoreutils package and the string in the binary of 
restorecond), or /etc/selinux/POLICYTYPE/restorconfiles.conf (as per the 
manpage)?


Why does the restorecond service sometimes take so long to start up? 
Well, it took a minute or so on one machine I have, and started almost 
immediately on another, slower machine. I suspect that the answer may be 
something to do with the fact that the fast machine has NFS-mounted home 
directories and it tried accessing ~/public_html for all of them, which 
resulted in lots of these:

type=AVC msg=audit(1153227661.751:51137): avc:  denied  { create } for pid=17967 comm="restorecond" scontext=user_u:system_r:restorecond_t:s0 tcontext=user_u:system_r:restorecond_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1153227661.751:51137): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfc93224 a2=d47ff4 a3=999c378 items=0 pid=17967 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="restorecond" exe="/usr/sbin/restorecond"
type=SOCKETCALL msg=audit(1153227661.751:51137): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1153227661.751:51138): avc:  denied  { create } for pid=17967 comm="restorecond" scontext=user_u:system_r:restorecond_t:s0 tcontext=user_u:system_r:restorecond_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1153227661.751:51138): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfc9336c a2=3bf0a8 a3=999c378 items=0 pid=17967 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="restorecond" exe="/usr/sbin/restorecond"

Removing the home directory references from 
/etc/selinux/restorecond.conf certainly made it faster.

Paul.
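The AVC records quoted in the post are the kind of thing a defender wants to summarise before deciding whether a denial is a policy gap or, as here, a daemon touching paths it has no business in (NFS home directories, which triggered the socket creates). The following is an added example, not code from the post or from policycoreutils: it parses audit lines in the format shown into records, groups the AVC, SYSCALL and SOCKETCALL records that share one audit serial into an event, and counts denials by the (comm, scontext, tcontext, tclass, permission) key, which is the same key audit2allow would turn into an allow rule. The sample input is the post's two events rejoined onto one line per record; the function names are my own.

```python
"""Summarise SELinux AVC denials from audit log lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample: the two events quoted in the post, one audit record
# per line (the mail client had wrapped them).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1153227661.751:51137): avc:  denied  { create } for pid=17967 comm="restorecond" scontext=user_u:system_r:restorecond_t:s0 tcontext=user_u:system_r:restorecond_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1153227661.751:51137): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfc93224 a2=d47ff4 a3=999c378 items=0 pid=17967 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="restorecond" exe="/usr/sbin/restorecond"
type=SOCKETCALL msg=audit(1153227661.751:51137): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1153227661.751:51138): avc:  denied  { create } for pid=17967 comm="restorecond" scontext=user_u:system_r:restorecond_t:s0 tcontext=user_u:system_r:restorecond_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1153227661.751:51138): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfc9336c a2=3bf0a8 a3=999c378 items=0 pid=17967 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="restorecond" exe="/usr/sbin/restorecond"
"""

# Every audit record starts with type=... msg=audit(timestamp:serial):
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# AVC body: avc:  denied  { perm perm ... } for key=value ...
AVC_RE = re.compile(
    r'^avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm="restorecond")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text):
    """Parse audit lines into dicts with type, ts, serial and the key=value
    fields; AVC records additionally carry verdict and the permission list."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, syslog noise, ...)
        rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
        body = m["body"]
        if rec["type"] == "AVC":
            a = AVC_RE.match(body)
            if not a:
                continue  # malformed AVC line; skip rather than guess
            rec["verdict"] = a["verdict"]
            rec["perms"] = a["perms"].split()
            body = a["fields"]
        rec.update(parse_kv(body))
        records.append(rec)
    return records


def group_by_event(records):
    """AVC, SYSCALL and SOCKETCALL records of one event share a serial."""
    events = defaultdict(list)
    for r in records:
        events[r["serial"]].append(r)
    return events


def summarize_denials(records):
    """Count denials by (comm, scontext, tcontext, tclass, permission)."""
    counts = Counter()
    for r in records:
        if r["type"] == "AVC" and r["verdict"] == "denied":
            for perm in r["perms"]:
                key = (r.get("comm"), r.get("scontext"), r.get("tcontext"),
                       r.get("tclass"), perm)
                counts[key] += 1
    return counts


def denied_syscalls(records):
    """For each event with a denial, return (syscall number, exit code) from
    its SYSCALL record; exit=-13 is EACCES, i.e. the denial was enforced."""
    out = {}
    for serial, recs in group_by_event(records).items():
        if any(r["type"] == "AVC" and r["verdict"] == "denied" for r in recs):
            sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
            out[serial] = (sc.get("syscall"), int(sc["exit"])) if sc else None
    return out


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for (comm, sctx, tctx, tclass, perm), n in sorted(summarize_denials(recs).items()):
        print(f"{n:4d}  {comm:<12} {sctx} -> {tctx} {tclass}:{perm}")
    for serial, info in sorted(denied_syscalls(recs).items()):
        if info:
            print(f"event {serial}: syscall={info[0]} exit={info[1]}")
        else:
            print(f"event {serial}: no SYSCALL record")
```

Run against the sample it prints one line per denial key (here two: netlink_route_socket and tcp_socket, both `create`, both from restorecond_t to itself) and the exit code of the enforced syscall for each event; point it at `ausearch -m AVC,SYSCALL,SOCKETCALL` output or /var/log/audit/audit.log for real data. Denials whose source and target are the same daemon domain, as in the post, usually point at the daemon doing unexpected work rather than at a missing label.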




More information about the fedora-selinux-list mailing list