restorecon and targeted policy

Russell Coker russell at coker.com.au
Mon Apr 4 15:09:06 UTC 2005


It seems that restorecon needs to be handled in the targeted policy in the 
same way as udev.

I've just been working on setting up kickstart installs for FC4T1 machines 
with strict policy.  I use lokkit in the kickstart %post to convert it to 
strict policy before the first boot.  When it boots up, the rc.sysinit calls 
to restorecon fail if unlimitedRC is not defined (i.e. a more strict than 
default config of the strict policy).

We probably don't need to actually define types for this, just adding 
appropriate typealias rules should do as long as the .fc file is there.

The same applies to fsadm and mount.  It will also apply to anything else that 
can be run before all file systems are mounted.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




More information about the fedora-selinux-list mailing list