the labeling procedure

Stephen Smalley sds at tycho.nsa.gov
Mon Jun 27 16:09:06 UTC 2005


On Mon, 2005-06-27 at 12:00 -0400, Steve Brueckner wrote:
> When I run #make relabel, /home gets labeled as default_t.  However, when I
> run #/sbin/restorecon /home, /home gets labeled as home_root_t.  This
> confuses me, since according to the O'Reilly book both commands refer to
> /src/policy/file_contexts/file_contexts.  Where else might /sbin/restorecon
> be getting its information from?

restorecon doesn't rely on having policy sources
(selinux-policy-targeted-sources) installed.  It uses the installed
file_contexts configuration created by the policy
(selinux-policy-targeted) package.  That lives
under /etc/selinux/targeted/contexts/files.

make relabel is run from the policy sources directory, and thus works
from the policy sources.  But fixfiles and restorecon are what you would
typically use on a production system, and they operate on the installed
file.  A make install in the policy sources directory should overwrite
the installed file with the one built from the sources directory, but it
sounds like you shouldn't do that at present, as it sounds as though
there is something wrong with your policy sources (or possibly the
associated build tools, e.g. genhomedircon from policycoreutils).

> I also notice that my context/files/file_contexts file is stale.  Doing
> #make relabel or #make reload doesn't update it.  Does this file ever get
> referenced anyway, since all the relabeling utilities seem to use
> /src/policy/file_contexts/file_contexts instead?  If it does get used, who
> uses it?  And how can I be sure it gets updated to match
> src/policy/file_contexts/file_contexts?

SELinux utilities don't rely on having the policy sources available, as
you likely don't want them on production systems.  make relabel is
really only for developers, and hardly used at all anymore (it predates
having fixfiles and restorecon).

-- 
Stephen Smalley
National Security Agency
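
The mismatch described in this thread, as an added example that is not part of the original message: a simplified model of file_contexts matching, run against two constructed files. The entries are constructed samples, and the missing /home line in the source-built file is an assumption about what a genhomedircon failure could produce.

```python
import re

# Constructed sample: file_contexts built from the policy sources
# (assumption: the genhomedircon-generated /home entry never got added).
SOURCES_FC = """\
/.*         system_u:object_r:default_t
/etc(/.*)?  system_u:object_r:etc_t
"""
# Constructed sample: /etc/selinux/targeted/contexts/files/file_contexts
INSTALLED_FC = SOURCES_FC + """\
/home   -d  system_u:object_r:home_root_t
"""

FILE_TYPES = {"--", "-d", "-l", "-b", "-c", "-p", "-s"}
META = set(".^$?*+|[({\\")


def parse(text):
    """Parse 'regex [type] context' lines into an ordered spec list."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) not in (2, 3) or (len(fields) == 3 and fields[1] not in FILE_TYPES):
            raise ValueError(f"malformed file_contexts line: {line!r}")
        ftype = fields[1] if len(fields) == 3 else None
        has_meta = any(c in META for c in fields[0])
        specs.append((re.compile(fields[0]), ftype, fields[-1], has_meta))
    # Simplified libselinux ordering: exact paths are moved after regex
    # entries (stable sort), and lookup() scans from the end.
    return sorted(specs, key=lambda s: not s[3])


def lookup(specs, path, ftype="-d"):
    """Return the context of the last matching spec, or None."""
    for regex, want, context, _ in reversed(specs):
        if regex.fullmatch(path) and want in (None, ftype):
            return None if context == "<<none>>" else context
    return None


def compare(path, ftype="-d"):
    """Labels for path from (source-built file, installed file)."""
    return tuple(lookup(parse(fc), path, ftype) for fc in (SOURCES_FC, INSTALLED_FC))


if __name__ == "__main__":
    print(compare("/home"))
```

On a live system, `matchpathcon /home` reports what the installed file_contexts assigns to the path.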