/sbin/restorecon and hard links
Stephen Smalley
sds at tycho.nsa.gov
Wed Feb 15 15:16:38 UTC 2006
On Wed, 2006-02-15 at 10:09 -0500, Stephen Smalley wrote:
> On Wed, 2006-02-15 at 09:50 -0500, Chuck Anderson wrote:
> > Restores from backup. Until our backup utility supports extended
> > attributes, we will have to use restorecon so at least the default
> > labels are set up properly.
>
> In the file restoration case, you are re-creating files under /home, so
> they won't be hard links to system files, and presumably the user isn't
> allowed to log in while you are restoring his home directory, so he can't
> create any links during that process.
>
> > Also, assuming we do back up extended attributes, will this problem
> > still exist when restoring them from backup?
>
> You won't have to run restorecon in that case, and the restore utility
> presumably would just set the attributes as it creates each file, so
> likely not. But remember that targeted policy doesn't confine users,
> only specific programs/daemons, so if you are using it, you aren't
> relying on SELinux to counter malicious users at all, so this is no
> different.
By the way, /etc/profile.d/selinux.* already runs restorecon by default
when the user logs in on certain user files and directories to ensure
that they are labeled properly.
--
Stephen Smalley
National Security Agency
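
An added example, not part of the original message and not restorecon's own code: a Python check that lists regular files under a tree that also have a hard link outside that tree, the case the reply says does not arise for freshly restored home directories. The function name `links_leaving_tree` and the temporary `home`/`system` layout are constructed for illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict


def links_leaving_tree(root):
    """Return {(dev, ino): (nlink, [paths])} for regular files under root
    that have at least one hard link located outside root."""
    seen = defaultdict(list)   # (dev, ino) -> paths found inside root
    nlink = {}                 # (dev, ino) -> link count reported by lstat
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue       # vanished or unreadable; skip it
            if not stat.S_ISREG(st.st_mode) or st.st_nlink < 2:
                continue
            key = (st.st_dev, st.st_ino)
            seen[key].append(path)
            nlink[key] = st.st_nlink
    # More links on disk than names found in the tree: a name lives elsewhere.
    return {k: (nlink[k], sorted(p)) for k, p in seen.items()
            if nlink[k] > len(p)}


def demo():
    """Constructed layout: 'system' stands in for system files, 'home' for /home."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "user")
    system = os.path.join(base, "system")
    os.makedirs(home)
    os.makedirs(system)
    with open(os.path.join(system, "conf"), "w") as f:
        f.write("x")
    with open(os.path.join(home, "notes"), "w") as f:
        f.write("y")
    os.link(os.path.join(system, "conf"), os.path.join(home, "conf_link"))  # leaves tree
    os.link(os.path.join(home, "notes"), os.path.join(home, "notes2"))      # stays inside
    return home, links_leaving_tree(os.path.join(base, "home"))


if __name__ == "__main__":
    home, found = demo()
    for (dev, ino), (n, paths) in found.items():
        print(f"inode {ino}: {n} links, in tree: {paths}")
```

The result is a point-in-time view, so it is only meaningful while nothing else can create links in the tree.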
More information about the fedora-selinux-list mailing list