SELinux on upgraded machines

Daniel J Walsh dwalsh at redhat.com
Mon Dec 15 14:31:24 UTC 2008


Bruno Wolff III wrote:
> On Mon, Dec 15, 2008 at 09:05:42 -0500,
>   Daniel J Walsh <dwalsh at redhat.com> wrote:
>>> "semanage fcontext -C -l" will list your local changes. Unfortunately the
>>> format of the output is not the same as the format for input. But if you
>>> don't have too many changes it's not bad to do the set up again.
>>>
>> What format would you like to see?  Patches accepted :^)
> 
> In theory something like the following would work:
> semanage fcontext -C -l > saved_local_changes
> And then on other system to which the file has been copied:
> sh saved_local_changes
> would work and add the previous changes.
> 
How about something like

semanage fcontext -C -l -F saved_local_changes
semanage fcontext -a -F saved_local_changes

> Actually I think the fcontext stuff could really use some tool in front of
> it that works with directories and some limited set of file name patterns
> rather than an ordered set of full regular expressions. 
There was some experimental work done using globs instead of Regular
Expressions by Tresys (Fglob?), but I have not heard anything about it
recently.
> The current system is error prone and a pain to manage. 
I agree.  I get tripped up by it also.
> If you need to add something in the middle,
> you need to go back and delete stuff one by one, add the new rule and then
> put the old ones back one by one. As far as I know there is no analysis
> of conflicting rules (say where a more general pattern covers a preceding
> more specific pattern) that should be flagged as potential errors.

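The conflict analysis asked for at the end of the message above can be sketched as follows. This is an added example, not code from the thread or from semanage; the rule list is constructed sample data, and it assumes (as the message describes) that a later matching rule overrides an earlier one. Containment is tested heuristically on sample paths, not by full regex analysis.

```python
import re

# Constructed sample: local fcontext rules in the order they were added.
# Assumption (from the thread): when several rules match, the later one wins.
RULES = [
    ("/srv/web(/.*)?", "httpd_sys_content_t"),
    ("/srv/web/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    ("/srv(/.*)?", "var_t"),
    (r"/srv/web/cgi-bin/.*\.sh", "httpd_sys_script_exec_t"),
]


def sample_paths(pattern):
    """Heuristic: build concrete paths from the common '(/.*)?' and '.*'
    idioms, keeping only those the pattern itself really matches."""
    tails = ("", "/x", "/x/y") if "(/.*)?" in pattern else ("",)
    candidates = {
        pattern.replace("(/.*)?", t).replace(".*", "x").replace("\\.", ".")
        for t in tails
    }
    # fullmatch mirrors the anchored matching used for file context specs;
    # patterns with other operators fail this self-check and yield nothing.
    return sorted(c for c in candidates if re.fullmatch(pattern, c))


def find_shadowed(rules):
    """Return (earlier_pattern, later_pattern) pairs where every sample path
    of the earlier rule is also matched by a later rule with another type."""
    findings = []
    for i, (pattern, ctx) in enumerate(rules):
        samples = sample_paths(pattern)
        if not samples:
            continue  # cannot reason about this pattern; skip, do not guess
        for later_pattern, later_ctx in rules[i + 1:]:
            if later_ctx != ctx and all(
                re.fullmatch(later_pattern, s) for s in samples
            ):
                findings.append((pattern, later_pattern))
    return findings


if __name__ == "__main__":
    for earlier, later in find_shadowed(RULES):
        print(f"'{earlier}' is fully covered by later rule '{later}'")
```

A flagged pair means the earlier, more specific label would never be applied, so the files would end up with the broader type.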




More information about the fedora-test-list mailing list