Re: selinux autorelabel and amanda
- From: Stephen Smalley <sds tycho nsa gov>
- To: Gene Heskett <gene heskett verizon net>
- Cc: Daniel J Walsh <dwalsh redhat com>, fedora-selinux-list redhat com
- Subject: Re: selinux autorelabel and amanda
- Date: Wed, 07 Nov 2007 10:25:55 -0500
On Wed, 2007-11-07 at 09:43 -0500, Gene Heskett wrote:
> Greetings;
>
> I got bit pretty hard last night after installing 2.6.24-rc2, and it took
> about an hour to relabel the whole system.
>
> That was ok, and the logs are quieter now, but when it came time to run
> amanda, the relabel had apparently changed the ctime of everything on the
> system, so amanda tried to do all incrementals at level 0, and failed of
> course because the vtape was only 1/4 the size of the system.
>
> That flushed, and a couple more runs and it will be back to normal, but it
> seems to me that there should be an option to preserve ctimes when
> relabeling.
>
> Is that even possible?

Not if it actually set the label (extended attribute of the inode) -
that always updates the ctime.

The question though is why did a relabel occur in the first place, and
why were all the labels set? Normally, restorecon / setfiles only sets
a file label if it does not match the file contexts configuration,
although if run with -F, it will unconditionally set it.

    ls -lc /path/to/somefile
    restorecon -v /path/to/somefile
    ls -lc /path/to/somefile

should show no change in ctime if the file was already correctly
labeled.

However, restorecon -Fv ./foo would force setting of the label, and thus
update the ctime.

--
Stephen Smalley
National Security Agency
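
Added example, not part of the original message: the single-file ls -lc check above extended to a whole directory tree, listing every path whose ctime changed while a command (for instance a restorecon run) executed. The function names ctime_snapshot and ctime_changed are hypothetical, and GNU find (for -printf) is assumed.

```shell
#!/bin/bash
# Added example: report which files under a directory had their ctime
# changed by a command. Intended use on an SELinux host (assumption):
#   ctime_changed /etc restorecon -R /etc
# Requires GNU find. File names containing newlines are not handled.

# Print "<ctime><TAB><path>" for everything under $1, in byte order
# so that comm(1) can compare two snapshots.
ctime_snapshot() {
    find "$1" -xdev -printf '%C@\t%p\n' | LC_ALL=C sort
}

# ctime_changed DIR CMD [ARGS...]
# Snapshot ctimes, run CMD, snapshot again, and print the paths whose
# ctime differs afterwards (including paths CMD created).
ctime_changed() {
    local dir before after
    dir=$1
    shift
    before=$(mktemp)
    after=$(mktemp)

    ctime_snapshot "$dir" > "$before"
    # The command's own output goes to stderr so stdout carries only paths.
    "$@" >&2 || echo "ctime_changed: command exited with status $?" >&2
    ctime_snapshot "$dir" > "$after"

    # Lines present only in the second snapshot carry a new ctime.
    LC_ALL=C comm -13 "$before" "$after" | cut -f2- | LC_ALL=C sort
    rm -f "$before" "$after"
}
```

An empty result means the command left every inode's ctime alone, which is what a restorecon run without -F should produce on a tree that is already correctly labeled.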