selinux autorelabel and amanda

Stephen Smalley sds at tycho.nsa.gov
Wed Nov 7 15:25:55 UTC 2007


On Wed, 2007-11-07 at 09:43 -0500, Gene Heskett wrote:
> Greetings;
> 
> I got bit pretty hard last night after installing 2.6.24-rc2, and it took 
> about an hour to relabel the whole system.
> 
> That was ok, and the logs are quieter now, but when it came time to run 
> amanda, the relabel had apparently changed the ctime of everything on the 
> system, so amanda tried to do all incrementals at level 0, and failed of 
> course because the vtape was only 1/4 the size of the system.
> 
> That flushed, and a couple more runs and it will be back to normal, but it 
> seems to me that there should be an option to preserve ctimes when 
> relabeling.
> 
> Is that even possible?

Not if it actually set the label (extended attribute of the inode) -
that always updates the ctime.

The question though is why did a relabel occur in the first place, and
why were all the labels set?  Normally, restorecon / setfiles only sets
a file label if it does not match the file contexts configuration,
although if run with -F, it will unconditionally set it.

ls -lc /path/to/somefile
restorecon -v /path/to/somefile
ls -lc /path/to/somefile

should show no change in ctime if the file was already correctly
labeled.

However, restorecon -Fv ./foo would force setting of the label, and thus
update the ctime.

-- 
Stephen Smalley
National Security Agency
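
The ls -lc / restorecon / ls -lc check above, extended to a whole tree, as an added example that is not part of the original message: it lists the files whose ctime changes while a command runs, so the effect on a ctime-driven incremental backup can be measured on a small directory first. The function names are hypothetical, and GNU findutils and coreutils are assumed.

```shell
#!/bin/sh
# Added example (not from the original message): report which regular files
# under a directory get a new ctime while a command runs.
# Assumptions: GNU find (-printf), file names without tabs or newlines.

# snapshot_ctimes DIR
# Print "ctime<TAB>path" for every regular file, in a stable sort order.
snapshot_ctimes() {
    find "$1" -xdev -type f -printf '%C@\t%p\n' | LC_ALL=C sort
}

# ctime_changes DIR COMMAND [ARGS...]
# Run COMMAND, then print the paths under DIR whose ctime differs from the
# snapshot taken before it ran (files created by COMMAND are listed too).
ctime_changes() {
    dir=$1
    shift
    before=$(mktemp)
    after=$(mktemp)
    snapshot_ctimes "$dir" > "$before"
    # Output and exit status of the command are ignored; only ctimes matter.
    "$@" > /dev/null 2>&1 || :
    snapshot_ctimes "$dir" > "$after"
    # Lines present only in the second snapshot carry a new ctime.
    LC_ALL=C comm -13 "$before" "$after" | cut -f2-
    rm -f "$before" "$after"
}

# Typical use, as root on an SELinux system (not executed here):
#   ctime_changes /srv/test restorecon -R /srv/test    # mislabeled files only
#   ctime_changes /srv/test restorecon -RF /srv/test   # every file, forced
```

On a correctly labeled tree the first call should print nothing, while the -F call should list every file.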



