selinux autorelabel and amanda
Stephen Smalley
sds at tycho.nsa.gov
Wed Nov 7 15:25:55 UTC 2007
On Wed, 2007-11-07 at 09:43 -0500, Gene Heskett wrote:
> Greetings;
>
> I got bit pretty hard last night after installing 2.6.24-rc2, and it took
> about an hour to relabel the whole system.
>
> That was ok, and the logs are quieter now, but when it came time to run
> amanda, the relabel had apparently changed the ctime of everything on the
> system, so amanda tried to do all incrementals at level 0, and failed of
> course because the vtape was only 1/4 the size of the system.
>
> That flushed, and a couple more runs and it will be back to normal, but it
> seems to me that there should be an option to preserve ctimes when
> relabeling.
>
> Is that even possible?

Not if it actually set the label (extended attribute of the inode) -
that always updates the ctime.

The question though is why did a relabel occur in the first place, and
why were all the labels set? Normally, restorecon / setfiles only sets
a file label if it does not match the file contexts configuration,
although if run with -F, it will unconditionally set it.

    ls -lc /path/to/somefile
    restorecon -v /path/to/somefile
    ls -lc /path/to/somefile

should show no change in ctime if the file was already correctly
labeled.

However, restorecon -Fv ./foo would force setting of the label, and thus
update the ctime.

--
Stephen Smalley
National Security Agency
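
The single-file ls -lc / restorecon -v / ls -lc check from the message above, extended to a whole directory tree so the files whose ctime a relabel changed can be counted before the next backup run. This is an added example, not part of the original message; the function names are hypothetical, and it assumes GNU find and paths without tabs or newlines.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical. Assumes GNU find (-printf) and paths without tabs/newlines.

# ctime_snapshot DIR: one "ctime<TAB>path" line per regular file, sorted.
ctime_snapshot() {
    find "$1" -xdev -type f -printf '%C@\t%p\n' | LC_ALL=C sort
}

# ctime_changed BEFORE AFTER: paths that are new or whose ctime differs
# in the AFTER snapshot (lines present only in AFTER).
ctime_changed() {
    LC_ALL=C comm -13 "$1" "$2" | cut -f2-
}

# ctime_report DIR CMD [ARGS...]: run CMD and print the files under DIR
# whose ctime it changed. CMD's own output is sent to stderr so that
# stdout carries only the list of paths.
ctime_report() {
    cr_dir=$1; shift
    cr_before=$(mktemp) || return 1
    cr_after=$(mktemp) || { rm -f "$cr_before"; return 1; }
    ctime_snapshot "$cr_dir" > "$cr_before"
    "$@" >&2 || echo "ctime_report: command exited non-zero" >&2
    ctime_snapshot "$cr_dir" > "$cr_after"
    ctime_changed "$cr_before" "$cr_after"
    rm -f "$cr_before" "$cr_after"
}

# Typical use on an SELinux host:
#   ctime_report /etc restorecon -Rv /etc | wc -l
# A correctly labeled tree should report 0; with -F every file is listed.
```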