SCIENTIFIC-LINUX-DEVEL Archives

November 2013

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

From: David Sommerseth
Date: Fri, 8 Nov 2013 13:18:11 +0100

On 08. nov. 2013 01:06, Paul Robert Marino wrote:
> Well it's generally best to have it in permissive mode right from the install

Just curious, why do you think so?  I've never had any issues going
straight to enforced mode.  But it might depend on the extra packages
being installed.

> Interestingly though I usually use the fixfiles command instead of
> restorecon
> It makes it easy to backup and restore contexts on files and directories.

The fixfiles utility actually uses restorecon under the hood.  Using
restorecon you need to tell it which files and directories to run through.

With fixfiles, it will actually do more sanity checking of the files
considered for relabelling; it can just verify if file contexts are
correct without changing anything, and so on.  You can even use fixfiles
to only relabel files belonging to a specific RPM package, and so on.
It's a handy tool, but it may not relabel everything you'd expect it to
relabel.

For example, if you have added your own directories, it may not touch
those directories at all - even with explicit file contexts defined
(using semanage fcontext).  Using restorecon -R on a directory, you are
100% sure you'll get the correct file labelling, according to the
policy, no matter where the files came from.  The alternative to using
restorecon is to do a full relabel job at boot, which can be quite
time-consuming on big file systems.  (And a relabel at boot uses
restorecon as well.)


--
kind regards,

David Sommerseth
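
Added example, not part of the original message: the semanage fcontext plus restorecon -R sequence for a custom directory described above, with a preview pass first and a package-scoped fixfiles check. The function names, the DRY_RUN switch, /srv/appdata and httpd_sys_content_t are assumptions chosen for illustration.

```shell
# Added example: the semanage fcontext + restorecon -R workflow for a custom directory.
# /srv/appdata and httpd_sys_content_t in the usage lines are placeholders;
# DRY_RUN and the function names are hypothetical helpers for this sketch.

# Run a command, or only print it when DRY_RUN=1 (to review before touching labels).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Define the expected context for a directory tree, preview, then relabel it.
label_custom_dir() {
    lcd_dir=${1%/}      # drop a trailing slash so the regex below stays clean
    lcd_type=$2
    case $lcd_dir in
        /?*) ;;
        *) echo "label_custom_dir: need an absolute path other than /" >&2; return 2 ;;
    esac
    [ -n "$lcd_type" ] || { echo "label_custom_dir: need an SELinux type" >&2; return 2; }

    # Persistent rule: the directory itself and everything below it.
    # (semanage refuses -a if the rule already exists; use -m to modify it.)
    run semanage fcontext -a -t "$lcd_type" "${lcd_dir}(/.*)?" || return 1
    # -n: change nothing, -v: show what would be relabelled.
    run restorecon -R -n -v "$lcd_dir" || return 1
    # Apply the policy's labels recursively.
    run restorecon -R -v "$lcd_dir"
}

# fixfiles limited to the files owned by one RPM package; "check" only reports.
check_package_labels() {
    [ -n "$1" ] || { echo "check_package_labels: need a package name" >&2; return 2; }
    run fixfiles -R "$1" check
}

# Usage (as root on an SELinux-enabled host):
#   DRY_RUN=1 label_custom_dir /srv/appdata httpd_sys_content_t
#   label_custom_dir /srv/appdata httpd_sys_content_t
```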
