On 08. nov. 2013 01:06, Paul Robert Marino wrote:
> Well, it's generally best to have it in permissive mode right from the install

Just curious, why do you think so? I've never had any issues going straight to enforced mode. But it might depend on the extra packages being installed.

> Interestingly though I usually use the fixfiles command instead of
> restorecon
> It makes it easy to backup and restore contexts on files and directories.

The fixfiles utility actually uses restorecon under the hood. Using restorecon you need to tell it which files and directories to run through. With fixfiles, it will actually do more sanity checking of the files considered for relabelling; it can just verify if file contexts are correct without changing anything and so on. You can even use fixfiles to only relabel files belonging to a specific RPM package and so on.

It's a handy tool, but it may not relabel everything you'd expect it to relabel. For example, if you have added your own directories, it may not touch those directories at all - even with explicit file contexts defined (using semanage fcontext). Using restorecon -R on a directory, you are 100% sure you'll get the correct file labelling, according to the policy, no matter where the files came from.

The alternative to using restorecon is to do a full relabel job at boot, which can be quite time-consuming on big file systems. (And a relabel at boot uses restorecon as well.)

--
kind regards,

David Sommerseth