
I've done a lot of chcon-ing lately, but if I understand it correctly, these will be erased on the next relabel. Is there any way to make the current contexts (preferably just under a certain directory) permanent? I understand there's a way to do it using semanage, but that means going back through and checking the context of every file and invoking semanage to set a rule. So is there some automated way to do it?

2 Answers


First up, you are correct in that semanage fcontext -a -t <type> <filepattern> makes file changes permanent by adding them to the policy - you'll need to relabel or restorecon -R -v <filepattern> to apply those changes. chcon does not alter policy, just the on-disk context.

You can generate a list of differences to your labelled policy with matchpathcon, specifically:

matchpathcon -V /path/to/file

Unfortunately it has no recursive option, probably due to the fact that walking the tree would be expensive, but you could drive it with:

find / -exec matchpathcon -V {} \;

However, be careful. I believe find will traverse all file system mounts including filesystems without extended attributes (xattrs) which might cause problems. Of course, if all your file systems have extended attributes there isn't a problem.

Once you have this list, you could then write a script to pick out those you'll semanage. I don't know of an automated way to do this in one hit, however.


Using matchpathcon with find is very slow. Why not use restorecon?

restorecon -rnv /path/to/dir

The flags are recursive, no-changes, and verbose.

jasonwryan
user33688
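Both answers stop at "generate the list of differences, then script the semanage calls yourself". The following is an added example of that last step, not code from either answer: a small POSIX shell script that reads the "would relabel" lines produced by restorecon -Rnv (the second answer's approach) and emits one semanage fcontext -a -t rule per file whose on-disk type differs from what policy would restore. It assumes the modern restorecon/setfiles output shape "Would relabel PATH from CONTEXT to CONTEXT"; older policycoreutils releases printed a different "reset ... context A->B" line and would need the parser adjusted. The sample output embedded in the script is constructed for the demo, and the script name in the usage comment is made up.

```sh
#!/bin/sh
# Added example: turn the "would relabel" diff from "restorecon -Rnv DIR" into
# "semanage fcontext" rules, so contexts set with chcon survive the next
# relabel. This is not code from either answer on the page.
#
# Assumption: restorecon -nv prints one line per file that would change, in
# this shape (the "from" context is what chcon set and we want to keep; the
# "to" context is what policy would restore):
#   Would relabel /srv/www/index.html from system_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:var_t:s0
# Only the type field (third colon field) is carried into the rule; user, role
# and level differences are ignored.

# Constructed sample of restorecon -Rnv output (not captured from a real host).
SAMPLE_RESTORECON_OUTPUT='Would relabel /srv/www/index.html from system_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:var_t:s0
Would relabel /srv/www/app (v2)/data.json from unconfined_u:object_r:httpd_sys_rw_content_t:s0 to system_u:object_r:var_t:s0
Would relabel /srv/www/old.txt from unconfined_u:object_r:var_t:s0 to system_u:object_r:var_t:s0
restorecon: Warning no default label for /srv/www/.missing'

# semanage fcontext takes a regex, so every regex metacharacter in the literal
# path must be escaped or the rule will match more (or less) than intended.
escape_path() {
    printf '%s' "$1" | sed 's/[][\\.*^$|+?(){}]/\\&/g'
}

# Third colon-separated field of user:role:type:level.
ctx_type() {
    printf '%s' "$1" | cut -d: -f3
}

# Read restorecon -nv output on stdin and print one semanage command per file
# whose on-disk type differs from the policy type.
gen_fcontext_rules() {
    while IFS= read -r line; do
        case "$line" in
            "Would relabel "*" from "*" to "*) ;;
            *) continue ;;          # warnings and other chatter
        esac
        rest=${line#Would relabel }
        path=${rest% from *}
        ctxs=${rest#* from }
        cur_type=$(ctx_type "${ctxs% to *}")
        pol_type=$(ctx_type "${ctxs#* to }")
        # Only the user/role/level differ: a -t rule would change nothing.
        [ "$cur_type" = "$pol_type" ] && continue
        printf "semanage fcontext -a -t %s '%s'\n" "$cur_type" "$(escape_path "$path")"
    done
}

# Rules for the embedded sample; used as the stand-alone demo.
rules_from_sample() {
    printf '%s\n' "$SAMPLE_RESTORECON_OUTPUT" | gen_fcontext_rules
}

# Usage (hypothetical script name):
#   ./fcontext-from-diff.sh /srv/www   (real host, needs restorecon)
#   ./fcontext-from-diff.sh            (prints rules for the constructed sample)
if [ -d "${1-}" ]; then
    restorecon -Rnv "$1" | gen_fcontext_rules
else
    rules_from_sample
fi
```

Review the generated commands before running them rather than piping them straight into sh: semanage fcontext -a refuses to add a rule when one with the same regex already exists (use -m to modify it), and if every file under a directory carries the same chcon'd type, one rule for the directory written as a pattern such as "/srv/www(/.*)?" is far better than hundreds of per-file rules. After the rules are in, restorecon -Rnv on the same tree should print nothing for those files; that is the check that the policy now agrees with the on-disk contexts.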