
How can I see the history of file labels - who and when set them?

Right now SELinux reports that my /etc/resolv.conf with content # Generated by NetworkManager is mislabeled. It is now unlabeled_t and should be net_conf_t.

However, I am not sure if it is right or wrong. There might be some race condition between some programs trying to set their labels on that file. Looking at the history of changes to it may help me to understand what is going on.

  • The context is likely automatically assigned by the policy (instead of being manually changed) when the file is created. Which context is used depends on the creating process' security domain. resolv.conf is possibly updated by creating a new temporary file, writing the configuration there and then moving the new file to replace the old resolv.conf, hence the label might be incorrect. – sebasth Oct 09 '18 at 10:16
  • I'm not sure if the listed duplicate would address an SELinux relabelling. It could, if the file gets re-written, but not if separate programs are calling semanage... – Jeff Schaller Oct 09 '18 at 11:38
  • @JeffSchaller inotify/other tools can be used to monitor when extended attributes are modified (which happens when a file gets relabeled). Any modifications done to the file context database (using semanage) are not reflected in the filesystem before the target file is relabeled. The problem (and answer(s)) is essentially the same as in the other question. – sebasth Oct 09 '18 at 11:51

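One way to get the "who and when" asked about above, as an added example that is not part of the original thread: have the Linux audit subsystem log changes to the file, then correlate the SYSCALL and PATH records of each event. The watch rule, the key name `resolv-label` and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the Linux audit log record format (not from the thread).
# Assumes a watch rule such as: auditctl -w /etc/resolv.conf -p wa -k resolv-label
SAMPLE = '''\
type=SYSCALL msg=audit(1539080160.412:801): arch=c000003e syscall=82 success=yes exit=0 pid=912 auid=4294967295 uid=0 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key="resolv-label"
type=PATH msg=audit(1539080160.412:801): item=3 name="/etc/resolv.conf" inode=7731 obj=system_u:object_r:unlabeled_t:s0 nametype=CREATE
type=SYSCALL msg=audit(1539080215.090:817): arch=c000003e syscall=189 success=yes exit=0 pid=2044 auid=1000 uid=0 comm="restorecon" exe="/usr/sbin/restorecon" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="resolv-label"
type=PATH msg=audit(1539080215.090:817): item=0 name="/etc/resolv.conf" inode=7731 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1539080300.000:900): arch=c000003e syscall=257 success=yes exit=3 pid=3000 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="other"
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def label_history(log_text, path="/etc/resolv.conf", key="resolv-label"):
    """Return sorted (time, exe, auid, process domain, recorded file label) rows."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, secs, ms, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        # Records that share a timestamp and serial belong to one event.
        ev = events.setdefault((secs, ms, serial), {"time": int(secs)})
        if rtype == "SYSCALL":
            ev.update(fields)           # who: exe, auid, subj (process domain)
        elif rtype == "PATH" and fields.get("name") == path:
            ev["obj"] = fields.get("obj")   # file label recorded for this event
    rows = []
    for ev in events.values():
        if ev.get("key") == key and "obj" in ev:
            when = datetime.fromtimestamp(ev["time"], tz=timezone.utc).isoformat()
            rows.append((when, ev["exe"], ev["auid"], ev["subj"], ev["obj"]))
    return sorted(rows)

if __name__ == "__main__":
    for row in label_history(SAMPLE):
        print(" | ".join(row))
```

The `subj` column is the security domain of the process that touched the file, which is what determines the label of a newly created replacement file, as the first comment describes.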