On 05/25/2010 08:36 PM, Whit Blauvelt wrote:
Thoughtful advice. Thanks. Is there some method to duplicate basic configuration files across selinux servers without running restorecon for each set of files that's copied over - that is, to copy them with their selinux labels intact?
Usually if you copy them directly to their destination, they'll have the correct context. If you copy it to a different location first (like /home/) and then move it into place, it'll have the context that it got when it was created (like user_home_t).
I use bcfg2 to manage configuration files, for instance, and I don't believe that any SELinux contexts are broken as a result.
From this limited example, it looks like selinux gets in the way of standard administrative tasks, yet wouldn't be in the way at all of anyone who'd acquired a shell within which they could run another shell and with that call whatever program they like.
No, it wouldn't, and it's not intended to. It is intended to confine your system daemons so that an attacker cannot overflow a buffer and execute arbitrary shell code (for instance).
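The copy-versus-move point above, as an added shell example that is not part of this thread: the file is copied straight to its final path with cp, so the new inode is labeled by the policy's file-creation rules for that directory, and a dry-run restorecon is used as the check that no relabel would be needed. It assumes coreutils plus, where present, policycoreutils (restorecon); the paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes coreutils cp and,
# optionally, restorecon from policycoreutils.

# deploy_config SRC DEST
# Copy SRC directly onto DEST. cp creates a new inode at DEST, so SELinux
# labels it from the file-creation rules for DEST's directory. mv would
# instead carry the staging label (e.g. user_home_t) across with the inode,
# and cp --preserve=context would copy the staging label explicitly.
# Returns 0 on success, 1 if the copy fails, 2 if the label still mismatches.
deploy_config() {
    src=$1
    dest=$2
    [ -f "$src" ] || return 1
    cp -- "$src" "$dest" || return 1
    # Dry-run restorecon (-n) with -v prints one line per file it would
    # relabel; any output means the label does not match policy.
    if command -v restorecon >/dev/null 2>&1; then
        if restorecon -nv -- "$dest" | grep -q .; then
            return 2
        fi
    fi
    return 0
}

# label_of PATH: print the file's security context ("?" without SELinux).
label_of() {
    ls -Z -- "$1" 2>/dev/null | awk '{print $1}'
}
```

Run as `deploy_config /tmp/staged/app.conf /etc/app/app.conf` (placeholder paths); a return of 2 means the destination still needs restorecon, which should not happen when the file was created in place.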