On 05/25/2010 08:36 PM, Whit Blauvelt wrote:
>
> Thoughtful advice. Thanks. Is there some method to duplicate basic
> configuration files across selinux servers without running restorecon for
> each set of files that's copied over - that is, to copy them with their
> selinux labels intact?

Usually if you copy them directly to their destination, they'll have the correct context. If you copy them to a different location first (like /home/) and then move them into place, they'll have the context that they got when they were created (like user_home_t). I use bcfg2 to manage configuration files, for instance, and I don't believe that any SELinux contexts are broken as a result.

> From this limited example, it looks like selinux gets in the way of standard
> administrative tasks, yet wouldn't be in the way at all of anyone who'd
> acquired a shell within which they could run another shell and with that
> call whatever program they like.

No, it wouldn't, and it's not intended to. It is intended to confine your system daemons so that an attacker cannot overflow a buffer and execute arbitrary shell code (for instance).
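The copy-versus-move behaviour described in the reply above, as an added shell example that is not part of the original thread and not bcfg2's code. It assumes a GNU/Linux host with coreutils (`install`, `stat -c %C`) and, where SELinux is active, `selinuxenabled`, `matchpathcon` and `restorecon` from policycoreutils/libselinux-utils; the function names and the staging/destination paths are mine. Without SELinux the label checks are skipped and only the copy happens.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or bcfg2's code).
# Point being shown: 'cp'/'install' create a NEW inode at the destination,
# which SELinux labels from the policy's file-creation rules (normally the
# parent directory's type, e.g. etc_t under /etc). 'mv' on the same
# filesystem is a rename, so the inode and its existing label (user_home_t
# if the file was staged under /home) travel with it.
#
# Assumed tools: GNU coreutils ('install', 'stat -c %C') and, when SELinux is
# active, 'selinuxenabled', 'matchpathcon', 'restorecon'.

selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# Label actually stored on the inode (the security.selinux xattr).
label_of() {
    stat -c '%C' "$1"
}

# Label the file_contexts database says this path should carry
# (what restorecon would set). -n suppresses the path in the output.
expected_label() {
    matchpathcon -n "$1"
}

# Succeeds if the on-disk label matches policy, or if SELinux is off.
label_matches_policy() {
    selinux_active || return 0
    [ "$(label_of "$1")" = "$(expected_label "$1")" ]
}

# Put a staged config file into place so it gets the destination's label.
# Deliberately NOT 'mv', and NOT 'cp -a' / 'cp --preserve=context': both of
# those carry the staging label (e.g. user_home_t) along with the file.
deploy_conf() {
    src=$1
    dst=$2
    install -m 0644 "$src" "$dst" || return 1
    # Creation-time labelling usually matches file_contexts, but not always
    # (a path with a more specific spec than its directory gets the directory's
    # type at creation), so relabel from the database explicitly. This is a
    # no-op when the label is already right.
    if selinux_active; then
        restorecon "$dst" || return 1
    fi
    label_matches_policy "$dst"
}

# Usage: deploy_conf /home/admin/staging/sshd_config /etc/ssh/sshd_config
```

`deploy_conf` returns non-zero if the file still does not carry the label `matchpathcon` reports for its path, which is the check to add to any push-files-then-forget script. The same caveat applies in the other direction: `cp -a` (which implies `--preserve=all`, including the context) is the one copy form that behaves like `mv` here and will happily plant `user_home_t` under `/etc`.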