On 14/03/13 06:23, Gordon Messmer wrote:
> On 03/12/2013 04:07 PM, Kahlil Hodgson wrote:
>> If you are upgrading from 6.3 to 6.4 and you use shorewall, you will
>> want to run
>>
>> restorecon -Rv /sbin
>
> That's odd. Part of the selinux postinstall script involves running
> "fixfiles" on any files whose context has changed. I confirmed that the
> iptables contexts changed when I ran restorecon on one system, but I
> can't understand why they weren't fixed by the postinstall script.

My thoughts exactly. Just double-checked the postinstall script and
can't see any obvious bugs.

Hmmm ... If I compare the old and new file_context files ...

  <rizo:~> diff file_contexts.new file_contexts.old | grep ip6?tables-multi
  > /sbin/ip6?tables-multi -- system_u:object_r:iptables_exec_t:s0
  < /sbin/ip6?tables-multi.* -- system_u:object_r:iptables_exec_t:s0

so the postinstall script runs (essentially)

  fixfiles -C file_contexts.old restore

which tries to fix the context for a /sbin/ip6?tables-multi which does
not exist on the updated system (which now uses alternatives trickery to
version these).

K

--
Kahlil (Kal) Hodgson                       GPG: C9A02289
Head of Technology                         (m) +61 (0) 4 2573 0382
DealMax Pty Ltd                            (w) +61 (0) 3 9008 5281

Suite 1415
401 Docklands Drive
Docklands VIC 3008 Australia

"All parts should go together without forcing. You must remember that
the parts you are reassembling were disassembled by you. Therefore,
if you can't get them together again, there must be a reason. By all
means, do not use a hammer." -- IBM maintenance manual, 1925
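
Added example, not part of the original message and not code from fixfiles or the policy package: it evaluates the two patterns from the diff above against versioned file names, showing which paths each pattern covers and which paths get a different label under the new policy. The file names, the generic `/sbin` rule with its `bin_t` label, and the "last matching line wins" lookup are assumptions made for illustration.

```python
import re

# Constructed excerpts modelled on the two file_contexts lines in the diff
# above; the generic /sbin rule and its bin_t label are assumptions.
OLD_FC = """\
/sbin(/.*)?              system_u:object_r:bin_t:s0
/sbin/ip6?tables-multi   -- system_u:object_r:iptables_exec_t:s0
"""
NEW_FC = """\
/sbin(/.*)?              system_u:object_r:bin_t:s0
/sbin/ip6?tables-multi.* -- system_u:object_r:iptables_exec_t:s0
"""
# Constructed file names standing in for the versioned binaries.
PATHS = ["/sbin/iptables-multi-1.4.7", "/sbin/ip6tables-multi-1.4.7",
         "/sbin/ifconfig"]


def parse(fc_text):
    """Return [(pattern, context)] in file order; the file-type field is skipped."""
    specs = []
    for line in fc_text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            specs.append((fields[0], fields[-1]))
    return specs


def lookup(specs, path):
    """Expected context for path. Patterns must match the whole path, and the
    last matching line wins (a simplification of the real lookup order)."""
    for pattern, context in reversed(specs):
        if re.fullmatch(pattern, path):
            return context
    return None


def changed_patterns(old_fc, new_fc):
    """Patterns that appear in only one of the two files, as a diff would show."""
    return sorted(p for p, _ in set(parse(old_fc)) ^ set(parse(new_fc)))


def paths_matching(pattern, paths):
    """Existing paths that a single file_contexts pattern covers."""
    return [p for p in paths if re.fullmatch(pattern, p)]


def needs_relabel(old_fc, new_fc, paths):
    """Map each path whose expected context changed to (old, new) contexts."""
    old, new = parse(old_fc), parse(new_fc)
    return {p: (lookup(old, p), lookup(new, p))
            for p in paths if lookup(old, p) != lookup(new, p)}
```

On a live system, `restorecon -Rnv /sbin` performs the equivalent check against the installed policy and reports the files it would relabel without changing them.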