Description of problem:

"restorecon" on a symlink has entirely the wrong behaviour. It looks up the correct context for the symlink, but then applies that context to the file that the symlink points to. So, for example, "restorecon /bin/sh" will give bash the context system_u:object_r:bin_t instead of system_u:object_r:shell_exec_t. This breaks all manner of things.

"restorecon -h" will work, but without -h, we do something completely broken. If we're going to follow the symlink when applying the context, then we need to follow the symlink when looking up the appropriate context, too.

"restorecon" is what people will use to fix policy, it should really try to avoid this unexpected behaviour by default.

Version-Release number of selected component (if applicable):
policycoreutils-1.9-8

How reproducible:
100%

Steps to Reproduce:
# restorecon /bin/sh
# ls -lZ /bin/bash

Actual results:
-rwxr-xr-x+ root root system_u:object_r:bin_t /bin/bash

Expected results:
-rwxr-xr-x+ root root system_u:object_r:shell_exec_t /bin/bash

I pulled out the handling of symlinks and made it always set the context of the file handed to it, whether it is a symlink or a file. -h option removed. Available in policycoreutils-1.9-9
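
The lookup/apply mismatch from the report, next to the two consistent alternatives, as an added Python sketch that is not code from policycoreutils. The spec table, the scratch directory and the inode-keyed `labels` dict are constructed stand-ins for file_contexts and the real security attribute, so it runs without SELinux; reading the fix as "no-follow for both steps" is an assumption.

```python
import os
import re
import tempfile

# Constructed stand-in for a file_contexts table: (path regex, context).
# In this sketch the last matching entry wins.
SPECS = [
    (r"/bin(/.*)?", "system_u:object_r:bin_t"),
    (r"/bin/bash", "system_u:object_r:shell_exec_t"),
]

def lookup(path):
    """Return the context of the last spec matching the whole path."""
    ctx = None
    for pattern, context in SPECS:
        if re.fullmatch(pattern, path):
            ctx = context
    return ctx

def relabel(root, path, mode, labels):
    """Record a label for `path` in `labels` (a dict keyed by inode number).

    buggy:    look up the name as given, apply through the symlink
    nofollow: look up the name as given, apply to the symlink itself
    follow:   resolve the symlink, then look up and apply on the target
    """
    full = root + path
    if mode == "follow":
        full = os.path.realpath(full)
    context = lookup(full[len(root):])
    # os.stat follows symlinks, os.lstat does not.
    st = os.lstat(full) if mode == "nofollow" else os.stat(full)
    labels[st.st_ino] = context

def demo():
    """Return {mode: (label on bash, label on the sh symlink)} for /bin/sh."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        os.mkdir(root + "/bin")
        open(root + "/bin/bash", "w").close()
        os.symlink("bash", root + "/bin/sh")
        bash = os.stat(root + "/bin/bash").st_ino
        link = os.lstat(root + "/bin/sh").st_ino
        for mode in ("buggy", "nofollow", "follow"):
            labels = {}
            relabel(root, "/bin/sh", mode, labels)
            results[mode] = (labels.get(bash), labels.get(link))
    return results

if __name__ == "__main__":
    for mode, pair in demo().items():
        print(mode, pair)
```

Only the "buggy" mode leaves the shell binary carrying the label that was looked up for the symlink's name; the other two keep the lookup path and the labelled object in agreement.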