Description of problem:
I'm currently testing a new init script for postgresql that does this to create a log file that's not known to selinux-policy-targeted:

    PGLOG=/var/lib/pgsql/pgstartup.log
    touch "$PGLOG" || exit 1
    chown postgres:postgres "$PGLOG"
    chmod go-rwx "$PGLOG"
    [ -x /usr/bin/chcon ] && /usr/bin/chcon -t postgresql_log_t "$PGLOG"

This works fine for me, but I have a report that someone else running the same coreutils release gets

    /usr/bin/chcon: can't apply partial context to unlabeled file /var/lib/pgsql/pgstartup.log

Any idea why it fails for him, and what I can do about it?

Version-Release number of selected component (if applicable):
coreutils-5.2.1-31

How reproducible:
100% for him, 0% for me

Steps to Reproduce:
1. See above, or install postgresql-8.0.0rc5-0.3 from fc4-scratch
2.
3.

Actual results:

Expected results:

Additional info:
See thread beginning at http://lists.pgfoundry.org/pipermail/pgsqlrpms-hackers/2005-January/000076.html
Well, like the error says, you can't have a partial label. Your /var/lib/pgsql/pgstartup.log file is already labelled and so it makes sense to change part of the label. Their file has no pre-existing label, and so what you're trying to do doesn't make sense. (Dan, is that right?)
Hm ... so how do I find out what label is on a file? I've looked through the man pages for the selinux commands I know about, and found nothing :-(
ls -Z
This says the file has no label to start, so you can specify just a partial context. So I believe the user is running on an unlabeled system, i.e. ls -Z shows no label, so chcon -t XYZ fails because there is no User or Role section.
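Added example, not part of the original report or its replies, and not the postgresql init script: one way an init script could check for an existing context before running chcon -t, so that an unlabeled file is skipped with a warning instead of failing. The function names label_plan and apply_log_label are hypothetical, and the sketch assumes GNU stat (whose %C format prints "?" when it cannot read a context) and the selinuxenabled utility from libselinux.

```shell
#!/bin/sh
# Added example: guard "chcon -t" so it only runs on a file that already
# carries a full SELinux context (user:role:type[:level]).

# Decide what to do, given the SELinux state ("enabled" or "disabled"),
# the file's current context string, and the wanted type. Prints one of:
#   skip-disabled  skip-unlabeled  already-set  chcon-type
label_plan() {
    state=$1 ctx=$2 want=$3
    [ "$state" = enabled ] || { echo skip-disabled; return; }
    case "$ctx" in
        *:*:*) ;;                           # has user, role and type
        *) echo skip-unlabeled; return ;;   # "", "?", or anything partial
    esac
    rest=${ctx#*:}      # drop the user field
    rest=${rest#*:}     # drop the role field
    cur=${rest%%:*}     # keep the type, without any MLS/MCS level
    if [ "$cur" = "$want" ]; then echo already-set; else echo chcon-type; fi
}

# Apply the type to FILE only when the plan says a partial context is valid.
apply_log_label() {
    file=$1 want=$2
    state=disabled
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        state=enabled
    fi
    ctx=$(stat -c %C "$file" 2>/dev/null) || ctx=
    case $(label_plan "$state" "$ctx" "$want") in
        chcon-type)
            chcon -t "$want" "$file" ;;
        skip-unlabeled)
            echo "warning: $file has no SELinux context; skipping chcon -t" >&2 ;;
    esac
}
```

In the script from the report, the last line would become a call such as apply_log_label "$PGLOG" postgresql_log_t.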