I am trying to change the security context of a package I manually installed. I cannot become adm_r by using newrole, but I assume that this is not necessary because that package is in Extras and I log into root with su -. I cannot find any information in the Fedora documentation to suggest that I need to change roles to chcon files as root, so I assume this behavior is a bug. Here is the problem I have:
    [root@localhost ~]# chcon -t procmail_t /usr/local/var/dspam/data/evan/evan.lock
    chcon: failed to change context of /usr/local/var/dspam/data/evan/evan.lock to user_u:object_r:procmail_t: Permission denied
And the AVC message is:
    avc: denied { relabelto } for comm='"chcon"' dev='hda1' egid='0' euid='0' exe='"/usr/bin/chcon"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0' name='"evan.lock"' pid='11151' scontext=user_u:system_r:unconfined_t:s0 sgid='0' subj='user_u:system_r:unconfined_t:s0' suid='0' tclass='file' tcontext=user_u:object_r:procmail_t:s0 tty='pts0' uid='0'
Confirmed. selinux-policy-targeted-2.4.6-1.fc6
    touch /tmp/foo
    chcon -t procmail_t /tmp/foo
procmail_t is a domain context, not a file_context. You can only chcon file contexts. Please ask questions on fedora-selinux-list.
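
Added example, not part of the original thread: a small triage helper that parses the AVC denial quoted in the report and checks whether the relabel target is a domain type or a file type, which is the distinction the last reply draws. The type sets are constructed samples; the function names and the idea of filling the sets from `seinfo -adomain -x` and `seinfo -afile_type -x` are assumptions of this example.

```python
import re

# AVC denial from the report above, abridged to the fields used here.
AVC = (
    "avc: denied { relabelto } for comm='\"chcon\"' dev='hda1' "
    "exe='\"/usr/bin/chcon\"' name='\"evan.lock\"' pid='11151' "
    "scontext=user_u:system_r:unconfined_t:s0 tclass='file' "
    "tcontext=user_u:object_r:procmail_t:s0 tty='pts0' uid='0'"
)

# Constructed samples. On a real host these sets would be filled from the
# loaded policy (assumption: setools `seinfo -adomain -x` / `seinfo -afile_type -x`).
DOMAIN_TYPES = {"procmail_t", "unconfined_t"}
FILE_TYPES = {"procmail_exec_t", "tmp_t", "user_home_t"}

FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")


def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if m is None:
        raise ValueError("not an AVC denial")
    fields = {"perms": m.group(1).split()}
    for key, quoted, bare in FIELD_RE.findall(line):
        # Values arrive either bare or as '"value"'; drop the inner quotes too.
        fields[key] = (quoted or bare).strip('"')
    return fields


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def diagnose(fields, domain_types=DOMAIN_TYPES, file_types=FILE_TYPES):
    """Explain a relabelto denial by classifying the target type."""
    if "relabelto" not in fields["perms"]:
        return "not a relabel denial"
    target = selinux_type(fields["tcontext"])
    if target in file_types:
        source = selinux_type(fields["scontext"])
        return f"{target} is a file type; policy denies relabelto for {source}"
    if target in domain_types:
        return f"{target} is a domain type, not a file type for a {fields['tclass']}"
    return f"{target} is not in the supplied type sets"


if __name__ == "__main__":
    print(diagnose(parse_avc(AVC)))
```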