Bunch of different SELinux inconsistencies:

The following have a different restore context from what comes out-of-the-box from the rpm:

/etc/rc.d/rc.local
    rpm:        system_u:object_r:initrc_exec_t (I think)
    restorecon: system_u:object_r:etc_t

/etc/init.d/functions
    rpm:        (I forget exactly but ended in something with bin_t)
    restorecon: system_u:object_r:etc_t

/etc/init.d/resolv.conf
    rpm:        system_u:object_r:net_conf_t (I think)
    restorecon: system_u:object_r:etc_t

/etc/exports
    rpm:        system_u:object_r:exports_t
    restorecon: system_u:object_r:etc_t

/etc/cups/printers.con
    rpm:        system_u:object_r:cupsd_rw_etc_t
    restorecon: system_u:object_r:cupsd_etc_t
I am not sure what you are saying but the correct context for all these files is

/etc/rc.d/rc.local
    rpm:        system_u:object_r:initrc_exec_t (I think)
    restorecon: system_u:object_r:etc_t

/etc/init.d/functions
    system_u:object_r:bin_t

/etc/init.d/resolv.conf
    This file does not exist? If it did and was a file it would be initrc_exec_t

/etc/exports
    system_u:object_r:exports_t

/etc/cups/printers.con
    system_u:object_r:cupsd_etc_t

    matchpathcon FILE_PATH

will tell you the system default context. But make sure these are files. The label on a symbolic link and a file might be different.
Sorry for lack of clarity -- by restorecon, I meant matchpathcon (I believe that restorecon -n gives the same result as matchpathcon when the context is wrong).

The issues remain using matchpathcon (i.e. I get the same context as I noted before under restorecon). These DIFFER from what you suggested matchpathcon should give. Specifically,

    $ matchpathcon /etc/rc.d/rc.local
    /etc/rc.d/rc.local system_u:object_r:etc_t:s0
    $ matchpathcon /etc/init.d/functions
    /etc/init.d/functions system_u:object_r:etc_t:s0
    $ matchpathcon /etc/resolv.conf
    /etc/resolv.conf system_u:object_r:etc_t:s0
    $ matchpathcon /etc/exports
    /etc/exports system_u:object_r:etc_t:s0
    $ matchpathcon /etc/cups/printers.conf
    /etc/cups/printers.conf system_u:object_r:cupsd_rw_etc_t:s0

Again I am using a fresh install of F8 with:

    selinux-policy-devel-3.0.8-56.fc8.noarch.rpm
    selinux-policy-targeted-3.0.8-56.fc8.noarch.rpm

So, again I am not sure why matchpathcon is giving different answers from what I get from the install rpms.
ls -l /etc/rc.d/rc.local /etc/resolv.conf /etc/exports /etc/cups/printers.conf
Dan, OK. I think I figured out the source of the problem. I was using links but hadn't realized that having a link would *change* the response of matchpathcon - this is not obvious from the manpage "matchpathcon - get the default SELinux security context for the specified path from the file contexts configuration" -- I had (mis)interpreted this to mean that the response was only dependent on the path and not on the file itself (or lack thereof).
If you have a better wording I will update the matchpathcon man page.
Dan, I wish I could help but I really don't know how 'matchpathcon' works. The description says "get the default SELinux security context for the specified path from the file contexts configuration"

But it seems to me that it is doing something more like:

Given a path, if a file exists then get the default security context for the file based on the security context configuration for the file type and ownership that currently exists at the path point. If there is no file existing at the path then get the default security context assuming that the path represents a standard file.

I know the above is imprecise and sounds a bit gobbledygook but I truly don't know what the function actually does.
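
Added example, not part of the thread and not libselinux code: a simplified Python model of a file-contexts lookup whose answer depends on the type of object found at the path, the symlink-versus-file effect the thread converges on. The entries are constructed from contexts named above, and the matching rules (a `--` flag restricting an entry to regular files, later entries winning, an unknown type matching any entry) are simplifying assumptions.

```python
import os
import re
import stat

# Constructed file_contexts-style entries: (path regex, type flag, context).
# Modelled on contexts named in the thread, not copied from the Fedora policy.
# Flag "--" = regular files only, "-l" = symlinks only, "-d" = directories
# only, None = any file type.
ENTRIES = [
    (r"/etc(/.*)?", None, "system_u:object_r:etc_t:s0"),
    (r"/etc/exports", "--", "system_u:object_r:exports_t:s0"),
    (r"/etc/rc\.d/rc\.local", "--", "system_u:object_r:initrc_exec_t:s0"),
]

FLAG_TO_IFMT = {"--": stat.S_IFREG, "-l": stat.S_IFLNK, "-d": stat.S_IFDIR}


def default_context(path, mode=0, entries=ENTRIES):
    """Return the default context for path, or None if no entry matches.

    mode is the st_mode of the object at path as lstat() reports it, so a
    symlink counts as S_IFLNK rather than as the type of its target.
    mode=0 means "type unknown" (e.g. nothing exists there) and turns the
    file-type check off.
    """
    ftype = stat.S_IFMT(mode)
    # Assumption of this model: later entries are the more specific ones,
    # so scan from the end and return the first hit.
    for pattern, flag, context in reversed(entries):
        if not re.fullmatch(pattern, path):
            continue
        if flag is not None and ftype and FLAG_TO_IFMT[flag] != ftype:
            continue  # entry is restricted to a different file type
        return context
    return None


def lookup_on_disk(path, entries=ENTRIES):
    """Look up path using the type of whatever currently exists there."""
    try:
        mode = os.lstat(path).st_mode
    except OSError:
        mode = 0  # nothing at this path: type unknown
    return default_context(path, mode, entries)
```

In this model a symlink placed at /etc/exports falls through to the generic /etc entry and gets etc_t, while a regular file or a missing path gets exports_t.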