On Thursday, 5 January 2017 11:09:49 PM AEDT Marco d'Itri wrote:
> > After creating symlinks please test if /sbin/restorecon (or
> > /usr/sbin/restorecon) exists, if it exists run "/sbin/restorecon $NAME"
> > where $NAME is the newly created link.
>
> Do you mean the /{bin,sbin,lib/,...}/ links

Yes.

> or each and every one that
> may be created e.g. in /usr/bin/ as replacement of an existing similar
> link?

I hadn't noticed any changes in that regard, which means that any links that
were recreated had the desired type by default. In almost all cases a symlink
under /usr will have the same type as the directory it's in which means that
it will work fine with the default context from when the package installation
scripts are run.

While there could possibly be an issue in that regard in future, it's unlikely
and could be considered a bug in policy.

But the wrong label on the links for /bin or /sbin can prevent users logging
in to the system (even root).

I suggest not bothering about the theoretical issue that may never happen in
practice and probably won't be serious anyway (the potential labels of links
under /usr) and just fix the proven repeatable problem that makes sysadmin
access impossible (labelling of /{bin,sbin,lib/,...}/ links).

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
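
The check requested in the message above, sketched as a POSIX shell helper. This is an added example, not part of the original e-mail and not the package's own script; the names `find_restorecon`, `make_link` and `RESTORECON_CANDIDATES` are hypothetical, and the candidate list is made overridable only so the helper can be exercised without SELinux installed.

```shell
#!/bin/sh
# Added example (not from the original message): create a top-level
# compatibility symlink and relabel it when restorecon is installed.
# All function and variable names here are hypothetical.

# Paths named in the message; overridable for testing (assumption).
RESTORECON_CANDIDATES="${RESTORECON_CANDIDATES:-/sbin/restorecon /usr/sbin/restorecon}"

# Print the first executable restorecon; return 1 if none exists,
# which is the normal case on systems without SELinux tools.
find_restorecon() {
    for candidate in $RESTORECON_CANDIDATES; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# make_link TARGET NAME
# Create symlink NAME -> TARGET, then run "restorecon NAME" on the
# newly created link so it does not keep the default context it got
# from the process that created it.
make_link() {
    target=$1
    name=$2
    ln -s "$target" "$name" || return 1
    if tool=$(find_restorecon); then
        # A relabel failure is reported but does not abort the
        # conversion: the link itself already exists at this point.
        "$tool" "$name" || echo "warning: restorecon failed for $name" >&2
    fi
    return 0
}

# Example call for one of the /{bin,sbin,lib,...} links:
#   make_link usr/bin /bin
```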