Comments (5)

stephensmalley avatar stephensmalley commented on July 23, 2024

setfiles -r /path/to/altroot /path/to/altroot/etc/selinux/targeted/contexts/files/file_contexts /path/to/altroot
Used in meta-selinux for OpenEmbedded.
Alternatively, Android extends make_ext4fs (system/extras/ext4_utils) to support labeling the ext4 images when they are generated initially.

from selinux.
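To make concrete what `setfiles -r /path/to/altroot` does with the paths it labels, here is an added example (not code from the SELinux project) that strips the alternate-root prefix from each path and resolves its context from a file_contexts-style spec list, with last-match-wins and file-type filtering as setfiles(8) applies them. The file_contexts excerpt and the altroot path are constructed sample data, and Python's `re` stands in for the PCRE engine libselinux uses.

```python
"""Resolve SELinux file contexts for files under an alternate root.

Illustrates the path handling of `setfiles -r ALTROOT`: ALTROOT is removed
from each path before matching against file_contexts, so the entries can be
written for the target filesystem's layout, not the build host's.
"""
import re

# Constructed sample file_contexts excerpt (not copied from any real policy).
FILE_CONTEXTS = """\
/.*                     system_u:object_r:default_t:s0
/etc(/.*)?              system_u:object_r:etc_t:s0
/etc/shadow             --  system_u:object_r:shadow_t:s0
/var/log(/.*)?          system_u:object_r:var_log_t:s0
/proc                   -d  <<none>>
"""

# Optional file-type column, as documented in setfiles(8).
TYPE_FLAGS = {"--": "reg", "-d": "dir", "-l": "lnk", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}


def parse_file_contexts(text):
    """Return a list of (compiled_regex, file_type_or_None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts[0], TYPE_FLAGS[parts[1]], parts[2]
        else:
            regex, ftype, ctx = parts[0], None, parts[1]
        # setfiles anchors every regex at both ends.
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs


def lookup_context(specs, altroot, path, ftype="reg"):
    """Context for PATH under ALTROOT; the last matching spec wins."""
    root = altroot.rstrip("/")
    rel = path[len(root):] if path.startswith(root) else path
    rel = rel or "/"
    for regex, spec_type, ctx in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.match(rel):
            # <<none>> means: leave this file unlabeled.
            return None if ctx == "<<none>>" else ctx
    return None
```

Because the lookup never touches xattrs on the build host, the same logic is what lets an image generator (the make_ext4fs approach described above) emit contexts the host policy does not know about.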

stephensmalley avatar stephensmalley commented on July 23, 2024

Also, I believe Yocto added support for setting xattrs in their generated ext[34] filesystem images as well, such that the model is that meta-selinux runs setfiles -r to set the contexts on the files and then the image generation tools fetch those xattrs and set them in the generated image. I prefer the Android approach (unsurprisingly, since I wrote it originally) because it doesn't require the build host OS to deal with the security contexts at all; make_ext4fs directly looks up the correct context in file_contexts (when passed the appropriate options) and sets the xattr values in the generated image, without ever having to set a context on a file in a mounted filesystem on the build host. Aside from efficiency, this has the benefit that it avoids a potential problem when the build host OS has SELinux enabled and the contexts being set are unknown to its SELinux policy.

from selinux.

stephensmalley avatar stephensmalley commented on July 23, 2024

Also, just FYI, setfiles and restorecon are the same program these days, just with different command line interfaces and default behaviors selected by argv[0]. The original SELinux implementation from us only had setfiles, which was intended to be used to label filesystems even before first booting SELinux (and this was the basis for FreeBSD setfsmac(8)). Later Dan Walsh created a simpler restorecon utility for users to run on a SELinux-enabled system to restore contexts to their initial state. Over time, restorecon kept adding more functionality, overlapping significantly with setfiles, and eventually we coalesced them back into a single program. restorecon though is still only intended for use on a SELinux-enabled system, whereas setfiles is appropriate for running on SELinux-enabled or -disabled hosts.

from selinux.

stephensmalley avatar stephensmalley commented on July 23, 2024

I'm going to close this issue since I think it is already supported adequately via setfiles -r, but re-open or submit a new one if you encounter problems. NB If running on a SELinux-enabled build host, then some machinations may be necessary to set security contexts unknown to the build host SELinux policy on files in this way.

from selinux.

aduskett avatar aduskett commented on July 23, 2024

I know it's a late response, but I just wanted to thank you for the super helpful information!

from selinux.
