On Fri, 05 Sep 2014 14:05:57 -0500, Jonathan Abbey wrote:
|
| Given that this is happening with max_watches set far too low to
| handle recursive directory watches under /home, I'm going to assume
| that the restorecond code at selinuxproject actually does closely
| reflect what RHEL 6 is shipping, and recursion just isn't supported
| with restorecond.

And after re-reading the comment on restorecond.conf at
http://selinuxproject.org/page/GlobalConfigurationFiles
I see that I misinterpreted the meaning of "~/*". It says that it "expands to listen for all files created for all logged-in users within their home directories". I took that to be recursively within their home directories, but apparently not.
Jon
Yes, recursively would be far too expensive of an operation.
If you look at RHEL7, we introduce file_name_transitions, which allow us to do a better job of labeling files/directories on creation.
https://danwalsh.livejournal.com/46018.html
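The non-recursive behaviour discussed in this thread, shown at the inotify level as an added example (not code from either poster or from restorecond): a watch covers only the entries of the directory it is placed on, so covering a whole tree takes one watch per subdirectory. The temporary directory tree and the function names are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count IN_CREATE events that arrive on ifd; stops after 200 ms of silence. */
static int drain_creates(int ifd) {
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    struct pollfd p = { .fd = ifd, .events = POLLIN };
    int n = 0;
    while (poll(&p, 1, 200) > 0) {
        ssize_t len = read(ifd, buf, sizeof buf);
        if (len <= 0) break;
        for (char *q = buf; q < buf + len; ) {
            struct inotify_event *ev = (struct inotify_event *)q;
            if (ev->mask & IN_CREATE) n++;
            q += sizeof *ev + ev->len;
        }
    }
    return n;
}

/* Constructed tree: a temp dir standing in for a home directory, with one
 * subdirectory. Only the top directory is watched; a file is then created in
 * it (in_subdir = 0) or one level down (in_subdir = 1). Returns the number
 * of IN_CREATE events delivered, or -1 on failure. */
int creates_seen(int in_subdir) {
    char top[] = "/tmp/watchdemoXXXXXX", sub[64], file[96];
    if (!mkdtemp(top)) return -1;
    snprintf(sub, sizeof sub, "%s/Documents", top);
    snprintf(file, sizeof file, "%s/newfile", in_subdir ? sub : top);
    if (mkdir(sub, 0700) != 0) return -1;   /* exists before the watch is added */
    int ifd = inotify_init1(IN_NONBLOCK);
    if (ifd < 0 || inotify_add_watch(ifd, top, IN_CREATE) < 0) return -1;
    int fd = open(file, O_CREAT | O_WRONLY | O_EXCL, 0600);
    int n = (fd < 0) ? -1 : drain_creates(ifd);
    if (fd >= 0) close(fd);
    close(ifd);
    unlink(file); rmdir(sub); rmdir(top);   /* clean up the constructed tree */
    return n;
}

int main(void) {
    printf("in watched dir: %d event(s); one level down: %d\n", creates_seen(0), creates_seen(1));
    return 0;
}
```

The file created one level down produces no event on the parent's watch, which is why a label fix that depends on such watches never fires for files in subdirectories.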