Relabeling A File System - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

[root@host2a ~]# sestatus -b | grep httpd | grep on$
httpd_builtin_scripting
httpd_disable_trans
httpd_enable_cgi
httpd_enable_homedirs
httpd_unified

45.2.2. Relabeling a File System

You may never need to relabel an entire file system. This usually occurs only when labeling a file
system for SELinux for the first time, or when switching between different types of policy, such as
changing from the targeted to the strict policy.
Relabeling a File System Using init
The recommended method for relabeling a file system is to reboot the machine. This allows the init
process to perform the relabeling, ensuring that applications have the correct labels when they are
started and that they are started in the right order. If you relabel a file system without rebooting, some
processes may continue running with an incorrect context. Manually ensuring that all the daemons are
restarted and running in the correct context can be difficult.
Use the following procedure to relabel a file system using this method.
touch /.autorelabel
reboot
At boot time, init.rc checks for the existence of /.autorelabel. If this file exists, SELinux
performs a complete file system relabel (using the /sbin/fixfiles -f -F relabel command),
and then deletes /.autorelabel.
Relabeling a File System Using fixfiles
It is possible to relabel a file system using the fixfiles command, or to relabel based on the RPM
database:
Use the following command to relabel a file system only using the fixfiles command:
fixfiles relabel
Use the following command to relabel a file system based on the RPM database:
fixfiles -R <packagename> restore
Using fixfiles to restore contexts from packages is safer and quicker.
Caution
Running fixfiles on the entire file system without rebooting may make the system
unstable.
on
on
on
on
on
Relabeling a File System
759