Nico Kadel-Garcia writes:
> Until it breaks something, unpredictably. For example, restoration of
> previously working software with "rsync" from another working system,
> or "tar" from backup tape, will not set SELinux.

The solution here is to tell selinux to please rebuild the file permissions, as the next step after restore from tape, before trying to do anything with the system:

    restorecon -R -vv /restored/filesystem

(the verbose option is of course not necessary, just entertaining)

Is selinux worth it? There are a few extra steps, but I've been living with it enabled on my systems for years and it's not too hateful. It does use extra resources on I/O to verify things are ok, but most systems aren't running so close to the performance edge that anyone cares.

Does it help defend a system? That's a lot harder to quantify - which is a true statement for any security measure. Why? Because they're supposed to work in layers. If someone gets around one defense, the next is supposed to be there to stop them. If it's not, you're screwed. If they never make it to that next layer, you'll never know if that next layer was ever worth it.

--
Alec Habig, University of Minnesota Duluth Physics Dept.
ha...@neutrino.d.umn.edu
http://neutrino.d.umn.edu/~habig/
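
A dry run of the relabel step from the message above, as an added example that is not part of the original post: `restorecon -n -v` reports files whose label differs from policy without changing them, and the hypothetical helper `summarise_relabels` groups that report by type change. The sample lines and paths are constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Preview what a post-restore relabel would change before running it for real.
# On a real system, feed the helper with:
#   restorecon -R -n -v /restored/filesystem | summarise_relabels
# (-n = change nothing, -v = print each file whose label differs from policy)

# Reads restorecon verbose output on stdin and prints "COUNT OLDTYPE -> NEWTYPE"
# for each distinct type change, most frequent first.
summarise_relabels() {
  awk '
    # A context is user:role:type:level; the type is the third field.
    function setype(ctx,   f) { split(ctx, f, ":"); return f[3] }
    /^Would relabel / || /^Relabeled / {     # "... PATH from OLD to NEW"
      n[setype($(NF-2)) " -> " setype($NF)]++; next
    }
    /^restorecon reset / {                   # older form: "... PATH context OLD->NEW"
      split($NF, c, "->"); n[setype(c[1]) " -> " setype(c[2])]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# Constructed sample of dry-run output after restoring files without labels.
sample_dry_run() {
cat <<'EOF'
Would relabel /var/www/html/index.html from system_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/app.css from system_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
restorecon reset /etc/ssh/sshd_config context system_u:object_r:default_t:s0->system_u:object_r:etc_t:s0
Would relabel /home/alice/.ssh/authorized_keys from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:ssh_home_t:s0
EOF
}

sample_dry_run | summarise_relabels
```

An empty summary from the dry run means the restored tree already matches policy and the relabel pass has nothing to do.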