On Tue, 2003-10-21 at 09:27, Russell Coker wrote:
  

Steve, chcon needs access to /selinux/context, is there any problem in putting 
in a macro such as the following and using it for all user domains?

define(`can_check_context', `
allow $1 security_t:dir search;
allow $1 security_t:file { read write };
allow $1 security_t:security { check_context };
')
    

This is a recent change to chcon in Dan's SRPM; doesn't exist in the
coreutil-selinux patch from the last release. It isn't truly necessary,
as the context will be checked when it is passed to the kernel via
setfilecon and that call will fail if the context is invalid, so it is
only useful if there is some benefit to catching such errors earlier.

Even if it is worth retaining in chcon, I would suggest distinguishing
between an errno of ENOENT and an errno of EINVAL, as the former may
just indicate that selinuxfs wasn't mounted or the kernel was a
non-SELinux kernel (but could still have the xattr handlers), and
letting the chcon proceed in the former case.  Otherwise, you won't be
able to use chcon if selinuxfs is unmounted or using a non-SELinux
kernel that has the xattr handlers.  I should likely make the same
change to setfiles.