I would like to add getfileconperm and setfileconperm to libselinux.  
This will set a flag to indicate whether the security context of the
file was set via chcon (Permanently) or via setfiles/restorecon.  If 
this patch is approved, I have patches to coreutils and policycoreutils
to use them.

chcon will always set the permanent flag.

restorecon and setfiles will ignore permanent files, unless the -F flag 
is passed which will cause them to modify the
context.

Examples of where a sysadmin would want to use this is for html pages.

What do you think?

Downsides:
It will cause restorecon and setfiles to run a little slower.
It is not atomic so chcon could set the file context and not set the 
permanent flag.

Dan