Inconsistent behavior with semanage

Why is it that if I use "chcon -t slapd_db_t file" to change the type context of a file, it reverts with "restorecon file", but if I use "chcon -u system_u" to change the user context, restorecon has no effect?

When I try to use semanage to set the user context permanently, e.g.,

semanage fcontext -m -s system_u file;
restorecon -R -v file

it has no effect at all. But if I use chcon to do it, the user context is changed, and the change is persistent.

I expect this kind of "i before e except after c" stuff in spoken languages that evolved over thousands of years, but not in software where every aspect has been deliberately engineered. Am I missing something here?

answered 2013-02-07

restorecon does not affect the User component of the SELinux context unless you specify the -f flag.

semanage fcontext -m -t TYPE file

is the proper command; it is really used to set the file type, not the file's SELinux user. I am surprised the semanage command you specified even works. I would bet the -s command is ignored.

BTW, the SELinux user component on a file is totally ignored by SELinux as far as enforcement of rules. The Type field is the important field.

On Fedora 18 this would give you an error.

semanage fcontext -a -s system_u /dan

/sbin/semanage: SELinux Type is required
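An added model of the behaviour described in the thread (not the answerer's code and not the real chcon/restorecon/semanage implementations): it applies the documented rules, restorecon resets only the type unless run with -F, and semanage fcontext -a needs a type, to a constructed default label so the two chcon experiments from the question can be traced. The policy default "system_u:object_r:user_home_t:s0" and the function names are assumptions for the example.

```python
# Added model of SELinux context handling, not the real tools. It encodes the
# documented rules: restorecon resets only the type unless -F is given, and
# semanage fcontext -a requires a type (the Fedora error quoted above).

def parse(ctx):
    """Split 'user:role:type:level' into its four components."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}

def join(parts):
    return ":".join(parts[k] for k in ("user", "role", "type", "level"))

def chcon(ctx, **changes):
    """chcon -u/-r/-t/-l: overwrite the named components on the inode."""
    parts = parse(ctx)
    for key, val in changes.items():
        if key not in parts:
            raise ValueError("unknown component: " + key)
        parts[key] = val
    return join(parts)

def restorecon(ctx, policy_default, force=False):
    """Relabel a file from the policy's file_contexts entry.

    Without -F only the type is reset; user, role and range on the file are
    left alone, which is why a 'chcon -u' survives a plain restorecon.
    With -F the whole context is replaced by the policy default.
    """
    if force:
        return policy_default
    parts = parse(ctx)
    parts["type"] = parse(policy_default)["type"]
    return join(parts)

def semanage_fcontext_add(spec, setype=None, seuser="system_u"):
    """semanage fcontext -a: a type is mandatory, as the Fedora error shows."""
    if setype is None:
        raise ValueError("SELinux Type is required")
    # Constructed entry shape, not the real file_contexts.local format.
    return {"spec": spec, "context": f"{seuser}:object_r:{setype}:s0"}

def walkthrough():
    """Replay the question's two chcon experiments against one default label."""
    default = "system_u:object_r:user_home_t:s0"  # constructed policy default
    retyped = chcon(default, type="slapd_db_t")        # chcon -t slapd_db_t
    reusered = chcon(default, user="unconfined_u")     # chcon -u unconfined_u
    return {
        "type_after_restorecon": restorecon(retyped, default),
        "user_after_restorecon": restorecon(reusered, default),
        "user_after_restorecon_F": restorecon(reusered, default, force=True),
    }
```

Running walkthrough() shows the type change reverting while the user change persists until restorecon is forced with -F.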

