* Daniel J Walsh [2004-10-18 22:40]:
> We are beginning to look into how we could support clusters with SELinux.
> Usually in clusters you move your configuration off on to some shared
> storage.
>
> So you might do a cp -a /var/named /shared/var/named
>
> We need some way of relabeling these directories with file context. My
> idea is to add an alternate
> root qualifier to restorecon

One thing to note here is that restorecon becomes more dangerous with your changes. Right now restorecon is relatively safe in that you can only change file labels to their system default. It would probably be acceptable in most environments to give users access to restorecon so they could properly set labels for files in their home dir.

With your changes and this scenario, users could do something like

restorecon -p /home/foo /home/foo/sbin/unix_chkpwd

and start reading /etc/shadow. So I am not sure this is the right way.

Thomas

--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
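
Added example, not part of the original post: a simplified Python model of file-context lookup, showing how an alternate-root qualifier changes the label restorecon would apply to the same file. The spec table is constructed, last-match-wins is a simplifying assumption, and the proposed `-p` qualifier is modelled as stripping the given prefix before lookup.

```python
import re

# Constructed, simplified file-context specs (regex, label); not a real policy file.
FILE_CONTEXTS = [
    (r"/.*", "system_u:object_r:default_t"),
    (r"/home/[^/]+/.*", "system_u:object_r:user_home_t"),
    (r"/var/named(/.*)?", "system_u:object_r:named_zone_t"),
    (r"/sbin/unix_chkpwd", "system_u:object_r:chkpwd_exec_t"),
]


def lookup(path, specs=FILE_CONTEXTS):
    """Return the label of the last spec whose regex matches the whole path."""
    label = None
    for pattern, context in specs:
        if re.fullmatch(pattern, path):
            label = context
    return label


def label_with_alt_root(path, alt_root=None):
    """Label that would be applied; alt_root models the proposed qualifier."""
    if alt_root:
        root = alt_root.rstrip("/")
        if path != root and not path.startswith(root + "/"):
            raise ValueError("path is not under the alternate root")
        # Strip the prefix so the remainder is matched as if it were at /.
        path = path[len(root):] or "/"
    return lookup(path)


def changes_label(path, alt_root):
    """True when the alternate root yields a label other than the system default."""
    return label_with_alt_root(path, alt_root) != label_with_alt_root(path)


if __name__ == "__main__":
    cases = [
        ("/shared/var/named/zone.db", "/shared"),      # the cluster use case
        ("/home/foo/sbin/unix_chkpwd", "/home/foo"),   # the case raised in the reply
    ]
    for path, root in cases:
        print(path)
        print("  system default :", label_with_alt_root(path))
        print("  alternate root :", label_with_alt_root(path, root))
```

Both cases use the same mechanism, so a design that keeps the cluster use case has to restrict who may choose the alternate root or which roots are accepted.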