But a couple of times in the last week the question came up about why touch /.autorelabel; reboot doesn't fix the labels on all files on the machine.
Certain directories on the machine have a file context of <<none>> in the /etc/selinux/POLICYTYPE/contexts/file_co
This tells the tools that files in such a directory could legitimately be labeled anything, so restorecon, setfiles and fixfiles just leave the contents alone.
If you grep the file
# grep -i None /etc/selinux/targeted/contexts/files/fil
You will see 34 matches. Most of these are lost+found directories, spool directories, /var/run and tmp directories.
The one that usually causes problems, though, is /tmp. As I blogged before, system tools should never use this directory, but sadly some still do. If a confined domain tries to access a mislabeled file in /tmp and gets an access denied, a relabel of the file system will not help, because the relabel skips /tmp.
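As an added example (not code from the original post), the POSIX shell script below parses a file in file_contexts format, lists its <<none>> entries, and reports, for a given path, which entry wins and whether that entry is <<none>>. That is exactly the decision that makes restorecon, setfiles and fixfiles leave a path alone during a relabel. The sample file_contexts content is constructed for the demo (default_t and etc_t are ordinary policy types, the regexes are illustrative), the function names are my own, and it assumes libselinux's rule that the last matching entry in the file wins; pass your real /etc/selinux/<policytype>/contexts/files/file_contexts as the second argument to run it against a live system.

```shell
#!/bin/sh
# Added example, not code from the original post: list the <<none>> entries
# of a file_contexts file and tell whether a given path falls under one.
# A path whose winning entry is <<none>> is skipped by restorecon, setfiles
# and fixfiles, so touch /.autorelabel; reboot never relabels it.

# Constructed sample in file_contexts format: <regex> [-type] <context>.
# The optional type column (-d, -s, ...) means the context is the last field.
SAMPLE_FC='/.*                      system_u:object_r:default_t:s0
/etc/.*                             system_u:object_r:etc_t:s0
/tmp/.*                             <<none>>
/var/tmp/.*                         <<none>>
/var/run/.*                         <<none>>
/tmp/\.X11-unix(/.*)?     -s        <<none>>'

FC_FILE=$(mktemp)
trap 'rm -f "$FC_FILE"' EXIT
printf '%s\n' "$SAMPLE_FC" > "$FC_FILE"

# Print the path regex of every entry in FILE whose context is <<none>>.
none_patterns() {
    awk '$NF == "<<none>>" { print $1 }' "$1"
}

# Print "<regex> <context>" of the last entry in FILE whose regex matches
# PATH as a whole (assumption: last match wins, as libselinux applies it).
last_match() {
    awk -v p="$1" '
        NF >= 2 && $1 !~ /^#/ {
            # anchor the entry regex to the full path; context is the last field
            if (match(p, "^" $1 "$")) { re = $1; ctx = $NF }
        }
        END { if (re != "") print re, ctx }' "$2"
}

# Exit 0 and print the winning regex if PATH is left alone by a relabel
# (its winning entry is <<none>>); exit 1 otherwise. read(1) is used rather
# than word splitting so the regex metacharacters never hit the shell's glob.
is_unlabeled_path() {
    last_match "$1" "$2" | {
        read -r re ctx || exit 1            # no entry matched at all
        [ "$ctx" = "<<none>>" ] || exit 1   # winning entry assigns a real label
        printf '%s\n' "$re"
    }
}

# Usage demo on constructed paths.
echo "<<none>> patterns in $FC_FILE:"
none_patterns "$FC_FILE"
for p in /tmp/.X0-lock /tmp/.X11-unix/X0 /etc/passwd; do
    if re=$(is_unlabeled_path "$p" "$FC_FILE"); then
        echo "$p: left alone by relabel (matches $re)"
    else
        echo "$p: would be relabeled to $(last_match "$p" "$FC_FILE" | awk '{ print $2 }')"
    fi
done
```

On a real system, the same is_unlabeled_path check against the actual file_contexts tells you up front whether an AVC on a given file is something autorelabel can fix or whether you are in the /tmp situation described above.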
We used to remove the contents of /tmp when a user ran touch /.autorelabel; reboot, but this was considered too dangerous. Some users consider /tmp more permanent than others. Personally I always run my system with a tmpfs file system on /tmp; that way all the garbage gets removed on reboot. The easiest thing to do when you see one of these AVCs on /tmp is just to remove the files from /tmp and restart the service. For example, if I had a problem with xdm accessing some mislabeled files in /tmp, I would run
# rm -rf /tmp/.??* /tmp/*
Then restart my gdm service.
If people have a better idea for solving this problem, I am all ears.