Re: should runcon/chcon be privileged commands?

Well, the type enforcement rules are controlling what labels they can relabel from and what labels they can relabel to.

So a user_t user might be allowed to relabelfrom user_home_t to httpd_user_content_t to allow them to make content available to apache from within their home dir.

This is very different than the way traditional MLS machines worked. So they are not changing the sensitivity level of data, they are just labeling data from one type they control to another.
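
As an added illustration (not part of the original message and not taken from any real policy), the script below reads a constructed set of allow rules and lists which type-to-type relabels a domain could perform with chcon. It models only the relabelfrom/relabelto type enforcement checks and ignores attributes, constraints, filesystem association and DAC ownership; the rule set and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rules in .te allow-rule syntax (not from a real policy).
SAMPLE_POLICY = """
allow user_t user_home_t:file { read write getattr relabelfrom relabelto };
allow user_t httpd_user_content_t:file { read getattr relabelfrom relabelto };
allow user_t user_home_t:dir { search getattr relabelfrom };
allow user_t httpd_user_content_t:dir { search getattr relabelto };
allow user_t shadow_t:file getattr;
allow httpd_t httpd_user_content_t:file { read getattr };
"""

# allow <source> <target>:<class> { perm ... };   or a single bare permission
RULE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;$")

def parse_allow_rules(text):
    """Return {(source, target, class): set(perms)} for simple allow rules."""
    rules = defaultdict(set)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = RULE.match(line)
        if m:
            src, tgt, cls, braced, single = m.groups()
            rules[(src, tgt, cls)].update((braced or single).split())
    return rules

def types_with(rules, domain, cls, perm):
    """Target types on which the domain holds the given permission."""
    return {t for (s, t, c), p in rules.items()
            if s == domain and c == cls and perm in p}

def relabel_pairs(rules, domain, cls="file"):
    """(old_type, new_type) pairs the domain may relabel between.
    Needs relabelfrom on the old type and relabelto on the new type."""
    old = types_with(rules, domain, cls, "relabelfrom")
    new = types_with(rules, domain, cls, "relabelto")
    return sorted((o, n) for o in old for n in new if o != n)

def may_relabel(rules, domain, old_type, new_type, cls="file"):
    return (old_type, new_type) in relabel_pairs(rules, domain, cls)

if __name__ == "__main__":
    parsed = parse_allow_rules(SAMPLE_POLICY)
    for cls in ("file", "dir"):
        for old, new in relabel_pairs(parsed, "user_t", cls):
            print(f"user_t may relabel {cls}: {old} -> {new}")
```
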

