I'm noticing some files within a web directory with changed file contexts that deviate from system policy. There are developers that run git pull against a higher part of the web directory and I'm wondering if that could be the cause, but my tests have shown git to respect the SELinux labelling rules. To be explicit, this is not changing the labelling rules, just the labels on a specific directory and its descendants. And a restorecon -R is enough to fix it.
Is it possible to track what makes changes to file contexts and when? Is that something auditd is capable of tracking? As it stands, the audit log and /var/log/secure do not show anything that obviously would have made the change. Is there a syscall I could instrument with ftrace or something?
How would one go about tracking down this change?
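As an added example, not part of the original question: one way to answer "who relabelled what, and when" is to audit the xattr-writing syscalls under the web tree and correlate the resulting SYSCALL and PATH records by event id. The script below does that correlation over constructed audit lines; the auditctl rule in the comment, the /var/www path, the key name and all record values are assumptions for the illustration.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers that can rewrite a file's SELinux label (the security.selinux xattr).
RELABEL_SYSCALLS = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"}

# Constructed records in /var/log/audit/audit.log format, as a rule such as
#   auditctl -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr -F dir=/var/www -F key=selinux-relabel
# would produce. Not real data. auid is the login uid, which survives sudo/su and so
# names the developer even when the relabel ran as root.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=188 success=yes exit=0 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="chcon" exe="/usr/bin/chcon" key="selinux-relabel"
type=CWD msg=audit(1700000000.123:4567): cwd="/var/www"
type=PATH msg=audit(1700000000.123:4567): item=0 name="/var/www/html/index.php" inode=1311 dev=fd:01 mode=0100644 ouid=48 ogid=48 obj=system_u:object_r:httpd_sys_content_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.900:4570): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 comm="git" exe="/usr/bin/git" key=(null)
type=PATH msg=audit(1700000000.900:4570): item=0 name="/var/www/.git/index" inode=1400 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 obj=unconfined_u:object_r:httpd_sys_content_t:s0 nametype=NORMAL
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into (record type, event id, fields) with quotes stripped."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    event_id = re.search(r'audit\([\d.]+:(\d+)\)', line).group(1)
    return fields["type"], event_id, fields

def find_relabel_events(log_text):
    """Correlate SYSCALL and PATH records by event id; report who relabelled which path."""
    by_event = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in filter(str.strip, log_text.splitlines()):
        rtype, eid, f = parse_record(line)
        if rtype == "SYSCALL":
            by_event[eid]["syscall"] = f
        elif rtype == "PATH":
            by_event[eid]["paths"].append(f)
    hits = []
    for eid, ev in by_event.items():
        sc = ev["syscall"]
        if sc is None or int(sc["syscall"]) not in RELABEL_SYSCALLS:
            continue  # e.g. git's openat() above: reads the tree but writes no label
        for p in ev["paths"]:
            hits.append({"event": eid, "syscall": RELABEL_SYSCALLS[int(sc["syscall"])],
                         "auid": sc["auid"], "pid": sc["pid"], "comm": sc["comm"],
                         "exe": sc["exe"], "path": p["name"], "label_seen": p.get("obj")})
    return hits

if __name__ == "__main__":
    for h in find_relabel_events(SAMPLE_LOG):
        print(h)
```

On a live system `ausearch -k selinux-relabel -i` performs the same correlation and resolves the syscall numbers for you; the script is useful when the logs have been shipped elsewhere.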