2013/3/15 Stephen Smalley <sds@xxxxxxxxxxxxx>:

> f is truly a regular file and not a symlink pointing to a regular file?

f is a truly regular file.

> before_t and after_t are both defined in the policy?

Only before_t was defined in the policy.
When I define after_t in the policy, both commands return the same
label (after_t).
But I wouldn't expect this to make a difference in the output of both
commands (as the only visible difference is lgetxattr() vs getxattr())

> before_t and after_t are not type aliases of each other?

They are not.

> What are the credentials (capabilities and SELinux security
> context/permissions) of the process running the ls and getfattr commands?

It has unconfined_u:unconfined_r:before_t label with before_t type.
Same as the file f.
The process has full SELinux rights on both command and file.

> Any relevant messages from SELinux in dmesg output?

No avc warnings in dmesg and audit.log. All looks good.