I’ve been doing pretty good at finding answers without asking for the last year and a half, but I finally screwed up.
I was setting up a new workstation install; I use 3 user profiles in a group. Multiple hard drives, I use one for the 3 users to read/write/execute, basically fulltime access whenever needed.
I set up a new directory (vault) for the mountpoint, chmod, had access with the 3 users, all good except user 1 (all users) couldn’t create say a new folder/file inside a folder created by another user, delete was the only thing that worked properly.
So I tried and failed at setting guid, I only checked it with the user setting it up, not right or maybe it was and all I needed to do was reboot. I deleted the directory, and now no boot.
TTY’d, created the directory back in, didn’t boot. There are 2 new files, .hcwd and .autorelabel, I was going to delete them, but decided to wait and ask.
I threw the white flag, first time. With it a one day install, 10hrs searching, tty on 4k, I yanked a copy of /home, popped my edited iso in (my programs, not defaults), install, swapped /homes, fully functional in 30 mins.
I will search a bit more selinux, always learning.
99.9% of the time I have no problems with selinux.
I run it in enforcing mode full time and it automatically labels files and directories with the proper context.
When switching from disabled to either permissive or enforcing the only requirement would be to initially relabel the selinux context for the entire system.
The steps would be to
1. edit `/etc/selinux/config` and set `SELINUX=permissive` and `SELINUXTYPE=targeted`
2. reboot
3. run the command `sudo fixfiles onboot`
   or
   run the command `sudo restorecon -RF /`
Either command will restore the selinux context across the entire file system. The first does so during boot and must complete before it will finish booting. The second does so while the system is running and must be allowed to complete before doing a shutdown or reboot.
After step 3 completes it is simple to edit the /etc/selinux/config file again and set SELINUX=enforcing then reboot.
At this point selinux should be in enforcing mode and should keep the file system context properly labeled for you. (Permissive mode also keeps things properly labeled but does not enforce the policies.)
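
An added example, not part of either post: a small shell check that reads `/etc/selinux/config` and the `/.autorelabel` flag (the file `fixfiles onboot` leaves behind, and one of the two files noticed in the first post) to report where a system stands in the procedure above. The `ROOT` argument and the function names are hypothetical; pass a mounted rescue filesystem as the first argument to inspect a system that will not boot.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is a hypothetical argument so the
# check can be pointed at a mounted rescue filesystem or a test directory.

# Print the value of key $2 (SELINUX or SELINUXTYPE) from config file $1,
# skipping commented-out lines; the last assignment wins.
selinux_cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print the stage: no-config, disabled, relabel-pending, permissive,
# enforcing or unknown.
relabel_stage() {
    root=${1:-/}
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || { echo no-config; return 0; }
    mode=$(selinux_cfg_get "$cfg" SELINUX)
    case "$mode" in
        disabled) echo disabled ;;
        permissive|enforcing)
            # /.autorelabel is the flag left by `fixfiles onboot`; it is
            # removed once the boot-time relabel has finished.
            if [ -e "$root/.autorelabel" ]; then echo relabel-pending
            else echo "$mode"; fi ;;
        *) echo unknown ;;
    esac
}

# Map a stage to the matching step of the procedure in the reply.
next_step() {
    case "$1" in
        disabled) echo "set SELINUX=permissive, reboot, then relabel" ;;
        relabel-pending) echo "reboot and let the relabel run to completion" ;;
        permissive) echo "once a full relabel has completed, set SELINUX=enforcing and reboot" ;;
        enforcing) echo "nothing to do" ;;
        *) echo "check /etc/selinux/config by hand" ;;
    esac
}

stage=$(relabel_stage "${1:-/}")
echo "stage: $stage -> $(next_step "$stage")"
```

A `permissive` result without the flag file does not prove a relabel ever ran; the script only shows that none is queued for the next boot.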