On Wed, 10 Mar 2004 12:40, Tom Mitchell <mitch48(a)yahoo.com> wrote:
> The more general question is that for Large Medium and small
> updates....
> there may always be a question when one or more "makes" in the policy
> area will be needed. Is there a good way to check... will make
> check-all do the right thing?
>
>     cd /etc/security/selinux/src/policy
>     make ?????     # lots of choices...
>     make relabel   # necessary? when and how to check ...
>
> Is it necessary/useful to do stuff like this before or after a reboot?
> Is there a difference from vanilla in how promptly a reboot and other
> housecleaning for SELinux is needed? i.e. will audit go nuts...

In general use there should not be any need for a relabel except after severe
file system corruption, a backup/restore with non-XATTR aware backup
software, or booting a non-SE Linux kernel.

> Also I have taken to adding an alternate boot section in
> /boot/grub/grub.conf. Is this useful, useless, sane, silly,
> underkill, overkill. Thus...:

Grub is really good for allowing you to edit the kernel command line before
booting it. So if you have problems you can always tell it to boot the
kernel with selinux=0 appended even if that is not in your grub.conf.

If you accidentally boot a non-SE kernel then /etc/mtab and a few other files
will get the wrong label, which will be really annoying for you. We are
working on these issues, but in the meantime you probably don't want to make
it too easy to accidentally boot a non-SE kernel.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page