On Sat, 31 Jul 2004 05:22, Karsten Wade <kwade(a)redhat.com> wrote:
> On Thu, 2004-06-10 at 06:44, Daniel J Walsh wrote:
> > After running fixfiles relabel you should always reboot in order to
> > start programs under the right context. If you do this in level 5 there
> > is a chance the applications will write files out with bad context after
> > the relabel, before the reboot.
> Is it sufficient to do this in run level 3? So far it's worked for me,
> but is it risky?

As has been mentioned 3 is equivalent to 5 for such things.

If the machine booted in enforcing mode and was never in permissive mode then
the number of programs which could be in the wrong domain and which could
create files with the wrong context on shutdown is small.

If you are running in permissive mode with bad labelling then it's quite
likely that programs are in the wrong domain but the only real problem
is /etc/mtab which will have restorecon run on it at boot time.

If you change from targeted to strict policy then you can have user processes
running in the wrong context. In my lab on writing SE Linux policy at the
IBM Technical University the students had a problem because they were using
OpenOffice to read the lab notes (didn't have time to get them printed) and
when running in unconfined_t OO had created a socket in /tmp which it
couldn't access after rebooting in enforcing mode with strict policy.