Proposed F19 Feature: Dracut HostOnly
Simo Sorce
simo at redhat.com
Tue Jan 29 18:34:16 UTC 2013
On Tue, 2013-01-29 at 13:28 -0500, Daniel J Walsh wrote:
> On 01/29/2013 11:20 AM, John Reiser wrote:
> >>>> A generic fallback image should be installed by anaconda on
> >>>> installation/update and never ever be removed.
> >
> >> Also, fallback has interesting security properties…
> >
> >
> > "Rescue mode" forces a SELinux relabel at the next boot, and relabel can
> > take a very long time.
> >
> > How does "fallback mode" handle this, particularly if there have been
> > updates to SELinux policy after the fallback was created?
> >
> The reason for this is we do not know what files were created on the system
> while SELinux was disabled (Policy Not Loaded). If you know you did not
> create files on the system you could remove the /.autorelabel file and boot
> without a relabel.

Can we have a relabel mode that just searches only files changed after a
specific date?

If we stored the time of last "good" shutdown somewhere it would mean we
might be able to relabel only a minor subset of files, saving a lot of
time?

Simo.

--
Simo Sorce * Red Hat, Inc * New York