Proposed F19 Feature: Dracut HostOnly

Daniel J Walsh dwalsh at redhat.com
Tue Jan 29 18:45:43 UTC 2013


On 01/29/2013 01:34 PM, Simo Sorce wrote:
> On Tue, 2013-01-29 at 13:28 -0500, Daniel J Walsh wrote:
>> On 01/29/2013 11:20 AM, John Reiser wrote:
>>>>>> A generic fallback image should be installed by anaconda on 
>>>>>> installation/update and never ever be removed.
>>> 
>>>> Also, fallback has interesting security properties…
>>> 
>>> 
>>> "Rescue mode" forces a SELinux relabel at the next boot, and relabel
>>> can take a very long time.
>>> 
>>> How does "fallback mode" handle this, particularly if there have been 
>>> updates to SELinux policy after the fallback was created?
>>> 
>> The reason for this is we do not know what files were created on the
>> system while SELinux was disabled (Policy Not Loaded).  If you know you
>> did not create files on the system you could remove the /.autorelabel
>> file and boot without a relabel.
> 
> Can we have a relabel mode that just searches only files changed after a
> specific date? If we stored the time of last "good" shutdown somewhere it
> would mean we might be able to relabel only a minor subset of files, saving
> a lot of time?
> 
> Simo.
> 
Well you would still need to search everywhere on the file system for those
files.  If the filesystem gave an easy way to find the latest fds that have
been changed, then ...

I guess we could compare any file created after /.autorelabel, and then get
the relabel to be

find / -newer /.autorelabel  -print0 | restorecon -f - -0
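
The partial relabel proposed in the message above, as an added shell example that is not part of the original e-mail. The function names are hypothetical; it assumes GNU find and the restorecon from policycoreutils, and the `-cnewer` mode and `-xdev` are additions beyond the command in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes GNU find (-cnewer, -print0) and policycoreutils' restorecon.

# changed_since MARKER ROOT [CMP]
# Print, NUL-separated, every path under ROOT changed after MARKER.
# CMP is -newer (file mtime vs marker mtime, as in the command above) or
# -cnewer (file ctime vs marker mtime). mtime can be set backwards by
# touch, tar or rsync, so a file written while policy was not loaded can
# look older than the marker; ctime is set by the kernel on every inode
# change and cannot be backdated that way.
changed_since() {
    marker=$1 root=$2 cmp=${3:--cnewer}
    [ -e "$marker" ] || { echo "marker $marker missing" >&2; return 2; }
    case $cmp in
        -newer|-cnewer) ;;
        *) echo "unsupported comparison $cmp" >&2; return 2 ;;
    esac
    # -xdev keeps find on ROOT's own filesystem (no /proc, /sys, NFS);
    # call once per labelled filesystem to cover separate /home or /var.
    find "$root" -xdev "$cmp" "$marker" -print0
}

# count_changed MARKER ROOT [CMP]
# Number of paths changed_since would hand to restorecon (counts NULs,
# so file names containing newlines are counted once).
count_changed() {
    changed_since "$@" | tr -dc '\000' | wc -c | tr -d ' '
}

# partial_relabel MARKER ROOT CMP [RESTORECON_FLAGS...]
# Feed the list to restorecon. Dry run that only reports mismatches:
#   partial_relabel /.autorelabel / -cnewer -n -v
partial_relabel() {
    [ $# -ge 3 ] || { echo "usage: partial_relabel MARKER ROOT CMP [flags]" >&2; return 2; }
    marker=$1 root=$2 cmp=$3
    shift 3
    changed_since "$marker" "$root" "$cmp" | restorecon "$@" -f - -0
}
```

As the message notes, find still walks the whole tree; the saving is in how many paths restorecon has to look up and relabel.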

