new kernel, new policy installed as .rpmnew

Colin Walters walters at redhat.com
Thu Dec 30 17:04:06 UTC 2004


On Wed, 2004-12-29 at 21:42 -0500, Charles R. Anderson wrote:
> I just yum updated, and got the latest testing kernel and policy 
> files:
> 
>   Install: kernel.i686 0:2.6.9-1.715_FC3
>   Install: kernel-smp.i686 0:2.6.9-1.715_FC3
> [...]
>  Update: selinux-policy-targeted.noarch 0:1.17.30-2.58
>  Update: selinux-policy-targeted-sources.noarch 0:1.17.30-2.58
> [...]
> Installing: kernel-smp 100 % done 1/160 
> warning: /etc/selinux/targeted/contexts/files/file_contexts created as /etc/selinux/targeted/contexts/files/file_contexts.rpmnew
> warning: /etc/selinux/targeted/policy/policy.18 created as /etc/selinux/targeted/policy/policy.18.rpmnew
> Updating: selinux-policy-targeted 100 % done 2/160 
> 
> The FAQ says that the policy reloads automatically, and that a manual
> relabel may be necessary.  It doesn't say anything about fixing the
> filenames that were named .rpmnew.  How can the policy automatically
> reload when the file isn't named correctly?

This can happen when you have selinux-policy-targeted-sources installed.
It's complicated to solve; I think we ended up deciding that if you have
-sources installed, it's up to you to do a policy rebuild for new
versions.

> Since policy is tied to the kernel, what happens when I have more than
> one kernel installed, and I boot an older one from grub? 

If you don't need to customize policy, deinstall the -sources package,
and move the .rpmnew files over the non-.rpmnew versions.  Then this
problem goes away.

If you do need to customize policy, then you're probably best off
booting in non-enforcing mode after an update to test and ensure that
your changes work with the latest package.  Keeping a custom policy is
nontrivial at the moment, and it's something I'd like to fix.
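
The "move the .rpmnew files over the non-.rpmnew versions" step from the reply above, as an added example that is not part of the original message: a dry-run-first helper that lists pending .rpmnew files and, on request, promotes them while keeping a copy of the live version. The function name promote_rpmnew and the backup suffix are hypothetical; removing the -sources package and reloading or relabeling afterwards are separate steps it does not perform.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default; pass --apply to act.
# BACKUP_SUFFIX is a hypothetical name chosen for this sketch.
BACKUP_SUFFIX=".pre-rpmnew"

promote_rpmnew() {
    dir=$1
    mode=${2:-}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # Collect pending files first so the loop runs in this shell, not a pipe subshell.
    list=$(find "$dir" -type f -name '*.rpmnew' | sort)
    [ -n "$list" ] || { echo "nothing pending under $dir"; return 0; }

    while IFS= read -r new; do
        cur=${new%.rpmnew}
        if [ "$mode" != "--apply" ]; then
            echo "pending: $new -> $cur"
            continue
        fi
        # Keep the version that was live so the change can be undone.
        if [ -e "$cur" ]; then
            cp -p "$cur" "$cur$BACKUP_SUFFIX" || return 1
        fi
        # Same-directory mv is a rename, so the packaged file replaces the old one in one step.
        mv -f "$new" "$cur" || return 1
        echo "promoted: $cur"
    done <<EOF
$list
EOF
}

# Typical use on the directory named in the warnings above (run as root):
#   promote_rpmnew /etc/selinux/targeted
#   promote_rpmnew /etc/selinux/targeted --apply
```
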




