new kernel, new policy installed as .rpmnew
Colin Walters
walters at redhat.com
Thu Dec 30 17:04:06 UTC 2004

On Wed, 2004-12-29 at 21:42 -0500, Charles R. Anderson wrote:
> I just yum updated, and got the latest testing kernel and policy
> files:
>
> Install: kernel.i686 0:2.6.9-1.715_FC3
> Install: kernel-smp.i686 0:2.6.9-1.715_FC3
> [...]
> Update: selinux-policy-targeted.noarch 0:1.17.30-2.58
> Update: selinux-policy-targeted-sources.noarch 0:1.17.30-2.58
> [...]
> Installing: kernel-smp 100 % done 1/160
> warning: /etc/selinux/targeted/contexts/files/file_contexts created as /etc/selinux/targeted/contexts/files/file_contexts.rpmnew
> warning: /etc/selinux/targeted/policy/policy.18 created as /etc/selinux/targeted/policy/policy.18.rpmnew
> Updating: selinux-policy-targeted 100 % done 2/160
>
> The FAQ says that the policy reloads automatically, and that a manual
> relabel may be necessary. It doesn't say anything about fixing the
> filenames that were named .rpmnew. How can the policy automatically
> reload when the file isn't named correctly?

This can happen when you have selinux-policy-targeted-sources installed.
It's complicated to solve; I think we ended up deciding that if you have
-sources installed, it's up to you to do a policy rebuild for new
versions.

> Since policy is tied to the kernel, what happens when I have more than
> one kernel installed, and I boot an older one from grub?

If you don't need to customize policy, deinstall the -sources package,
and move the .rpmnew files over the non-.rpmnew versions. Then this
problem goes away.

If you do need to customize policy, then you're probably best off
booting in non-enforcing mode after an update to test and ensure that
your changes work with the latest package. Keeping a custom policy is
nontrivial at the moment, and it's something I'd like to fix.
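
The step described in the reply above (moving the .rpmnew files over the non-.rpmnew versions once -sources is removed), as an added example that is not part of the original message. The function names and the `.pre-rpmnew` backup suffix are assumptions made for illustration; the policy root is the directory shown in the rpm warnings.

```shell
#!/bin/sh
# Added example: find and promote pending *.rpmnew files under a policy tree.
# Intended root (from the rpm warnings quoted above): /etc/selinux/targeted
# Usage once sourced:  promote_rpmnew /etc/selinux/targeted         (dry run)
#                      promote_rpmnew /etc/selinux/targeted apply

# list_rpmnew ROOT: print every *.rpmnew file under ROOT, one per line.
list_rpmnew() {
    find "$1" -type f -name '*.rpmnew' | sort
}

# promote_rpmnew ROOT [apply]
# Dry run by default: reports what would change and touches nothing.
# With "apply": keeps the old file as FILE.pre-rpmnew (hypothetical suffix),
# then moves FILE.rpmnew over FILE. Identical copies are just cleaned up.
promote_rpmnew() {
    root=$1
    mode=${2:-dry-run}
    list_rpmnew "$root" | while IFS= read -r new; do
        live=${new%.rpmnew}
        if [ -f "$live" ] && cmp -s "$live" "$new"; then
            # Package file and live file already match: nothing to promote.
            echo "identical: $live"
            if [ "$mode" = apply ]; then
                rm -f -- "$new"
            fi
            continue
        fi
        if [ "$mode" = apply ]; then
            if [ -f "$live" ]; then
                # Keep the previous version so the change can be rolled back.
                cp -p -- "$live" "$live.pre-rpmnew"
            fi
            mv -f -- "$new" "$live"
            echo "replaced: $live"
        else
            echo "pending: $live"
        fi
    done
}
```

Run it without `apply` first; any `pending:` line is a file where the installed policy still differs from what the package shipped.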