Not good

Stephen Smalley sds at epoch.ncsc.mil
Mon Apr 5 15:34:06 UTC 2004


On Mon, 2004-04-05 at 11:27, Gene Czarcinski wrote:
> 3. From what I see, there is no reason to have the policy package at all since 
> policy-sources will build the needed files (except for 
> /etc/security/{default_contexts,default_type,failsafe_context} and they could 
> be in policy-sources too.

As I understand it, the intent of policy is to support minimal installs,
where the policy-sources and associated dependencies are not desirable. 
However, note that policy updates can't preserve local customizations,
e.g. tunables or users, whereas policy-sources updates do.  If you have
never customized your policy at all, then you should just be able to
update policy.  If you have customized your policy and rebuilt it, then
the %config(noreplace) should protect the binary policy against direct
policy updates, and should protect tunables and users against
policy-sources updates.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency



