[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: yumex update gets post scriplet errors with SELINUX



On Thu, 2006-04-27 at 04:50 +1000, Michael D. Setzer II wrote:
> I've noteced that if I do a yumex update with selinux set, the background 
> screen will show post scriptlet errors, but saw an ealier message about 
> disabling selinux before doing the update shows no errors, but then after re-
> enabling it afterwards causes it to have to redo the selinux on the next boot. 
> 
> I am using the FC5 in my classroom, so have no problems with doing it, but 
> was wondering what the post scriptlet problems would cause. If you don't 
> look at the background screen, there is no indication of these errors, so 
> some might not notice them. Are these errrors a problem, or could they be 
> ignored? Is there any problem with disabling selinux, doing the updates, and 
> then re-enabling it?

There's probably a terminology issue here. Truly disabling SELinux
prevents proper file labels being assigned to files, which is why you
need to relabel the system after re-enabling SELinux. You can avoid this
by simply changing from "enforcing" mode to "permissive" mode whilst you
run yumex. This results in SELinux denials being logged, but the action
is allowed to take place anyway. You can then re-enable enforcing mode
and there's no need to relabel.

The sequence is:
# setenforce 0
# yumex
# setenforce 1

Failure of scriptlets can sometimes be harmless (e.g. updating an icon
cache that will get updated when the next package is installed) or
sometimes be serious (e.g. not creating a user account necessary for the
application to run, resulting in files being installed with the wrong
permissions and the application not working).

I think the problem with yumex and SELinux may be resolved in the latest
versions of yumex/selinux-policy actually, but I'm not sure if they are
available on the mirrors yet.

Paul.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]