selinux policy updates - a question
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 5 13:56:33 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tim wrote:
> On Sun, 2009-01-04 at 12:36 -0800, Mike Cloaked wrote:
>> Fairly regularly there are selinux updates that come in during yum
>> updates - I presume that nothing gets changed unless a relabel is
>> done? Or am I wrong?
>
> A policy can set what can be done with certain types of file. i.e. The
> rules can change. That doesn't involve relabelling a file.
>
> Of course there are other things that can change in an update.
>
> As I understand it, if a relabel is required, the update will arrange it
> to happen.
>
Yes updates involve changes to the policy, they almost always involve
additional allow rules. I strive to never take away privs on updates
within a release. Usually there is no new confined domains in an update.
The update also does a diff between the current file context file and
the new file context file and runs restorecon on all differences, so
some relabeling can happen.
An update will never change the enforcing mode, or the policy type, so
if you are permissive you stay permissive, if disabled you stay
disabled, enforcing stays enforcing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkliEZAACgkQrlYvE4MpobPxEgCbB+UFynRPYSDtpKPcH5Pxd1gr
2rcAoMB5KuMuRCT99bXOiX7UEXa5SMdY
=fdod
-----END PGP SIGNATURE-----
More information about the fedora-list
mailing list