On Thu, 2016-04-07 at 15:27 -0700, Gordon Messmer wrote: > On 04/07/2016 03:15 PM, William Brown wrote: > > > > When you change from permissive to enforcing, you often need to re-label to > > make > > sure the system is consistent. > From "permissive"? I know that's true if a system is set to enforcing > from "disabled" but I've never seen an indication that switching from > permissive would require a re-label. > > Do you know what would cause permissive mode to mislabel filesystem objects? When you go from disabled to permissive, then to enforcing, this is very true, because then no objects have labels. The issue with permissive to enforcing, is that people may have been mv-ing directories around, putting things in the wrong locations (so they have the correct label for where they are, but wrong relative to the application). There certainly won't be as many issues as disabled -> permissive, but there are still enough subtle things that can change an go wrong, that it's worth the relabel to be sure that your issues going from perm -> enforce are not related to mislabeling, but perhaps other issues. -- Sincerely, William Brown Software Engineer Red Hat, Brisbane
Attachment:
signature.asc
Description: This is a digitally signed message part
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
