Stephen Smalley wrote:
On Fri, 2004-02-27 at 15:34, John Ellson wrote:
Do I do that before or after rebooting with selinux enabled?
It should work even with selinux=0, as the xattr handlers will still be present in the kernel. The only issue is that a file might get left unlabeled if it is created after the 'make relabel' would have touched it but before you've rebooted with selinux enabled, e.g. files that get created on shutdown. I think that Dan may have plans to catch common cases of that situation using restorecon in init scripts, but I'm not sure.
OK. A progress indicator and/or a warning that "make relabel" takes a long long time would be nice! Also a warning that nothing else works while it is running would be good. (I tried to fire up another gnome-terminal, but nothing happened.)
If after, do I log in as a conventional root user, or do I need a different login procedure?
You'll also need to be in the sysadm_r role. Login should prompt you
for a context, and you can also login as a regular user and then su as
usual (su should also prompt for a context).
So I ran "make relabel" with selinux=0, and then immediately rebooted with selinux=1.
There are thousands of "avc denied" messages in /var/log/message. Should I be worried?
gdm didn't prompt me for any role information for my regular userid.
Running "su -" in a gnome terminal got me to root also without any request for role information. Is this right for the default Fedora config, or is something not working?
Logging in as root from a text console did offer an opportunity to select a different
role, but it allowed me to accept a default.
John
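
Editor's added example, not part of the original message or of any SELinux tool: one way to triage a large volume of "avc denied" lines after a relabel is to group them by source type, target type, class and permission, and count how many hit targets that look unlabeled. The sample log lines are constructed, and treating `file_t` and `unlabeled_t` targets as "left unlabeled" is an assumption of this sketch.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel AVC denial format (not from the original post).
SAMPLE_LOG = """\
Feb 28 09:01:12 host kernel: audit(1077976872.101:0): avc:  denied  { write } for  pid=812 exe=/sbin/syslogd name=log dev=hda2 ino=4411 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=sock_file
Feb 28 09:01:13 host kernel: audit(1077976873.220:0): avc:  denied  { write } for  pid=812 exe=/sbin/syslogd name=log dev=hda2 ino=4411 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=sock_file
Feb 28 09:01:14 host kernel: audit(1077976874.005:0): avc:  denied  { read write } for  pid=1501 exe=/bin/cat name=shadow dev=hda2 ino=9120 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
Feb 28 09:01:15 host kernel: EXT3-fs: mounted filesystem with ordered data mode.
Feb 28 09:01:16 host kernel: audit(1077976876.310:0): avc:  denied  { getattr } for  pid=1 exe=/sbin/init name=tmpfile dev=hda2 ino=7002 scontext=system_u:system_r:init_t tcontext=system_u:object_r:unlabeled_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Assumption: these target types indicate a file that was missed by the relabel.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        src = context_type(m["scontext"])
        tgt = context_type(m["tcontext"])
        for perm in m["perms"].split():
            counts[(src, tgt, m["tclass"], perm)] += 1
    return counts

def unlabeled_targets(counts):
    """Total denials whose target type suggests an unlabeled object."""
    return sum(n for (_, tgt, _, _), n in counts.items() if tgt in UNLABELED_TYPES)

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (src, tgt, tclass, perm), n in counts.most_common():
        flag = "  <- target looks unlabeled" if tgt in UNLABELED_TYPES else ""
        print(f"{n:5d}  {src} -> {tgt}:{tclass} {{ {perm} }}{flag}")
    print("denials against unlabeled targets:", unlabeled_targets(counts))
```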