On Tue, 2013-01-29 at 13:28 -0500, Daniel J Walsh wrote:
> On 01/29/2013 11:20 AM, John Reiser wrote:
> >>>> A generic fallback image should be installed by anaconda on
> >>>> installation/update and never ever be removed.
> >
> >> Also, fallback has interesting security properties…
> >
> > "Rescue mode" forces a SELinux relabel at the next boot, and relabel can
> > take a very long time.
> >
> > How does "fallback mode" handle this, particularly if there have been
> > updates to SELinux policy after the fallback was created?
>
> The reason for this is we do not know what files were created on the system
> while SELinux was disabled (Policy Not Loaded). If you know you did not
> create files on the system you could remove the /.autorelabel file and boot
> without a relabel.

Can we have a relabel mode that just searches only files changed after a
specific date? If we stored the time of last "good" shutdown somewhere it
would mean we might be able to relabel only a minor subset of files, saving
a lot of time?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
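An added example, not part of the original message or of any Fedora tool: one way the date-limited relabel asked about above could pick its files, assuming a hypothetical stamp file that is touched at the last clean shutdown. The function names and the stamp path are assumptions; files whose expected context changed only because policy was updated are not covered by this selection.

```shell
#!/bin/sh
# Added example. STAMP is a hypothetical marker file touched at the last
# clean shutdown with SELinux policy loaded; its location is an assumption.

# Print, NUL-separated, every path under ROOT whose inode change time (ctime)
# is newer than STAMP's modification time. ctime is used instead of mtime
# because create, rename, chmod/chown and xattr changes all update it, and
# it cannot be set back with touch(1) the way mtime can.
changed_since() {
    stamp=$1
    root=$2
    # Without a trustworthy stamp there is no baseline: fall back to a
    # full relabel rather than guessing.
    [ -e "$stamp" ] || { echo "no stamp file: full relabel needed" >&2; return 2; }
    # -xdev keeps the walk on one filesystem, as a per-filesystem relabel would.
    find "$root" -xdev -cnewer "$stamp" -print0
}

# Relabel only the selected paths. restorecon resets each file to the
# context the currently loaded policy expects for its path.
relabel_changed() {
    [ -e "$1" ] || { echo "no stamp file: full relabel needed" >&2; return 2; }
    command -v restorecon >/dev/null 2>&1 || { echo "restorecon not found" >&2; return 127; }
    changed_since "$1" "$2" | xargs -0 -r restorecon -v
}

# Stand-alone use: script STAMP ROOT
if [ "$#" -eq 2 ]; then
    relabel_changed "$1" "$2"
fi
```

A system clock that was wrong while SELinux was disabled defeats the comparison, so a full relabel remains the safe fallback when the stamp cannot be trusted.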