On Wed, 10 Mar 2004 12:40, Tom Mitchell <mitch48@xxxxxxxxx> wrote:
> The more general question is that for Large Medium and small updates....
> there may always be a question when one or more "makes" in the policy
> area will be needed. Is there a good way to check... will make
> check-all do the right thing?
>
> cd /etc/security/selinux/src/policy
> make ????? # lots of choices...
> make relabel # necessary? when and how to check ...
>
> Is it necessary/useful to do stuff like this before or after a reboot?
> Is there a difference from vanilla in how promptly a reboot and other
> housecleaning for SELinux is needed? i.e. will audit go nuts...

In general use there should not be any need for a relabel except after severe
file system corruption, a backup/restore with non-XATTR aware backup software,
or booting a non-SE Linux kernel.

> Also I have taken to adding an alternate boot section in
> /boot/grub/grub.conf. Is this useful, useless, sane, silly,
> underkill, overkill. Thus...:

Grub is really good for allowing you to edit the kernel command line before
booting it. So if you have problems you can always tell it to boot the kernel
with selinux=0 appended even if that is not in your grub.conf.

If you accidentally boot a non-SE kernel then /etc/mtab and a few other files
will get the wrong label, which will be really annoying for you. We are
working on these issues, but in the mean-time you probably don't want to make
it too easy to accidentally boot a non-SE kernel.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page