On Sat, 31 Jul 2004 05:22, Karsten Wade <kwade@xxxxxxxxxx> wrote:
> On Thu, 2004-06-10 at 06:44, Daniel J Walsh wrote:
> > After running fixfiles relabel you should always reboot in order to
> > start programs under the right context. If you do this in level 5 there
> > is a chance the applications will write files out with bad context after
> > the relabel, before the reboot.
>
> Is it sufficient to do this in run level 3? So far it's worked for me,
> but is it risky?

As has been mentioned 3 is equivalent to 5 for such things.

If the machine booted in enforcing mode and was never in permissive mode then the number of programs which could be in the wrong domain and which could create files with the wrong context on shutdown is small.

If you are running in permissive mode with bad labelling then it's quite likely that programs are in the wrong domain but the only real problem is /etc/mtab which will have restorecon run on it at boot time.

If you change from targeted to strict policy then you can have user processes running in the wrong context. In my lab on writing SE Linux policy at the IBM Technical University the students had a problem because they were using OpenOffice to read the lab notes (didn't have time to get them printed) and when running in unconfined_t OO had created a socket in /tmp which it couldn't access after rebooting in enforcing mode with strict policy.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page