On Thu, 2008-09-18 at 09:17 +1000, Murray McAllister wrote:
> Thanks. Should something like this be in the selinux user guide? The
> commands above look safe to me - what's the worst that can happen?
>
> Do problems occur if you don't relabel after the above steps?

It could be in the guide, but it better be prefaced with something like
I gave it :)

The worst that happens is your system completely dies and locks you out
the instant you start to install selinux-policy-targeted. If your local
customizations caused your shell process to run as a type or user or
whatever that isn't defined when you start loading the new policy, things
could esplode (permissive is a must and should stop you from locking
yourself out/failing to actually install the original policy, I'm glad
Dan remembered).

You need to autorelabel because you have no idea what types were valid
that are no longer valid (all of those in custom modules you just
removed are now invalid).

Labeling could be so different that you need to reboot in permissive to
even get it to boot to the point where it can autorelabel.

Perfect steps would be

setenforce 0
[run my steps]
stop grub and add enforcing=0
finish boot
setenforce 1

Do all that and you should be safe :)

-Eric

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list