On 07/15/2013 03:00 PM, Daniel J Walsh wrote: > It does a reload > > %post server > /sbin/service auditd reload >/dev/null 2>&1 || : > > %postun server > if [ $1 = 0 ]; then > /sbin/service auditd reload >/dev/null 2>&1 || : > fi It appears that reload just checks the configuration file (and not the new plugins installed). I just did a test (performed a reload) and then checked the access time for sedispatch (it stayed the same). It wasn't until a "service auditd restart" that /etc/audisp/plugins.d/sedispatch.conf changed its access time. Nevertheless, once auditd restarts you still don't get the AVCs on /var/log/messages. In fact, now you get errors when you induce an AVC : Jul 15 15:12:34 server1 sedispatch: Connection Error (Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory): AVC Will be dropped ...because messagebus isn't running. Again, this just happens on systems installed with the Minimal option where "dbus", the package that includes messabus, isn't installed. The issue here is that by installing setroubleshoot-server, dbus would be installed as a dependency (and messagebus would stay dormant until a reboot). Going back to the setroubleshoot-server %post script, and considering now the standard-installation systems: Since the %post script already has a "reload", can we change that for a "restart"? Using "reload" is futile since /etc/audit/auditd.conf remains intact after the setroubleshoot-server package installation: nothing is added/changed/removed from auditd.conf. I think the original intention of the "reload" was to pick up the new plugin installed but as we see, it is only a "restart" that does it. > I think this is against packaging standards to start a service that is not > running. I see. That seems about right. Now that I think about it, I wouldn't like a service to be started when I install a package (even worse: to start a service not coming from the package itself). Thanks, Jorge -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
