On Wed, 2012-02-08 at 15:17 -0500, Stephen Smalley wrote:
> On Wed, 2012-02-08 at 11:45 -0800, C.J. Adams-Collier KF7BMP wrote:
> > > > $ locate xserver.pp
> > > > /usr/share/selinux/default/xserver.pp
> > > >
> > > > I'll run semodule -i after this morning's reboot. I installed mutt
> > > > yesterday, so I'll work from the console until you folks sign off for
> > > > the evening.
> > >
> > > I'd suggest installing all of the .pp files to ensure you aren't missing
> > > anything else. The man page for semodule has some examples of how to
> > > install all modules from a directory.
> >
> > What's the best way to do this at boot?
>
> You just do it once and it remains until/unless you remove it with
> semodule -r. No need to do it on each boot. Normally it is done when
> you install the policy package, but since your policy package apparently
> didn't install all modules, I'm suggesting that you do so manually.
>
> cd /usr/share/selinux/default
> ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i
> should install them all.

Okay. Do these ever get purged under any other circumstances? I noted
that when I booted without selinux enabled and then with it enabled, the
filesystem was re-labeled. Does anything else get triggered in this
situation? Specifically, do policies get removed?

It looks like the alsa.pp is failing, so my working and slightly
modified command was:

$ pushd /usr/share/selinux/default
$ time sudo \
  semodule -i `ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp'`

real    0m24.148s
user    0m23.249s
sys     0m0.628s

This seems like it would take slightly less time than piping the output
of ls to xargs, since it only runs semodule once.

$ time ls *.pp | grep -v -e 'base.pp' -e 'alsa.pp' | \
  xargs sudo semodule -b base.pp -i

real    0m25.659s
user    0m24.778s
sys     0m0.660s

But they both get the job done and the difference in run time is very
small.
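One way to check which packages in the directory are absent from the loaded module list and install only those, reporting a failing module such as alsa.pp by name instead of aborting the whole run. This is an added example, not part of the thread: the SEMODULE override and the function names are hypothetical, and it assumes each package file name minus .pp equals the module name.

```shell
#!/bin/sh
# Added example, not from the thread. SEMODULE is a hypothetical override so
# the logic can be exercised with a stub; by default the real semodule runs.
SEMODULE=${SEMODULE:-semodule}

# List policy packages in directory $1, one path per line, skipping the
# two base packages excluded by the command quoted in the thread.
list_packages() {
    for pp in "$1"/*.pp; do
        [ -e "$pp" ] || continue
        case $(basename "$pp") in
            base.pp|enableaudit.pp) continue ;;
        esac
        printf '%s\n' "$pp"
    done
}

# Print the packages in $1 whose module name is not in `semodule -l`.
# Older semodule prints "name<TAB>version", newer prints only the name,
# so only the first field is compared.
# Assumption: the file name minus .pp is the module name.
missing_packages() {
    installed=$($SEMODULE -l | awk '{print $1}')
    list_packages "$1" | while IFS= read -r pp; do
        name=$(basename "$pp" .pp)
        printf '%s\n' "$installed" | grep -qxF -- "$name" ||
            printf '%s\n' "$pp"
    done
}

# Install each missing package in its own transaction so that one bad
# module does not block the others; print "FAILED <file>" for each failure.
install_missing() {
    missing_packages "$1" | while IFS= read -r pp; do
        $SEMODULE -i "$pp" </dev/null >/dev/null 2>&1 ||
            printf 'FAILED %s\n' "$(basename "$pp")"
    done
}
```

Source the file as root and call `install_missing /usr/share/selinux/default`; running `missing_packages` on the same directory after a reboot or relabel shows whether any module has dropped out of the store. Each `semodule -i` is a separate transaction, so the per-module run takes longer than the single invocation timed above.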