On Mon, Nov 4, 2013 at 3:42 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> In Gentoo, we try to only install the SELinux policies related to the
>> package that is installed. So if a system does not have a web server, no
>> httpd policies are loaded.
[...]
> And how do you handle the problem of removing policy when packages get
> removed? What happens to the programs content?

Good point. We don't handle that - if the package is removed and no other
package exists that has a dependency on the SELinux policy, then the SELinux
policy is also removed. Which invalidates the contexts of the files.

I reckon that users who hit issues with that would relabel the files, which
usually labels them to the "parent" type (such as var_t for things in
/var/www then). But I have not received such case(s) for review yet.

Wkr,
  Sven Vermeulen
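
The effect described in the reply above, modelled as an added example (not part of the original message and not Gentoo's or libselinux's code). It assumes a constructed set of file-context specs, a hypothetical module name "apache", and a simplified matching rule in which the spec with the longest literal prefix wins.

```python
import re

# Constructed sample file-context specs: (path regex, type, providing module).
# The module name "apache" and this particular spec list are assumptions.
SPECS = [
    (r"/.*", "default_t", "base"),
    (r"/var(/.*)?", "var_t", "base"),
    (r"/var/log(/.*)?", "var_log_t", "base"),
    (r"/var/www(/.*)?", "httpd_sys_content_t", "apache"),
    (r"/var/log/apache2(/.*)?", "httpd_log_t", "apache"),
]

def stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    m = re.search(r"[.^$?*+|\[\](){}\\]", regex)
    return m.start() if m else len(regex)

def expected_type(path, specs):
    """Type a relabel would pick: the matching spec with the longest stem.
    This is a simplification of the real specificity ordering."""
    hits = [(stem_len(rx), t) for rx, t, _ in specs if re.fullmatch(rx, path)]
    return max(hits)[1] if hits else None

def after_module_removal(labels, specs, module):
    """Map each path to (state, type) once `module` has been unloaded.

    A label whose type was only provided by the removed module becomes
    "invalid"; the second element is the type a relabel would then assign.
    """
    remaining = [s for s in specs if s[2] != module]
    gone_types = {t for _, t, m in specs if m == module}
    report = {}
    for path, current in labels.items():
        if current in gone_types:
            report[path] = ("invalid", expected_type(path, remaining))
        else:
            report[path] = ("valid", current)
    return report

# Constructed on-disk labels before the web server package is removed.
LABELS = {
    "/var/www/index.html": "httpd_sys_content_t",
    "/var/log/apache2/access.log": "httpd_log_t",
    "/var/log/messages": "var_log_t",
}

if __name__ == "__main__":
    for path, result in after_module_removal(LABELS, SPECS, "apache").items():
        print(path, *result)
```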