Fedora Core 2 Test 2 - delayed
Stephen Smalley
sds at epoch.ncsc.mil
Fri Feb 27 20:49:55 UTC 2004
On Fri, 2004-02-27 at 15:34, John Ellson wrote:
> Do I do that before or after rebooting with selinux enabled?
It should work even with selinux=0, as the xattr handlers will still be
present in the kernel. The only issue is that a file might get left
unlabeled if it is created after the 'make relabel' would have touched
it but before you've rebooted with selinux enabled, e.g. files that get
created on shutdown. I think that Dan may have plans to catch common
cases of that situation using restorecon in init scripts, but I'm not
sure.
> If after, do I log in as a conventional root user, or do I need a
> different login procedure?
You'll also need to be in the sysadm_r role. Login should prompt you
for a context, and you can also login as a regular user and then su as
usual (su should also prompt for a context).
> What are "corresponding rpm file contexts state" ? What should I
> look for?
rpm is now aware of file security contexts, so I'm not sure if the rpm
database needs to be rebuilt if you run with selinux=0 for a while (and
install some rpms on that non-SELinux system) and then later enable
SELinux. Jeff?
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the fedora-devel-list
mailing list