NFS Update and SELinux

Daniel J Walsh dwalsh at redhat.com
Thu Nov 8 20:00:10 UTC 2007



Richi Plana wrote:
> On Wed, 2007-11-07 at 12:18 -0500, Daniel J Walsh wrote:
>> Richi Plana wrote:
>>> I _WAS_ thinking of asking, however, what sort of actions can be placed
>>> in the %post section of packages which need immediate action? I know
>>> some services restart themselves after package updates (but some don't.
>>> I wonder if this should be made policy). In the case of selinux, would a
>>> kernel module reload solve the mislabeled device files? A restart? (I
>>> did notice that at one point in time, I got an advisory to restart the
>>> computer after a set of updates. I can't remember where or what it was
>>> now)
>>> --
>>>
>>> Richi Plana
>>>
>> selinux-policy attempts to fix labeling as it updates.  Most of the time
>> you should/would not need to do anything.  But occasionally restarting
>> domains/programs is necessary.
> 
> Being security-related, shouldn't actions needed to ensure effectivity
> be encouraged? If not a system restart, what about that "domain
> restarting" that you mentioned? How is that performed? Would it cover
> all cases?
> --
> 
> Richi Plana
> 
If a policy update added confinement to an application for example, a
service CONFINEDAPP restart would be required to get the app to run with
the new context.  We do not intend to do this, since restarting the app
might result in loss of data or some other evil thing.  Updating gcc or
glibc has similar problems.  So this is not exclusive to SELinux.
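
Added example (not part of the original message and not code from selinux-policy): a check for processes still running in the domain they had before a policy update, which is the case the reply describes where only a restart applies the new context. The process list, executable labels and rules are constructed sample data, the names other than CONFINEDAPP are hypothetical, and the script assumes services are started from initrc_t.

```python
import re

# Constructed sample data, not taken from a real system.
# `ps -eo label,pid,comm`-style lines: context, PID, command name.
PS_LINES = """\
system_u:system_r:initrc_t:s0     2101 confinedapp
system_u:system_r:httpd_t:s0      1840 httpd
system_u:system_r:initrc_t:s0     2350 legacyd
"""
# File type of each command's executable, as `ls -Z` would report it.
EXE_TYPES = {"confinedapp": "confinedapp_exec_t",
             "httpd": "httpd_exec_t",
             "legacyd": "bin_t"}
# `sesearch -T`-style rules from the policy as loaded after the update.
RULES = """\
type_transition initrc_t confinedapp_exec_t:process confinedapp_t;
type_transition initrc_t httpd_exec_t:process httpd_t;
"""
RULE_RE = re.compile(r"type_transition\s+(\S+)\s+(\S+):process\s+(\S+);")


def parse_transitions(rules_text):
    """Map (source domain, executable type) -> domain entered on exec."""
    return {(m[1], m[2]): m[3] for m in RULE_RE.finditer(rules_text)}


def needs_restart(ps_text, exe_types, rules_text, start_domain="initrc_t"):
    """Return (pid, command, current domain, domain after restart) for each
    process whose domain differs from the one the loaded policy would
    assign if it were started again from start_domain (an assumption)."""
    transitions = parse_transitions(rules_text)
    stale = []
    for line in ps_text.splitlines():
        fields = line.split()
        parts = fields[0].split(":") if fields else []
        if len(fields) < 3 or len(parts) < 3 or not fields[1].isdigit():
            continue  # header, blank line, or no SELinux context
        pid, command, current = int(fields[1]), fields[2], parts[2]
        expected = transitions.get((start_domain, exe_types.get(command)))
        if expected and expected != current:
            stale.append((pid, command, current, expected))
    return stale


if __name__ == "__main__":
    for pid, cmd, cur, new in needs_restart(PS_LINES, EXE_TYPES, RULES):
        print(f"{cmd} (pid {pid}) runs as {cur}; restart would enter {new}")
```

The result is a list for an administrator to review and restart at a safe time; a process that changes domain on its own after starting would need its own rule in the comparison.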



