Bug 119573

Summary: SELinux FAQ - [summarize FAQ change or addition]
Product: [Retired] Fedora Documentation Reporter: Stephen Smalley <sdsmall>
Component: selinux-faqAssignee: Karsten Wade <kwade>
Status: CLOSED NOTABUG QA Contact: Tammy Fox <tammy.c.fox>
Severity: medium Docs Contact:
Priority: medium    
Version: develCC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-04-01 22:48:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 118757    

Description Stephen Smalley 2004-03-31 14:22:33 UTC 
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

The FAQ says that a policy update automatically loads the new policy.
 I don't think that this is presently true, although I agree that it
is  the right thing to do.  So either the policy package or the FAQ
need to be changed for consistency.


Version-Release of FAQ (found on
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/ln-legalnotice.html):

 for example selinux-faq-1.0 (2004-03-29-T16:20-0800)
Comment 1 Karsten Wade 2004-04-01 19:35:02 UTC 
Is this a non-trival change to policy?  Otherwise, we need to fix the
documentation, even if it's for only a short time; I assume there will
be new policy updates.
Comment 2 Stephen Smalley 2004-04-01 19:37:40 UTC 
Dan made the change to the policy package after I submitted
this entry, so it now reloads policy automatically.  So this
bug can be closed.
Comment 3 Stephen Smalley 2004-04-01 20:01:17 UTC 
A couple lingering items to note:
At times, it won't be possible to automatically reload the policy on
a running system, so the automatic reload may need to be disabled for
certain policy updates.  Examples:
1) Policy version change.  In this case, the kernel needs to be
updated and rebooted before you can load the new policy.  Dependencies
can ensure that kernel is updated first, but not that it is booted.
2) Major policy change that removes or radically changes domains
and requires a reboot to get system daemons into the right domain.

Also, although the policy RPM has been updated to reload policy,
I don't think it is presently relabeling the filesystem upon a policy
update.  So if you change file_contexts, that won't get applied
automatically.  I'm not sure what the right solution is there, e.g.
should we be doing a relabel from the policy package or should rpm
automatically rebuild any affected packages when we change
file_contexts so that the normal package update will handle the new
file contexts?
Comment 4 Karsten Wade 2004-04-01 22:48:45 UTC 
(adding blocker bug 118757 back in for tracking purposes)

How are we going to inform users when they need to do something
manually?  Similarly for all cases, how much can we do automatically?
 How many different scenarios are we supporting?

For the moment, this issue is resolved with respect to the accuracy of
the FAQ.  I'll close to NOTABUG (it was a policy bug, if anything), we
can reopen if the situation changes (wrt Stephen's above comments) or
we can open a new bug to change the FAQ details.