Bug 119573 - SELinux FAQ - [summarize FAQ change or addition]
Summary: SELinux FAQ - [summarize FAQ change or addition]
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq
Version: devel
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Karsten Wade
QA Contact: Tammy Fox
URL: http://people.redhat.com/kwade/fedora...
Depends On:
Blocks: 118757
TreeView+ depends on / blocked
Reported: 2004-03-31 14:22 UTC by Stephen Smalley
Modified: 2007-04-18 17:05 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2004-04-01 22:48:45 UTC

Attachments (Terms of Use)

Description Stephen Smalley 2004-03-31 14:22:33 UTC
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

The FAQ says that a policy update automatically loads the new policy.
 I don't think that this is presently true, although I agree that it
is  the right thing to do.  So either the policy package or the FAQ
need to be changed for consistency.

Version-Release of FAQ (found on

 for example selinux-faq-1.0 (2004-03-29-T16:20-0800)

Comment 1 Karsten Wade 2004-04-01 19:35:02 UTC
Is this a non-trival change to policy?  Otherwise, we need to fix the
documentation, even if it's for only a short time; I assume there will
be new policy updates.

Comment 2 Stephen Smalley 2004-04-01 19:37:40 UTC
Dan made the change to the policy package after I submitted
this entry, so it now reloads policy automatically.  So this
bug can be closed.

Comment 3 Stephen Smalley 2004-04-01 20:01:17 UTC
A couple lingering items to note:
At times, it won't be possible to automatically reload the policy on
a running system, so the automatic reload may need to be disabled for
certain policy updates.  Examples:
1) Policy version change.  In this case, the kernel needs to be
updated and rebooted before you can load the new policy.  Dependencies
can ensure that kernel is updated first, but not that it is booted.
2) Major policy change that removes or radically changes domains
and requires a reboot to get system daemons into the right domain.

Also, although the policy RPM has been updated to reload policy,
I don't think it is presently relabeling the filesystem upon a policy
update.  So if you change file_contexts, that won't get applied
automatically.  I'm not sure what the right solution is there, e.g.
should we be doing a relabel from the policy package or should rpm
automatically rebuild any affected packages when we change
file_contexts so that the normal package update will handle the new
file contexts?

Comment 4 Karsten Wade 2004-04-01 22:48:45 UTC
(adding blocker bug 118757 back in for tracking purposes)

How are we going to inform users when they need to do something
manually?  Similarly for all cases, how much can we do automatically?
 How many different scenarios are we supporting?

For the moment, this issue is resolved with respect to the accuracy of
the FAQ.  I'll close to NOTABUG (it was a policy bug, if anything), we
can reopen if the situation changes (wrt Stephen's above comments) or
we can open a new bug to change the FAQ details.

Note You need to log in before you can comment on or make changes to this bug.