Bug 119573 - SELinux FAQ - [summarize FAQ change or addition]
SELinux FAQ - [summarize FAQ change or addition]
Status: CLOSED NOTABUG
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq (Show other bugs)
devel
All Linux
medium Severity medium
: ---
: ---
Assigned To: Karsten Wade
Tammy Fox
http://people.redhat.com/kwade/fedora...
:
Depends On:
Blocks: 118757
  Show dependency treegraph
 
Reported: 2004-03-31 09:22 EST by Stephen Smalley
Modified: 2007-04-18 13:05 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-04-01 17:48:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Stephen Smalley 2004-03-31 09:22:33 EST
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

The FAQ says that a policy update automatically loads the new policy.
 I don't think that this is presently true, although I agree that it
is  the right thing to do.  So either the policy package or the FAQ
need to be changed for consistency.


Version-Release of FAQ (found on
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/ln-legalnotice.html):

 for example selinux-faq-1.0 (2004-03-29-T16:20-0800)
Comment 1 Karsten Wade 2004-04-01 14:35:02 EST
Is this a non-trival change to policy?  Otherwise, we need to fix the
documentation, even if it's for only a short time; I assume there will
be new policy updates.
Comment 2 Stephen Smalley 2004-04-01 14:37:40 EST
Dan made the change to the policy package after I submitted
this entry, so it now reloads policy automatically.  So this
bug can be closed.
Comment 3 Stephen Smalley 2004-04-01 15:01:17 EST
A couple lingering items to note:
At times, it won't be possible to automatically reload the policy on
a running system, so the automatic reload may need to be disabled for
certain policy updates.  Examples:
1) Policy version change.  In this case, the kernel needs to be
updated and rebooted before you can load the new policy.  Dependencies
can ensure that kernel is updated first, but not that it is booted.
2) Major policy change that removes or radically changes domains
and requires a reboot to get system daemons into the right domain.

Also, although the policy RPM has been updated to reload policy,
I don't think it is presently relabeling the filesystem upon a policy
update.  So if you change file_contexts, that won't get applied
automatically.  I'm not sure what the right solution is there, e.g.
should we be doing a relabel from the policy package or should rpm
automatically rebuild any affected packages when we change
file_contexts so that the normal package update will handle the new
file contexts?
Comment 4 Karsten Wade 2004-04-01 17:48:45 EST
(adding blocker bug 118757 back in for tracking purposes)

How are we going to inform users when they need to do something
manually?  Similarly for all cases, how much can we do automatically?
 How many different scenarios are we supporting?

For the moment, this issue is resolved with respect to the accuracy of
the FAQ.  I'll close to NOTABUG (it was a policy bug, if anything), we
can reopen if the situation changes (wrt Stephen's above comments) or
we can open a new bug to change the FAQ details.

Note You need to log in before you can comment on or make changes to this bug.