From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
I created this bug report for FC3 and the latest selinux package, but it's a larger issue. Basically, when doing "yum update", if the selinux packages are updated, a message will be printed on the screen for some files that need to be run through /sbin/restorecon. This is fine in most cases, except when updating a mail server running Postfix with large queues. In that case, a VERY large number of messages will be printed, making the process extremely slow (especially when running yum through SSH over the Internet). It would be nice if selinux would be more "clever" about which messages need to be printed out.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.96

How reproducible:
Always

Steps to Reproduce:
1. see above
2.
3.

Additional info:
Discussion thread on fedora-devel-list: https://www.redhat.com/archives/fedora-devel-list/2005-April/thread.html#00563
I don't know of a good way to fix this. Basically policy is doing a fancy diff between file_context.prior and file_context.new and then doing a restorecon -R -v on it. Usually this is only going to change a few contexts and could take a very long time, since sometimes the diff comes up with /usr or some other high level directory. I think the best case if you are worried about this would be:

yum -y update > /tmp/yum.log
I just ran into the same problem (on WS4) with the recent selinux-policy-targeted-1.17.30-2.88.noarch.rpm update. In my case with partitions not covered by whatever selinux is looking at. A message got printed for every one of the 100,000 or so non-system files on my computer, like this:

/sbin/restorecon reset context /backup/archive/...
...
/sbin/restorecon reset context /u/...
...

Since this never happened before, I of course had no idea I should be "worried" about it, although I certainly will be in the future. If I had been logged on to a server over dialup (yes, I have to do this), it would have been a serious inconvenience.

How about making the diff smart enough to do the redirection and only showing the first and last few lines, instead of surprising us poor ignorant admins? If it can't be made smart enough to simply ignore the top-level directories that it doesn't know about, which seems like it would be the ideal.

Thanks for your consideration.
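
The following is an added example, not part of the bug thread or of the selinux-policy package: a shell helper that condenses a log saved with the redirection suggested above into one count per top-level directory, so an administrator can see which trees were relabeled without scrolling through every message. The function names and the sample log are constructed for illustration, and the helper assumes the message prefix quoted in the comment above, with the file path as the fourth field.

```shell
#!/bin/sh
# Added example, not part of the bug thread or the selinux-policy package.

# Constructed sample log: 40 relabel messages under /backup, one each under
# /u and /etc, plus one unrelated line standing in for yum's own output.
write_sample_log() {
    i=1
    while [ "$i" -le 40 ]; do
        echo "/sbin/restorecon reset context /backup/archive/file$i"
        i=$((i + 1))
    done > "$1"
    {
        echo "/sbin/restorecon reset context /u/home/notes.txt"
        echo "/sbin/restorecon reset context /etc/postfix/main.cf"
        echo "Updated: example-package (constructed line)"
    } >> "$1"
}

# summarize_relabel LOGFILE  (hypothetical helper name)
# Prints one line per top-level directory with the number of relabel
# messages under it, largest first, then the log location. Assumes the
# message prefix quoted in the thread, with the path as the fourth field.
summarize_relabel() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk '
        $1 ~ /restorecon$/ && $2 == "reset" && $3 == "context" {
            split($4, parts, "/")   # "/backup/archive/x" -> parts[2] = "backup"
            count["/" parts[2]]++
            next
        }
        { other++ }                 # anything else stays in the log only
        END {
            for (d in count) printf "%7d  %s\n", count[d], d
            if (other) printf "%7d  (other lines)\n", other
        }' "$1" | sort -rn
    echo "full output: $1"
}

# Demo on the constructed log.
demo_log=${TMPDIR:-/tmp}/relabel-demo.$$
write_sample_log "$demo_log"
summarize_relabel "$demo_log"
rm -f "$demo_log"
```

On a real system the helper would be pointed at the saved log, for example `summarize_relabel /tmp/yum.log`; a large count under a directory such as /backup or /u shows at a glance that a tree outside the system paths was relabeled.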