Red Hat Bugzilla – Bug 155069
selinux-policy-targeted too verbose when updating
Last modified: 2007-11-30 17:11:04 EST
Description of problem:
I created this bug report for FC3 and the latest selinux package, but it's a larger issue.
Basically, when doing "yum update", if the selinux packages are updated, a message will be printed on the screen for some files that need to be run through /sbin/restorecon.
This is fine in most cases, except when updating a mail server running Postfix with large queues. In that case, a VERY large number of messages will be printed, making the process extremely slow (especially when running yum through SSH over the Internet).
It would be nice if selinux would be more "clever" about which messages need to be printed out.
Discussion thread on fedora-devel-list:
I don't know of a good way to fix this. Basically policy is doing a fancy diff between file_context.prior and file_context.new and then doing a restorecon -R -v on it.
Usually this is only going to change a few contexts and could take a very long time, since sometimes the diff comes up with /usr or some other high level directory. I think the best case if you are worried about this would be
yum -y update > /tmp/yum.log
I just ran into the same problem (on WS4) with the recent selinux-policy-targeted-1.17.30-2.88.noarch.rpm update. In my case with partitions not covered by whatever selinux is looking at. A message got printed for every one of the 100,000 or so non-system files on my computer, like this:
/sbin/restorecon reset context /backup/archive/...
/sbin/restorecon reset context /u/...
Since this never happened before, I of course had no idea I should be "worried" about it, although I certainly will be in the future. If I had been logged on to a server over dialup (yes, I have to do this), it would have been a serious
How about making the diff smart enough to do the redirection and only showing the first and last few lines, instead of surprising us poor ignorant admins? If it can't be made smart enough to simply ignore the top-level directories that it doesn't know about, which seems like it would be the ideal.
Thanks for your consideration.
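The relabel step the thread describes (diff the old and new file_contexts, then restorecon -R -v on what changed), as an added example that is not part of the bug report or of the selinux-policy package scripts. It approximates the "fancy diff" by cutting each changed pattern at its first regex metacharacter, collapses the result to outermost directories, and sends restorecon's per-file output to a log so only a summary reaches the terminal, as the second poster asked for. The file_contexts fragments are constructed samples, and restorecon is assumed to be on PATH on a real host.

```shell
# Added example, not from the bug report or the selinux-policy scripts:
# turn the lines that differ between a prior and a new file_contexts file
# into a short list of outermost directories, then relabel those quietly.

# Literal directory prefix of every changed specification. Both "<" (removed)
# and ">" (added/changed) lines matter: files under a removed pattern now fall
# back to some other specification and need relabeling too. Each regex is cut
# at its first metacharacter, which is why a change to "/usr/.*" yields "/usr".
changed_prefixes() {
    diff "$1" "$2" | sed -n 's/^[<>] //p' | awk '{ print $1 }' |
        sed 's,/*[][(*?+\\.].*$,,' | grep '^/' | sort -u |
        awk '{ for (i = 1; i <= n; i++)            # drop a path whose parent
                   if ($0 == p[i] || index($0, p[i] "/") == 1) next   # is listed
               p[++n] = $0; print }'
}

# Relabel each prefix, keeping restorecon's per-file messages in a log and
# printing only a line count plus the first and last few lines, as the second
# poster asked for. restorecon is assumed to be on PATH where this is used.
relabel_quietly() {
    log=${LOG:-/tmp/restorecon.log}
    : > "$log"
    for dir in "$@"; do
        [ -e "$dir" ] || continue
        if command -v restorecon >/dev/null 2>&1; then
            restorecon -R -v "$dir" >> "$log" 2>&1
        else
            echo "restorecon not found; would relabel $dir" >> "$log"
        fi
    done
    echo "$(wc -l < "$log") lines logged to $log"
    head -n 3 "$log"; echo "..."; tail -n 3 "$log"
}

# Constructed sample fragments standing in for the prior and new file_contexts.
PRIOR=$(mktemp); NEW=$(mktemp)
cat > "$PRIOR" <<'EOF'
/var/spool/postfix(/.*)? system_u:object_r:postfix_spool_t
/usr/sbin/postfix -- system_u:object_r:postfix_master_exec_t
/usr/.* system_u:object_r:usr_t
EOF
cat > "$NEW" <<'EOF'
/var/spool/postfix(/.*)? system_u:object_r:postfix_spool_t
/var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t
/usr/sbin/postfix -- system_u:object_r:postfix_exec_t
/usr/.* system_u:object_r:bin_t
/etc/postfix(/.*)? system_u:object_r:postfix_etc_t
EOF
changed_prefixes "$PRIOR" "$NEW"   # prints /etc/postfix, /usr, /var/spool/postfix/maildrop
```

On a real host the two functions chain as `relabel_quietly $(changed_prefixes OLD NEW)` with the installed file_contexts files in place of the samples; note that `/usr/sbin/postfix` is dropped from the list because `/usr` already covers it.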