On Thu, 2006-04-27 at 04:50 +1000, Michael D. Setzer II wrote: > I've noteced that if I do a yumex update with selinux set, the background > screen will show post scriptlet errors, but saw an ealier message about > disabling selinux before doing the update shows no errors, but then after re- > enabling it afterwards causes it to have to redo the selinux on the next boot. > > I am using the FC5 in my classroom, so have no problems with doing it, but > was wondering what the post scriptlet problems would cause. If you don't > look at the background screen, there is no indication of these errors, so > some might not notice them. Are these errrors a problem, or could they be > ignored? Is there any problem with disabling selinux, doing the updates, and > then re-enabling it? There's probably a terminology issue here. Truly disabling SELinux prevents proper file labels being assigned to files, which is why you need to relabel the system after re-enabling SELinux. You can avoid this by simply changing from "enforcing" mode to "permissive" mode whilst you run yumex. This results in SELinux denials being logged, but the action is allowed to take place anyway. You can then re-enable enforcing mode and there's no need to relabel. The sequence is: # setenforce 0 # yumex # setenforce 1 Failure of scriptlets can sometimes be harmless (e.g. updating an icon cache that will get updated when the next package is installed) or sometimes be serious (e.g. not creating a user account necessary for the application to run, resulting in files being installed with the wrong permissions and the application not working). I think the problem with yumex and SELinux may be resolved in the latest versions of yumex/selinux-policy actually, but I'm not sure if they are available on the mirrors yet. Paul.
