[CentOS-virt] Package updates and "required" reboots

Fri May 6 15:32:08 UTC 2011
Ben M. <centos at rivint.com>

Stephen Harris wrote:
> On Fri, May 06, 2011 at 09:45:31AM -0400, Ben M. wrote:
>> With CentOS Xen 5.6 (standard installation, SELinux enabled) is there an FAQ or 
>> general user consensus as to when to do a reboot after what updates?
> 
> In my opinion, is the change sufficiently urgent that existing running
> processes need to pick it up?
> 
> For example, a glibc patch means the new glibc will be executed by new
> processes, but already running programs will have the old glibc mapped
> into memory; if there's a security issue with the old glibc then already
> running processes may still be exploitable.
> 
> Another example could be the tzdata patches; if your timezone is
> impacted then existing processes may not pick up the changes unless
> they're restarted.
> 
> Of course a new kernel doesn't run until you reboot :-)
> 
> I tend to reboot after glibc and kernel patches, but not normally after
> any other (but I do restart services as necessary, eg httpd after an
> apache patch).
> 

I do the same on services, or reboot if convenient.

What do you think about SELinux and libvirt updates (in Dom-0)?

I see SELinux reinitialized (and locked me out while doing so for a few scary 
seconds, hahaha)? Would that require a reboot to encompass all that it protects 
when policies are updated?
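
Stephen Harris's point above, that already running programs keep the old glibc mapped after an update, can be checked per process. The following is an added example, not part of the original post: it reads `/proc/<pid>/maps` and reports executable shared-library mappings whose backing file has been deleted (replaced on disk by the update). The function names and the `SAMPLE` data are constructed for illustration.

```python
import os
import re

# /proc/<pid>/maps fields: address perms offset dev inode pathname.
# The kernel appends " (deleted)" once the backing file has been unlinked,
# which is what a package update does when it replaces a library on disk.
DELETED_MAP = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s+(\S.*?) \(deleted\)$"
)
LIB_NAME = re.compile(r"\.so(\.\w+)*$")

# Constructed sample of a maps file taken after a glibc/openssl update.
SAMPLE = """\
2b5c8a000000-2b5c8a14e000 r-xp 00000000 fd:00 524301 /lib64/libc-2.5.so (deleted)
2b5c8a14e000-2b5c8a34d000 ---p 0014e000 fd:00 524301 /lib64/libc-2.5.so (deleted)
2b5c8a400000-2b5c8a416000 r-xp 00000000 fd:00 524310 /lib64/libpthread-2.5.so
2b5c8a700000-2b5c8a745000 r-xp 00000000 fd:00 524377 /usr/lib64/libssl.so.0.9.8e (deleted)
2b5c8a900000-2b5c8a901000 rw-p 00000000 fd:00 77 /tmp/scratch (deleted)
7fff1c000000-7fff1c015000 rw-p 00000000 00:00 0 [stack]
"""


def stale_libs(maps_text):
    """Return sorted paths of shared libraries still mapped from deleted files."""
    found = set()
    for line in maps_text.splitlines():
        m = DELETED_MAP.match(line.strip())
        # Only executable mappings of .so files: code the process still runs.
        if m and "x" in m.group(1) and LIB_NAME.search(m.group(2)):
            found.add(m.group(2))
    return sorted(found)


def scan_proc(proc="/proc"):
    """Map pid -> stale libraries for every readable process (run as root)."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps")) as fh:
                libs = stale_libs(fh.read())
        except OSError:  # process exited meanwhile, or permission denied
            continue
        if libs:
            report[int(pid)] = libs
    return report


if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

A process listed here is still executing the pre-update library; restarting that service (or rebooting, if it is something like init) is what brings the patched copy into use.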