Stephen Harris wrote:
> On Fri, May 06, 2011 at 09:45:31AM -0400, Ben M. wrote:
>> With CentOS Xen 5.6 (standard installation, SELinux enabled) is there an FAQ or
>> general user consensus as to when to do a reboot after what updates?
>
> In my opinion, is the change sufficiently urgent that existing running
> processes need to pick it up?
>
> For example, a glibc patch means the new glibc will be executed by new
> processes, but already running programs will have the old glibc mapped
> into memory; if there's a security issue with the old glibc then already
> running processes may still be exploitable.
>
> Another example could be the tzdata patches; if your timezone is
> impacted then existing processes may not pick up the changes unless
> they're restarted.
>
> Of course a new kernel doesn't run until you reboot :-)
>
> I tend to reboot after glibc and kernel patches, but not normally after
> any other (but I do restart services as necessary, e.g. httpd after an
> apache patch).
>

I do the same on services, or reboot if convenient.

What do you think about SELinux and libvirt updates (in Dom-0)? I see SELinux reinitialized (and it locked me out while doing so for a few scary seconds, hahaha). Would that require a reboot to encompass all that it protects when policies are updated?
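Stephen's point about running processes keeping the old glibc mapped can be checked rather than guessed: on Linux the kernel tags a mapping whose file was replaced on disk with "(deleted)" in /proc/PID/maps. The script below is an added example, not from the list thread; the sample maps text in it is constructed, and the /proc scan assumes a Linux host.

```shell
#!/bin/sh
# Added example: find processes that still map a shared library which has
# been replaced on disk since they started (what an update of glibc,
# libvirt or similar leaves behind until the process is restarted).

# stale_libs MAPS_TEXT: print, one per line and de-duplicated, every mapped
# .so whose on-disk file was replaced. Filtering on ".so" keeps unlinked
# temp files and memfd mappings (also shown as "(deleted)") out of the list.
stale_libs() {
    printf '%s\n' "$1" \
        | awk '$NF == "(deleted)" && $(NF-1) ~ /\.so/ { print $(NF-1) }' \
        | sort -u
}

# scan_stale_processes: walk /proc and print "PID libs..." for each process
# that still has a replaced library mapped. Needs root to read other
# users' maps files; unreadable entries are skipped silently.
scan_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_libs "$(cat "$maps" 2>/dev/null)") || continue
        [ -n "$libs" ] && printf '%s %s\n' "$pid" "$(printf '%s' "$libs" | tr '\n' ' ')"
    done
}

# Constructed sample of what /proc/PID/maps looks like for a process that
# started before a glibc update: libc is replaced, ld.so is not.
SAMPLE_MAPS='7f1a00000000-7f1a001b4000 r-xp 00000000 fd:00 131202 /lib64/libc-2.12.so (deleted)
7f1a001b4000-7f1a003b4000 ---p 001b4000 fd:00 131202 /lib64/libc-2.12.so (deleted)
7f1a003b8000-7f1a003d8000 r-xp 00000000 fd:00 131100 /lib64/ld-2.12.so
7ffd2c000000-7ffd2c021000 rw-p 00000000 00:00 0 [stack]'

# Run with "--scan" on a live host; with no arguments it shows the sample.
if [ "$1" = "--scan" ]; then
    scan_stale_processes
else
    stale_libs "$SAMPLE_MAPS"
fi
```

A non-empty result names the processes (and their services) to restart; if the list includes init or nearly everything, a reboot is the simpler answer.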