Re: Why did SELinux relabel my filesystem?

On Dec 25, 2013, at 4:25 AM, Steven P. Ulrick <meow8282@xxxxxxxxx> wrote:

> Hello, Everyone
> During my most recent re-boot, SELinux relabeled my entire filesystem.
> Which would be fine, except for the fact that I have SELinux disabled
> on my system:
> 
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> #     enforcing - SELinux security policy is enforced.
>> #     permissive - SELinux prints warnings instead of enforcing.
>> #     disabled - No SELinux policy is loaded.
>> SELINUX=disabled
>> # SELINUXTYPE= can take one of these two values:
>> #     targeted - Targeted processes are protected,
>> #     minimum - Modification of targeted policy. Only selected processes are protected.
>> #     mls - Multi Level Security protection.
>> SELINUXTYPE=targeted
> 
> Why did SELinux, which is disabled on my system, spend all that time re-labeling my filesystem?

Upon disabling selinux, the labels were made incorrect as a result, and at the same time /.autorelabel was created to inform a future selinux enabling to know the system needed to be relabeled on boot, because otherwise it probably would have face planted due to the fact the labels were made incorrect by disabling selinux.

A recent selinux update apparently causes /etc/sysconfig/selinux to be ignored, therefore your system came up in enforcing mode and was relabeled.

Instead, you should use enforcing=0 as a boot parameter. It can be added to /etc/default/grub, and then use grub2-mkconfig to recreate grub.cfg and make the change persistent. enforcing=0 maintains the correct labels, reports AVC denials, but doesn't actually enforce them.

selinux=0 isn't a good idea. Discussed here:
http://danwalsh.livejournal.com/10972.html


Chris Murphy
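
Added example, not part of the original message: one way to script the `/etc/default/grub` change described in the reply, so that `enforcing=0` ends up in `GRUB_CMDLINE_LINUX` exactly once, plus a check for a leftover `selinux=0`. The function names `add_enforcing0` and `has_selinux0` are hypothetical, and the sample file is constructed; the script never touches the real `/etc/default/grub`.

```bash
# Added example (not from the original post). Demonstrated on a constructed
# copy of /etc/default/grub; nothing under /etc or /boot is touched.

# add_enforcing0 FILE: make GRUB_CMDLINE_LINUX in FILE carry enforcing=0
# exactly once. Returns 2 if FILE has no GRUB_CMDLINE_LINUX="..." line.
add_enforcing0() {
    local file=$1 tmp rc
    grep -q '^GRUB_CMDLINE_LINUX="' "$file" || return 2
    tmp=$(mktemp) || return 1
    if awk '
        /^GRUB_CMDLINE_LINUX="/ {
            val = $0
            sub(/^GRUB_CMDLINE_LINUX="/, "", val)
            sub(/"[ \t]*$/, "", val)
            n = split(val, tok, /[ \t]+/)
            out = ""
            for (i = 1; i <= n; i++)      # keep every argument except enforcing=*
                if (tok[i] != "" && tok[i] !~ /^enforcing=/)
                    out = out tok[i] " "
            print "GRUB_CMDLINE_LINUX=\"" out "enforcing=0\""
            next
        }
        { print }
    ' "$file" > "$tmp"; then
        cat "$tmp" > "$file"; rc=$?       # cat keeps owner and mode of FILE
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# has_selinux0 FILE: true if GRUB_CMDLINE_LINUX still passes selinux=0,
# the setting the post advises against.
has_selinux0() {
    grep -Eq '^GRUB_CMDLINE_LINUX="([^"]*[[:space:]])?selinux=0([[:space:]]|")' "$1"
}

# Constructed sample standing in for /etc/default/grub.
demo=$(mktemp)
printf '%s\n' 'GRUB_TIMEOUT=5' \
    'GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/root selinux=0 rhgb quiet"' > "$demo"
add_enforcing0 "$demo" && grep '^GRUB_CMDLINE_LINUX=' "$demo"
has_selinux0 "$demo" && echo "note: selinux=0 is still on the kernel command line"
rm -f "$demo"
# On a real system: run add_enforcing0 on /etc/default/grub as root, then
# recreate grub.cfg with grub2-mkconfig -o <path to your grub.cfg>.
```

Running the function a second time leaves the file unchanged, and an existing `enforcing=1` is replaced rather than duplicated.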