It should be possible to touch /.autorelabel and have the SELinux labels on the filesystem fixed at next boot. Fedora 24 shipped with a couple of nasty bugs in /.autorelabel functionality:

  https://bugzilla.redhat.com/show_bug.cgi?id=1351352
  https://bugzilla.redhat.com/show_bug.cgi?id=1349586

This is not particularly a new thing. This bug against systemd was filed a couple of years ago, and still not fixed although the problem is understood and there is a fix:

  https://bugzilla.redhat.com/show_bug.cgi?id=1049656

The general issues are:

(1) Autorelabelling requires that the system is booted up "enough" to run the fedora-autorelabel.service.

(2) If SELinux is enabled during the boot, then services may fail to start up correctly because of mislabelled files.

(3) fedora-autorelabel.service requires local-fs.target. This is a correct dependency, but it also happens quite late -- if you look at the attached chart you can see that dozens of services need to be started successfully before we even get to local-fs.target.

(4) If we don't reach the fedora-autorelabel.service then we can be dumped into a rescue shell, or worse still go into a boot loop.

(5) The fedora-autorelabel.service itself can fail to be run because SELinux stops systemd from working properly (the cause of RHBZ#1049656).

(6) A related problem is that the autorelabel doesn't stop other services from attempting to start while the relabel is happening.

I'm not sure what's a good way to fix it. Some ways I can think of:

(a) Configure /etc/selinux/config to set SELinux permissive, and modify the fedora-autorelabel.service so it edits /etc/selinux/config to re-enable SELinux next time. This editing would have to be conditional, and the details are up in the air. Maybe there could be a "/.autorelabel-enforce-after-boot" file to do this?

[Note these are for VM images, so we cannot have "special" boot flags that the user must set and modify, it must all happen automatically]

(b) Introduce some shortcut, low level, very minimal default target which systemd uses when it sees the /.autorelabel file. This was basically what sysvinit used to do - the /.autorelabel file was processed specially very early in the boot scripts.

(c) Instead of touching the file, set the default.target to some special target. The problem with this is we want to replace default.target with the normal one after the autorelabel completes successfully, and I've no idea how to do that.

(d) Combine setting SELinux to enforcing with checking for /.autorelabel. If whatever it is that reads /etc/selinux/config notices that the /.autorelabel file exists, it should do the autorelabel before setting SELinux to enforcing.

(e) Insert your idea here ...

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
Attachment: plot.svg (image/svg)
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
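The conditional /etc/selinux/config edit sketched in option (a), written out as an added example that is not part of the post above and not Fedora's fedora-autorelabel.service. It assumes the "/.autorelabel-enforce-after-boot" marker the post floats as an idea, and takes the image root as a parameter so it can be exercised against a scratch directory instead of a live system.

```shell
#!/bin/sh
# Added example of option (a): boot the image permissive, and have the relabel
# step restore enforcing only when a marker says so and only after the relabel
# itself has completed. All paths are relative to ROOT (a parameter), so this
# can be run against a throwaway directory.

# set_selinux_mode CONFIG MODE: rewrite the SELINUX= line in CONFIG, keeping
# every other line. Refuses unknown modes and a config with no SELINUX= line.
# Writes back through the existing file (not mv) so the config keeps its
# inode, owner, permissions and current security label.
set_selinux_mode() {
    config=$1; mode=$2
    case $mode in permissive|enforcing) ;; *) return 1 ;; esac
    grep -q '^SELINUX=' "$config" || return 1
    tmp=$(mktemp) || return 1
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$config" > "$tmp" &&
        cat "$tmp" > "$config"
    rm -f "$tmp"
}

# get_selinux_mode CONFIG: print the configured mode (e.g. "enforcing").
get_selinux_mode() {
    sed -n 's/^SELINUX=//p' "$1"
}

# prepare_relabel ROOT: what an image builder would do before first boot:
# request the relabel, record that enforcing must come back, boot permissive.
prepare_relabel() {
    root=$1
    : > "$root/.autorelabel"
    : > "$root/.autorelabel-enforce-after-boot"
    set_selinux_mode "$root/etc/selinux/config" permissive
}

# finish_relabel ROOT: what the relabel service would do after the relabel
# succeeded. Only restores enforcing if the marker exists, then removes both
# flag files so the next boot is an ordinary one. If restoring the mode fails
# the marker is left in place, so the condition is retried rather than lost.
finish_relabel() {
    root=$1
    rm -f "$root/.autorelabel"
    if [ -e "$root/.autorelabel-enforce-after-boot" ]; then
        set_selinux_mode "$root/etc/selinux/config" enforcing || return 1
        rm -f "$root/.autorelabel-enforce-after-boot"
    fi
}
```

The defender's caveat is the one the post raises in (6): until finish_relabel runs the image is permissive, so anything that boots before the relabel step runs unconfined, and a relabel that never completes leaves it that way.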