On Wed, 2016-06-29 at 22:15 +0100, Richard W.M. Jones wrote:
> It should be possible to touch /.autorelabel and have the SELinux
> labels on the filesystem fixed at next boot.
>
> Fedora 24 shipped with a couple of nasty bugs in /.autorelabel
> functionality:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1351352
> https://bugzilla.redhat.com/show_bug.cgi?id=1349586
>
> This is not particularly a new thing. This bug against systemd was
> filed a couple of years ago, and still not fixed although the problem
> is understood and there is a fix:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1049656
>
> The general issues are:
>
> (1) Autorelabelling requires that the system is booted up "enough" to
> run the fedora-autorelabel.service.
>
> (2) If SELinux is enabled during the boot, then services may fail to
> start up correctly because of mislabelled files.
>
> (3) fedora-autorelabel.service requires local-fs.target. This is a
> correct dependency, but it also happens quite late -- if you look at
> the attached chart you can see that dozens of services need to be
> started successfully before we even get to local-fs.target.
>
> (4) If we don't reach the fedora-autorelabel.service then we can be
> dumped into a rescue shell, or worse still go into a boot loop.
>
> (5) The fedora-autorelabel.service itself can fail to be run because
> SELinux stops systemd from working properly (the cause of
> RHBZ#1049656).
>
> (6) A related problem is that the autorelabel doesn't stop other
> services from attempting to start while the relabel is happening.
>
> I'm not sure what's a good way to fix it. Some ways I can think of:
>
> (e) Insert your idea here ...

Well, bug #1351352 (which you cited) isn't exactly a bug, but my
suggestion, which isn't quite the same as any of yours (though it's
similar to a couple).

My suggestion is to have libselinux look whether a relabel is planned -
by checking for /.autorelabel or 'autorelabel' on the cmdline, which is
what the autorelabel service looks for - and load in permissive mode if
so.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
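The check Adam proposes, written out as a small POSIX shell script. This is an added illustration and is not code from the thread, from libselinux or from fedora-autorelabel.service; it only shows the decision the message describes (relabel pending if either `/.autorelabel` exists or the word `autorelabel` is on the kernel command line, in which case the policy should load permissive). The function names, the root-directory parameter and the choice to match `autorelabel` as a whole command-line token rather than a substring are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, libselinux or Fedora):
# decide whether an SELinux relabel is pending, using the two signals the
# message names, and derive the enforce mode the policy load should use.

# autorelabel_planned ROOT CMDLINE
#   ROOT    - filesystem root to look under ("/" on a live system; a
#             parameter here so the logic can be tested against a tmpdir)
#   CMDLINE - kernel command line text (normally the contents of /proc/cmdline)
# Returns 0 (true) if a relabel is planned, 1 otherwise.
autorelabel_planned() {
    root=$1
    cmdline=$2

    # Signal 1: the flag file at the root of the filesystem.
    [ -e "$root/.autorelabel" ] && return 0

    # Signal 2: the bare word "autorelabel" on the kernel command line.
    # Assumption: match whole tokens, so e.g. "foo=autorelabel" does not count.
    for tok in $cmdline; do
        case "$tok" in
            autorelabel) return 0 ;;
        esac
    done
    return 1
}

# desired_enforce_mode ROOT CMDLINE
#   Prints the value a policy loader following this suggestion would use
#   for /sys/fs/selinux/enforce: 0 (permissive) while a relabel is pending,
#   1 (enforcing) otherwise. Printing instead of writing keeps the example
#   side-effect free.
desired_enforce_mode() {
    if autorelabel_planned "$1" "$2"; then
        echo 0
    else
        echo 1
    fi
}

# Stand-alone usage on a Linux host: report what mode this boot should get.
if [ -r /proc/cmdline ]; then
    echo "enforce mode for this boot: $(desired_enforce_mode / "$(cat /proc/cmdline)")"
fi
```

Run it as `sh autorelabel-check.sh` on a Linux system; with neither signal present it prints `1`, after `touch /.autorelabel` (as root) it prints `0`.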