On Thu, 2016-06-30 at 07:34 +0000, Christian Stadelmann wrote:
> > It should be possible to touch /.autorelabel and have the SELinux
> > labels on the filesystem fixed at next boot.
>
> […]
>
> > (a) Configure /etc/selinux/config to set SELinux permissive, and
> > modify the fedora-autorelabel.service so it edits /etc/selinux/config
> > to re-enable SELinux next time. This editing would have to be
> > conditional, and the details are up in the air. Maybe there could be
> > a "/.autorelabel-enforce-after-boot" file to do this?
>
> Setting SELinux to permissive (even for a very short time) seems risky
> to me. I'd rather not do that.

You may not have an option, if the labeling is broken, starting in
enforcing may mean you never get to relabel the filesystem as the
relabeling tool may fail to start altogether.

> > Insert your idea here …
>
> Do it the same way `dnf system-upgrade` works. The requirements (having
> local filesystem read- and writable) are quite similar. Or the way
> PackageKit's system upgrade works…
> probably the same as (b) though…

This is something I agree with, the system should have an autorelabel
target that is one-shot just like the system upgrades, and it should
bring up really the minimal system required to boot and mount the
filesystem to be relabeled and nothing else, it should work in
permissive mode and possibly with auditing enabled.

Simo.

--
Simo Sorce * Red Hat, Inc * New York