On Wed, Jul 06, 2016 at 02:11:31PM +0200, Petr Lautrbach wrote:
> On 07/04/2016 05:34 PM, Richard W.M. Jones wrote:
> > I don't exactly know where to post this, but I guess I have everyone's
> > attention on this thread.
> >
> > Attached are patches which work for me. They could really do with
> > review from someone who knows what they're doing. They also need much
> > more testing than I've done, but I'll be doing that myself later.
> >
> > The first patch (against libselinux) sets SELinux to Permissive mode
> > early in boot if the /.autorelabel file is found (or autorelabel on
> > the command line).
>
> I don't think it's a good idea to change the library this way. It would
> add another configuration point where the mode can be changed, and it
> would depend on the service (which can even be masked) from another
> package; if this service didn't clear /.autorelabel, the system would
> stay in permissive mode.

That patch is the answer to the (repeated) bug reports that relabelling
fails if enforcing=1 and the labels are sufficiently messed up. Doing the
relabel in permissive mode, without ever going to enforcing mode, seems
like the most reliable way out in this case. Starting in enforcing mode
first, and then switching back to permissive later, is a complication that
increases the chances of failure.

Zbyszek

> > The second patch (against policycoreutils in Fedora) implements the
> > generator itself.
>
> It looks good. I can apply/use it when I'm back.
>
> > Some problems I found:
> >
> > - It would be nice if systemd defined a %{_generatorsdir} RPM macro.
> >
> > - I couldn't get it to work only depending on local-fs.target. I had
> > to depend on sysinit.target. With local-fs.target, /boot could not
> > be mounted, so there may be something broken/missing in
> > local-fs.target.
> >
> > - There seems to be no upstream for selinux-autorelabel* since it was
> > moved from systemd. It looks like the only upstream is Fedora's
> > policycoreutils itself. Maybe I missed something there.
>
> selinux-autorelabel* were moved from initscripts and the only upstream
> is Fedora now.
>
> Note: I'm on vacation from 2016-07-01 till 2016-07-10 with limited
> access to the Internet.
>
> Petr
> --
> Petr Lautrbach
>
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
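The generator discussed in the thread is not attached here, so the following is an added example of what such a systemd generator can look like; it is illustrative code, not the patch from the thread or Fedora's policycoreutils script. It shows the two triggers the thread mentions (the /.autorelabel flag file and the `autorelabel` kernel command-line token), matches the command-line token exactly rather than as a substring, and pulls the relabel unit into sysinit.target through the early generator directory, following Richard's report that local-fs.target alone left /boot unmounted. The unit name `selinux-autorelabel.service` and its location under /usr/lib/systemd/system are assumptions; systemd's generator contract (three directory arguments: normal, early, late) is real.

```shell
#!/bin/sh
# Added example: a minimal systemd generator that requests an SELinux relabel.
# Not the thread's patch and not Fedora's script. Assumed: the unit name
# selinux-autorelabel.service under /usr/lib/systemd/system.

# autorelabel_requested CMDLINE FLAGFILE
# Succeeds (exit 0) when a relabel was requested either by the flag file
# (normally /.autorelabel) or by the bare "autorelabel" token on the kernel
# command line. Only the exact token counts: a substring test such as
# `grep autorelabel` would also fire on "noautorelabel" or "autorelabel=0".
autorelabel_requested() {
    _cmdline=$1
    _flagfile=$2
    [ -e "$_flagfile" ] && return 0
    for _tok in $_cmdline; do
        case $_tok in
            autorelabel) return 0 ;;
        esac
    done
    return 1
}

# write_generator_units EARLY_DIR
# Makes sysinit.target want the (assumed) relabel unit by dropping a
# symlink into the early generator directory, which systemd ranks above
# unit files in /etc and /usr. sysinit.target rather than local-fs.target
# follows the thread: /boot was not yet mounted under local-fs.target alone.
write_generator_units() {
    _early_dir=$1
    _wants="$_early_dir/sysinit.target.wants"
    mkdir -p "$_wants"
    ln -sf /usr/lib/systemd/system/selinux-autorelabel.service \
        "$_wants/selinux-autorelabel.service"
}

# Generator entry point: systemd passes NORMAL_DIR EARLY_DIR LATE_DIR.
main() {
    _early_dir=$2
    _cmdline=$(cat /proc/cmdline 2>/dev/null)
    if autorelabel_requested "$_cmdline" /.autorelabel; then
        write_generator_units "$_early_dir"
    fi
}

# Act only when invoked by systemd with its three directories; running or
# sourcing the file without arguments just defines the functions.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Installed as an executable under the system generator directory (the thread notes that no `%{_generatorsdir}` RPM macro exists yet to name that path), the script runs at every boot before units are loaded; it has no effect unless one of the two triggers is present, and the relabel service itself remains responsible for removing /.autorelabel afterwards, which is the concern Petr raises about the libselinux variant.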