On Wed, Jul 06, 2016 at 02:52:34PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> On Wed, Jul 06, 2016 at 02:11:31PM +0200, Petr Lautrbach wrote:
> > On 07/04/2016 05:34 PM, Richard W.M. Jones wrote:
> > > I don't exactly know where to post this, but I guess I have everyone's
> > > attention on this thread.
> > >
> > > Attached are patches which work for me. They could really do with
> > > review from someone who knows what they're doing. They also need much
> > > more testing than I've done, but I'll be doing that myself later.
> > >
> > > The first patch (against libselinux) sets SELinux to Permissive mode
> > > early in boot if the /.autorelabel file is found (or autorelabel on
> > > the command line).
> >
> > I don't think it's a good idea to change the library this way. It would
> > add another configuration point where the mode can be changed, and it
> > would depend on a service (which can even be masked) from another
> > package; if this service didn't clear /.autorelabel, the system would
> > stay in permissive mode.
>
> That patch is the answer to the (repeated) bug reports that relabelling
> fails if enforcing=1 and the labels are sufficiently messed up.
> Doing the relabel in permissive mode, without ever going to enforcing
> mode, seems like the most reliable way out in this case. Starting in
> enforcing mode first, and then switching back to permissive later
> is a complication that increases the chances of failure.

Upstream SELinux have comprehensively rejected this approach. They do
not want the presence of /.autorelabel to cause SELinux to switch to
permissive mode.

We might carry my patch downstream (in fedora-selinux.git), but I don't
know who manages that repository or where to post patches for it.

Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch http://libguestfs.org/virt-builder.1.html