On 26/11/14 18:53, m.roth@xxxxxxxxx wrote:
> Tristan Santore wrote:
>> On 26/11/14 18:44, m.roth@xxxxxxxxx wrote:
>>> The admin I work with and I have been updating our CentOS servers to 6.6.
>>> One server that's been running for years, with no issues (it is in
>>> permissive, also), got updated...
>>>
>>> Nov 25 17:26:56 Updated: kexec-tools-2.0.0-280.el6.x86_64
>>> <many, many, many lines of asterisks elided>
>>> Nov 26 01:10:52 Updated: selinux-policy-targeted-3.7.19-260.el6.noarch
>>> Nov 26 01:10:56 Updated: coolkey-1.1.0-32.el6.x86_64
>>>
>>> Yes, that *is* about 7.5 *hours* to install that policy. I can only
>>> guess that for some reason, it decided to relabel the *ENTIRE* system.
>>>
>>> Anyone have any idea *why*?
>> Any large SANs mounted? Or other large data volumes? Then it could
>> take AGES!
>>
> Nope. A RAID 1 w/ 914G, 37% used. Don't tell me it tried to do any
> NFS-mounted stuff, that I can't believe.
>
>       mark
>

<snip RPM SPEC FILE>
%post targeted
packages=`cat /usr/share/selinux/targeted/modules.lst`
if [ $1 -eq 1 ]; then
   %loadpolicy targeted $packages
   restorecon -R /root /var/log /var/run 2> /dev/null
else
   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec -r corosync -r pacemaker -r amavis -r clamav -r glusterfs 2>/dev/null
   %loadpolicy targeted $packages
   %relabel targeted
fi
exit 0
<snip RPM SPEC FILE>

Well, I am not sure and Miroslav and Dan will have to tell you exactly
what goes on, but it does look like it tries to force a full relabel. I
got this from the spec file, but I have never built the selinux-policy
myself, so not sure which %post section actually is applied, but suspect
as that is the targeted package option, it depends on the policy being
built and packaged. I cannot seem to find the %relabel macro in the docs
anywhere though, probably looking in the wrong place.

Dan and Miroslav can probably also clarify if the relabel applies to
remotely mounted storage or if there is an exception there.

I hope this helps.

Regards,
Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
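
Added example, not part of the message above and not code from the selinux-policy project: a small parser for yum.log entries like the ones quoted in the thread, which reports where wall-clock time went between consecutive package lines. The function names, the 10-minute threshold and the sample text are assumptions made for this illustration; a gap only shows that time elapsed between two log lines, not which scriptlet consumed it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in yum.log format. The three package lines are the ones
# quoted in the thread; the lines the poster elided are simply absent here.
SAMPLE_YUM_LOG = """\
Nov 25 17:26:56 Updated: kexec-tools-2.0.0-280.el6.x86_64
Nov 26 01:10:52 Updated: selinux-policy-targeted-3.7.19-260.el6.noarch
Nov 26 01:10:56 Updated: coolkey-1.1.0-32.el6.x86_64
"""

LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<action>Installed|Updated|Erased): (?P<pkg>\S+)$"
)


def _stamp_to_datetime(stamp, year):
    # yum.log lines carry no year, so one has to be supplied by the caller.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_yum_log(text, year):
    """Yield (datetime, action, package) for each transaction line.

    `year` is the year of the first entry; if a timestamp goes backwards
    the log is assumed to have crossed into the next year.
    """
    previous = None
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # blank lines, separators, anything not a package entry
        ts = _stamp_to_datetime(match["stamp"], year)
        if previous is not None and ts < previous:
            year += 1
            ts = _stamp_to_datetime(match["stamp"], year)
        previous = ts
        yield ts, match["action"], match["pkg"]


def slow_steps(text, year, threshold=timedelta(minutes=10)):
    """Return (package, gap) for entries logged more than `threshold`
    after the entry before them."""
    entries = list(parse_yum_log(text, year))
    return [(pkg, ts - prev_ts)
            for (prev_ts, _, _), (ts, _, pkg) in zip(entries, entries[1:])
            if ts - prev_ts > threshold]


if __name__ == "__main__":
    for pkg, gap in slow_steps(SAMPLE_YUM_LOG, 2014):
        print(f"{gap} elapsed before {pkg} was logged")
```

Run against a real /var/log/yum.log, the same functions show whether a long pause clusters around selinux-policy updates on several hosts or is a one-off.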