-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/07/2012 08:44 AM, Bruno Wolff III wrote: > On Fri, Dec 07, 2012 at 08:22:10 -0500, John.Florian@xxxxxxxx wrote: >> >> Thinking selinux might be preventing the relabel from happening (?!?) I >> rebooted with selinux=0 so that I could reconfig /etc/sysconfig/selinux >> having SELINUX=permissive, touched /.autorelabel and rebooted again. >> This time I saw the relabel process do its thing and trigger a reboot. I >> then went back to reconfig /etc/sysconfig/selinux having >> SELINUX=enforcing, rebooted and all seemed well, finally. > > The autorelabel is supposed to happen early in the boot process and I think > it is supposed to work even if you system normally comes up in enforcing > mode. So that sounds like a bug. > > (You can come up in permissive mode using the enforcing=0 kernel parameter. > This is a bit more convenient in some cases for a one time boot, than > changing the selinux configuration.) > > This is generally the safeest way to relabel as you don't want processes > that started with the wrong context creating more incorrectly labelled > files while you are trying to fix things up (with say restorecon). > >> So, I'm all good now, but there may be some bugs in that "relabel should >> happen automatically" bit. -- John Florian Yes systemd is supposed to set the machine into permissive mode for the relabel, but I guess if the machine is totally mislabeled, systemd might be prevented from doing this, although I would figure systemd would be running as the kernel label. Bottom line this would be difficult to diagnose what happened to force you to relabel in permissive mode. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlDCD0MACgkQrlYvE4MpobN0gACeIRh+3rBTIXX/GVvxxIrMnvUq 1EUAoNfsFpd+zYOiPq9h/+fXol6j3mLO =kYu4 -----END PGP SIGNATURE----- -- test mailing list test@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test
