On Wed, 2010-02-17 at 12:09 -0800, Justin P. mattock wrote:
> On 02/17/2010 11:58 AM, Stephen Smalley wrote:
> > On Wed, 2010-02-17 at 14:37 -0500, Alan Rouse wrote:
> >> Oops.
> >>
> >> I'm a bit confused though. What are the scenarios that trigger an
> >> autorelabel? I've not had any luck with the -autorelabel kernel boot
> >> parameter, nor with the /.autorelabel flag file. OTOH sometimes when
> >> I reboot it (apparently) decides to autorelabel.
> >
> > In Fedora, automatic relabeling is performed by /etc/rc.d/rc.sysinit.
> > It is triggered if SELinux is enabled and either:
> > 1) the word "autorelabel" appears as a parameter in the kernel command
> > line, or
> > 2) a file named "/.autorelabel" exists (in which case the file is then
> > removed)
> >
> > The /.autorelabel file is automatically created by rc.sysinit if you
> > ever boot with SELinux disabled so that a subsequent boot with SELinux
> > re-enabled will trigger the automatic relabeling as well.
> >
> > In any event, you can always just run fixfiles -F restore yourself (or
> > run 'make relabel' from the refpolicy directory).
> >
> >
> that's right the daemon.. figured they already had that there.
> anyways fixfiles works for now (hopefully).
>
> another thing I'm seeing is
> adding a user login to staff_u gives this:
> SELinux policy is not managed or store cannot be accessed.
> (even after adding seusers).

That means your policy wasn't built as modular (MONOLITHIC=n).

--
Stephen Smalley
National Security Agency
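
[Added example, not part of the original thread and not taken from rc.sysinit: a small shell model of the autorelabel trigger rules quoted above, useful for checking which condition, if any, would fire on a given boot. The function name relabel_reason, its arguments, and the whole-word match on the command line are assumptions made for this illustration.]

```shell
#!/bin/sh
# Added example: models the trigger rules described in the thread.
# relabel_reason CMDLINE ROOT ENABLED   (function and argument names are hypothetical)
#   CMDLINE  kernel command line text, e.g. "$(cat /proc/cmdline)"
#   ROOT     directory checked for the .autorelabel flag file (normally /)
#   ENABLED  1 if SELinux is enabled on this boot, 0 if disabled
# Prints one word: cmdline | flagfile | deferred | none
relabel_reason() {
    cmdline=$1
    root=${2:-/}
    enabled=$3

    if [ "$enabled" != "1" ]; then
        # Disabled boot: no relabel now, but per the thread rc.sysinit leaves
        # /.autorelabel behind, so the next enabled boot relabels.
        echo deferred
        return 0
    fi
    # Assumption of this model: "appears as a parameter" means a whole
    # whitespace-delimited word, so "-autorelabel" is not counted here.
    case " $cmdline " in
        *" autorelabel "*) echo cmdline; return 0 ;;
    esac
    if [ -e "${root%/}/.autorelabel" ]; then
        echo flagfile
        return 0
    fi
    echo none
}

# Constructed sample inputs; a temp dir stands in for / so nothing real is touched.
demo_root=$(mktemp -d)
echo "enabled, plain cmdline, no flag: $(relabel_reason 'ro root=/dev/sda1 quiet' "$demo_root" 1)"
: > "$demo_root/.autorelabel"
echo "enabled, flag file present:      $(relabel_reason 'ro root=/dev/sda1 quiet' "$demo_root" 1)"
echo "enabled, autorelabel on cmdline: $(relabel_reason 'ro autorelabel quiet' "$demo_root" 1)"
echo "booted with SELinux disabled:    $(relabel_reason 'ro selinux=0' "$demo_root" 0)"
rm -rf "$demo_root"
```

[On a live system the arguments could be supplied as "$(cat /proc/cmdline)", /, and the result of selinuxenabled.]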