The autorelabel feature has been broken in Fedora for a while. virt-builder relies on this feature to enable SELinux in guests since we are unable to set filesystem labels when generating the image. So it comes down to me to try to fix this.

There was a discussion on the Fedora development list which explains the background and the reasons why autorelabel is broken:

http://thread.gmane.org/gmane.linux.redhat.fedora.devel/220453

The plan to fix autorelabel (also formulated in the above thread) is in two parts:

(1) [This patch] If the autorelabel condition is detected when loading policy very early during boot, we set SELinux to permissive mode (overriding the contents of /etc/selinux/config and the command line).

(2) We install a systemd "generator". If the autorelabel condition is detected, then the generator redirects the default target to a new, very minimal selinux-autorelabel.target. This will relabel the filesystem, remove /.autorelabel and reboot. After the reboot the system will boot normally, with correct filesystem labels and of course with SELinux enabled. During relabelling (unlike currently) only a very minimal set of services are enabled, just enough to be able to mount the filesystem. This should ensure there is no danger from having SELinux permissive while relabelling.

This patch is actually against the fedora-selinux.git tree, although it probably applies upstream too.

Rich.
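
The generator step in part (2) of the plan, as an added sketch that is not part of the original post or of the patch it introduces. It assumes the autorelabel condition is the presence of `/.autorelabel`; the unit directory, the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Sketch of a systemd generator for the autorelabel plan (added example).
# Assumptions: the "autorelabel condition" is the presence of /.autorelabel,
# and selinux-autorelabel.target is installed under UNITDIR.

UNITDIR="${UNITDIR:-/usr/lib/systemd/system}"   # assumed unit location

# autorelabel_requested ROOT: succeed if ROOT/.autorelabel exists.
autorelabel_requested() {
    [ -e "$1/.autorelabel" ]
}

# redirect_default_target ROOT EARLYDIR
# If relabelling was requested, point default.target at the minimal
# relabel target for this boot only. Generator output directories live
# under /run (tmpfs), so nothing persistent is changed: once the relabel
# run has removed /.autorelabel and rebooted, the normal default target
# is used again.
# Returns 0 on redirect, 1 if no relabel was requested, 2 on a bad EARLYDIR.
redirect_default_target() {
    root="$1"
    earlydir="$2"
    autorelabel_requested "$root" || return 1
    [ -d "$earlydir" ] || return 2
    ln -sf "$UNITDIR/selinux-autorelabel.target" "$earlydir/default.target"
}

# systemd calls generators with three directories: normal, early, late.
# The early directory takes precedence over the configuration in /etc,
# which is what lets the redirect win over the configured default target.
if [ "${0##*/}" = "selinux-autorelabel-generator" ]; then   # hypothetical name
    redirect_default_target "" "$2"
    exit 0   # a generator exits 0 whether or not it acted
fi
```

Because the redirect replaces the whole default target, only what `selinux-autorelabel.target` pulls in is started while SELinux is permissive, which is the property the plan relies on.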