On Wed, 2016-06-29 at 22:15 +0100, Richard W.M. Jones wrote:
> It should be possible to touch /.autorelabel and have the SELinux
> labels on the filesystem fixed at next boot.
>
> Fedora 24 shipped with a couple of nasty bugs in /.autorelabel
> functionality:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1351352
> https://bugzilla.redhat.com/show_bug.cgi?id=1349586
>
> This is not particularly a new thing. This bug against systemd was
> filed a couple of years ago, and still not fixed although the problem
> is understood and there is a fix:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1049656
>
> The general issues are:
>
> (1) Autorelabelling requires that the system is booted up "enough" to
> run the fedora-autorelabel.service.
>
> (2) If SELinux is enabled during the boot, then services may fail to
> start up correctly because of mislabelled files.
>
> (3) fedora-autorelabel.service requires local-fs.target. This is a
> correct dependency, but it also happens quite late -- if you look at
> the attached chart you can see that dozens of services need to be
> started successfully before we even get to local-fs.target.
>
> (4) If we don't reach the fedora-autorelabel.service then we can be
> dumped into a rescue shell, or worse still go into a boot loop.
>
> (5) The fedora-autorelabel.service itself can fail to be run because
> SELinux stops systemd from working properly (the cause of
> RHBZ#1049656).
>
> (6) A related problem is that the autorelabel doesn't stop other
> services from attempting to start while the relabel is happening.
>
> I'm not sure what's a good way to fix it. Some ways I can think of:
>
> (e) Insert your idea here ...
Well, bug #1351352 (which you cited) isn't exactly a bug, but my
suggestion, which isn't quite the same as any of yours (though it's
similar to a couple). My suggestion is to have libselinux look whether
a relabel is planned - by checking for /.autorelabel or 'autorelabel'
on the cmdline, which is what the autorelabel service looks for - and
load in permissive mode if so.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
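The check Adam's reply proposes (look for /.autorelabel or the word "autorelabel" on the kernel command line, and pick permissive if either is present) written out as a POSIX shell function. This is an added example for the thread, not code from libselinux, systemd or the fedora-autorelabel service; the function names `relabel_planned` and `selinux_boot_mode`, the file-path parameters, and the sample command lines in the demo are all assumptions made here so the logic can be exercised without touching a real system. The whole-word match is the one detail worth getting right: a bare `grep autorelabel /proc/cmdline` would also fire on an unrelated parameter that merely contains that substring.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a relabel is planned
# using the two signals the reply mentions, the /.autorelabel flag file and
# the word "autorelabel" on the kernel command line. The flag file and the
# cmdline file are parameters (assumption) so the check can be run against
# constructed inputs instead of the real /.autorelabel and /proc/cmdline.

# relabel_planned FLAG_FILE CMDLINE_FILE
# Exit status 0 if a relabel is planned, 1 otherwise.
relabel_planned() {
    flag_file=$1
    cmdline_file=$2

    # Signal 1: the flag file exists (what "touch /.autorelabel" creates).
    [ -e "$flag_file" ] && return 0

    # Signal 2: "autorelabel" appears on the kernel command line as a whole
    # parameter, with or without a value. The surrounding spaces in the
    # pattern keep a parameter such as "noautorelabel" from matching.
    [ -r "$cmdline_file" ] || return 1
    read -r cmdline < "$cmdline_file" || return 1
    case " $cmdline " in
        *" autorelabel "*|*" autorelabel="*) return 0 ;;
    esac
    return 1
}

# selinux_boot_mode FLAG_FILE CMDLINE_FILE
# Prints the mode the reply suggests libselinux should load in: permissive
# when a relabel is planned (so mislabelled files cannot break early boot),
# enforcing otherwise.
selinux_boot_mode() {
    if relabel_planned "$1" "$2"; then
        echo permissive
    else
        echo enforcing
    fi
}

# Demo against constructed inputs (run as: sh this_script.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$tmp/plain"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 autorelabel ro\n' > "$tmp/word"
    printf 'BOOT_IMAGE=/vmlinuz noautorelabel ro\n' > "$tmp/substring"
    : > "$tmp/flag"
    printf 'no flag, plain cmdline:      %s\n' "$(selinux_boot_mode "$tmp/none" "$tmp/plain")"
    printf 'flag file present:           %s\n' "$(selinux_boot_mode "$tmp/flag" "$tmp/plain")"
    printf 'autorelabel on cmdline:      %s\n' "$(selinux_boot_mode "$tmp/none" "$tmp/word")"
    printf 'only noautorelabel present:  %s\n' "$(selinux_boot_mode "$tmp/none" "$tmp/substring")"
    rm -rf "$tmp"
fi
```

On a live system the real call would be `selinux_boot_mode /.autorelabel /proc/cmdline`; the point of the parameters is only that the decision can be tested in isolation, which is also why the demo builds its own command lines rather than reading the host's.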