Bug 1351358

Summary: RFE: Load in permissive mode if relabel is planned?
Product: Fedora
Component: libselinux
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Reporter: Adam Williamson <awilliam>
Assignee: Petr Lautrbach <plautrba>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, plautrba, rjones
Target Milestone: ---
Target Release: ---
Type: Bug
Last Closed: 2020-07-27 20:14:25 UTC

Description Adam Williamson 2016-06-29 20:47:12 UTC
I've been having lots of 'fun' between virt-builder and autorelabel lately (e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1351352 ). While debugging that, this idea occurred to me, though I don't know if it's practical or if it'd open up exploit holes.

The idea's simple. selinux_init_load_policy() currently checks /etc/selinux/config and the kernel cmdline (for 'enforcing') to decide whether to load in permissive or enforcing mode. Could it also check if a relabel is expected - via the presence of /.autorelabel or 'autorelabel' on the cmdline - and load in permissive mode if so? This kinda makes sense to me (if we know the system needs relabelling, then loading in enforcing mode is obviously going to have unpredictable consequences), but I can see drawbacks too...
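The decision the report describes (config file first, kernel command line as an override, and the proposed "relabel pending" check on top) is easy to model as a pure function. The Python below is an added illustration, not libselinux code and not the reporter's; the function names (`config_mode`, `cmdline_enforcing`, `decide_mode`) and the default of treating a missing `SELINUX=` line as enforcing are assumptions of this model. The `honour_relabel` switch lets you compare today's behaviour (enforcing even though `/.autorelabel` exists) with the behaviour the RFE asks for.

```python
"""Model of the SELinux boot-mode decision discussed in the report.

Added example, not libselinux code. Inputs are the text of
/etc/selinux/config, the kernel command line, and whether /.autorelabel
exists. The relabel check is the proposal from the report, not current
behaviour, so it is behind the honour_relabel flag.
"""
import os

# Constructed sample config (not captured from a real host).
SAMPLE_CONFIG = """# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""


def config_mode(config_text):
    """Return the SELINUX= value ('enforcing', 'permissive', 'disabled')
    from config text, or None if the line is absent."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "SELINUX":
            return value.strip().lower()
    return None


def cmdline_enforcing(cmdline):
    """Return True for enforcing=1, False for enforcing=0, None if unset.
    The last occurrence wins; other values are ignored."""
    result = None
    for tok in cmdline.split():
        key, sep, value = tok.partition("=")
        if sep and key == "enforcing" and value in ("0", "1"):
            result = value == "1"
    return result


def relabel_pending(cmdline, autorelabel_file_present):
    """The two signals the report names: /.autorelabel or 'autorelabel'
    as a bare word on the kernel command line."""
    return autorelabel_file_present or "autorelabel" in cmdline.split()


def decide_mode(config_text, cmdline, autorelabel_file_present,
                honour_relabel=True):
    """Return 'disabled', 'permissive' or 'enforcing'.

    Precedence in this model: selinux=0 on the cmdline disables SELinux;
    SELINUX=disabled in the config disables it; enforcing=0/1 on the cmdline
    overrides the config; and, when honour_relabel is set, a pending relabel
    forces permissive mode (the proposed change)."""
    if "selinux=0" in cmdline.split():
        return "disabled"
    mode = config_mode(config_text) or "enforcing"  # assumed default
    if mode == "disabled":
        return "disabled"
    override = cmdline_enforcing(cmdline)
    if override is not None:
        mode = "enforcing" if override else "permissive"
    if honour_relabel and relabel_pending(cmdline, autorelabel_file_present):
        mode = "permissive"
    return mode


def decide_for_this_host(honour_relabel=True):
    """Evaluate the model against the running system's real inputs.
    Missing files are treated as empty so the function never raises."""
    def read(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    return decide_mode(read("/etc/selinux/config"), read("/proc/cmdline"),
                       os.path.exists("/.autorelabel"), honour_relabel)


if __name__ == "__main__":
    cmd = "BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro"
    print("today, relabel pending:   ",
          decide_mode(SAMPLE_CONFIG, cmd, True, honour_relabel=False))
    print("proposed, relabel pending:",
          decide_mode(SAMPLE_CONFIG, cmd, True))
    print("this host (proposed rule):", decide_for_this_host())
```

With the sample config, a pending relabel and no command-line override, the model returns `enforcing` under today's rule and `permissive` under the proposed one, which is exactly the gap the report is pointing at; `enforcing=0` or `selinux=0` on the command line still take precedence as they do now.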

Comment 1 Richard W.M. Jones 2016-07-04 20:57:37 UTC
A fix for this is being discussed somewhere along this thread:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/CHCEGB2RUPHFCE4FVGIRO3CJYGNS75T7/

Comment 2 Fedora Admin XMLRPC Client 2016-12-05 13:55:03 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.