Bug 2387134
| Summary: | selinux relabel does not work anymore | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ronald Warsow <rwarsow> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 42 | CC: | barry, bojan, dwalsh, lvrabec, mmalik, noloader, omosnacek, pkoncity, robatino, rwarsow, samuel-rhbugs, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-42.5-1.fc42 | Doc Type: | --- |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2025-08-12 00:57:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Ronald Warsow
2025-08-07 18:27:44 UTC
Discussion on Fedora-Users at <https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/thread/F7YWRAR4OTCUMKEHXG75L6BO4MWOCXTT/>. I have an x86_64 desktop that relabels as expected.
And I have an aarch64 VM running Fedora 42 KDE that reproduces this issue.
On devel list it was suggested by Jason Montleon to check for this in dmesg:
[ 7.492519] audit: type=1400 audit(1754591921.507:4): avc: denied
{ getattr } for pid=682 comm="selinux-autorel" path="/.autorelabel"
dev="dm-0" ino=2370
I do not see that audit report.
I don't have that in dmesg either.

This may be a point of interest. Running as root:

# systemctl start selinux-autorelabel

Does indeed relabel the FS and reboots the machine. The /.autorelabel file is gone on reboot. So, it seems that the problem is that this service is never triggered in the presence of the /.autorelabel file.

I think the issue is with the generator not being run at all or failing when it does run.

I here see what Bojan found out. Box reboots, but I don't see that relabeling is running indicated by a counter saying:
10 % ... 20 % ...100 % done

Box reboots in one go to the login screen. /.autorelabel is removed but no usual: reboot, relabeling with counter, second reboot to login

another test:
1. sudo touch /.autorelabel;
2. manual reboot
3. sudo journalctl -b0|grep -i relabel
=>
Aug 08 17:14:58 obelix.fritz.box systemd[1]: Relabeled /dev/, /dev/shm/, /run/ in 6.818ms.
Aug 08 17:15:00 obelix.fritz.box systemd[1]: selinux-autorelabel-mark.service - Mark the need to relabel after reboot was skipped because of an unmet condition check (ConditionPathExists=!/.autorelabel).

/.autorelabel is still there

It really is a regression since reworking generators policy in v42.1, the generator does not make the relabel service start, thanks for reporting.

You can now try copr build from https://github.com/fedora-selinux/selinux-policy/pull/2826 Checks -> rawhide build

FEDORA-2025-dde3c4a0f1 (selinux-policy-42.5-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-dde3c4a0f1

FEDORA-2025-dde3c4a0f1 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-dde3c4a0f1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-dde3c4a0f1
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2025-dde3c4a0f1 (selinux-policy-42.5-1.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.