Bug 595823
| Summary: | autorelabel process leave system in permissive state | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Vadym Chepkov <vchepkov> | |
| Component: | initscripts | Assignee: | Bill Nottingham <notting> | |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | high | Docs Contact: | ||
| Priority: | low | |||
| Version: | 13 | CC: | bucketofsnow, dwalsh, iarlyy, jonathan, laurent.rineau__fedora, notting, plautrba, rvokal | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | initscripts-9.12.1-1.fc13 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 599879 (view as bug list) | Environment: | ||
| Last Closed: | 2010-07-01 18:46:00 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 599879 | |||
|
Description
Vadym Chepkov
2010-05-25 17:40:26 UTC
enforcing needs to be off to ensure that autorelabeling works. It will either reboot (which will go back to enforcing) or explicitly set it back to the prior state before continuing. See rc.sysinit for details. That what the reason for the bugzilla report It does not set it back to enforcing after it's done I can confirm this happens when "fixfiles onboot" is used as well. The same result happens on my x86_64 system and i686 system. (Using either fixfiles onboot or touch /.autorelabel) It is being caused by dracut. In selinux-loadpolicy.sh we have if [ $ret -eq 0 -o $ret -eq 2 ]; then # If machine requires a relabel, force to permissive mode [ -e "$NEWROOT"/.autorelabel ] && ( echo 0 > "$NEWROOT"/selinux/enforce ) return 0 fi Which causes the rc.sysinit to see it in permissive mode. Having dracut set the permissive flag on boot helps in that if /bin/init is mislabeled of /lib and /usr/lib, apps will blow up before the restorecon starts. But we need to tell init what the state of the box should be from dracut. Or have the init script figure it out. We need to check the kernel flag enforcing=0 and the enforcing flag in /etc/selinux/config and set it back to the proper state once the relabel finishes. Alternatively, we could have it *always* reboot. That's a hack, though. Well actually that might be the correct behaviour, since way of knowing whether the rest of the machine was started correctly. Of course you might end up in an infinite loop of reboots if the autorelabel=1 flag gets added to the /etc/grub.conf. http://git.fedorahosted.org/git?p=initscripts.git;a=commitdiff;h=f6b18247155df53e10d42472eb95d519565eb560 Will be in rawhide, and a future F-13 update. initscripts-9.12.1-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/initscripts-9.12.1-1.fc13 initscripts-9.12.1-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update initscripts'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/initscripts-9.12.1-1.fc13 initscripts-9.12.1-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. |