Bug 595823

Summary: autorelabel process leave system in permissive state
Product: [Fedora] Fedora Reporter: Vadym Chepkov <vchepkov>
Component: initscriptsAssignee: Bill Nottingham <notting>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: 13CC: bucketofsnow, dwalsh, iarlyy, jonathan, laurent.rineau__fedora, notting, plautrba, rvokal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: initscripts-9.12.1-1.fc13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 599879 (view as bug list) Environment:
Last Closed: 2010-07-01 18:46:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 599879    

Description Vadym Chepkov 2010-05-25 17:40:26 UTC
initscripts-9.12-1.fc13.x86_64

# touch /.autorelabel
# reboot

Observe on the console:

...
dracut: Loading SELinux policy
type=1404 audit(1274809124.580:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
type=1403 audit(1274809124.948:3): policy loaded auid=4294967295 ses=4294967295
type=1404 audit(1274809124.954:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
...

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
***********************************************


# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Comment 1 Bill Nottingham 2010-05-25 18:01:05 UTC
enforcing needs to be off to ensure that autorelabeling works.

It will either reboot (which will go back to enforcing) or explicitly set it back to the prior state before continuing. See rc.sysinit for details.

Comment 2 Vadym Chepkov 2010-05-25 18:10:06 UTC
That what the reason for the bugzilla report
It does not set it back to enforcing after it's done

Comment 3 JR 2010-05-26 23:39:14 UTC
I can confirm this happens when "fixfiles onboot" is used as well.  The same result happens on my x86_64 system and i686 system. (Using either fixfiles onboot or touch /.autorelabel)

Comment 4 Daniel Walsh 2010-05-27 15:46:20 UTC
It is being caused by dracut.

In selinux-loadpolicy.sh  we have


	if [ $ret -eq 0 -o $ret -eq 2 ]; then
	    # If machine requires a relabel, force to permissive mode
	    [ -e "$NEWROOT"/.autorelabel ] && ( echo 0 > "$NEWROOT"/selinux/enforce )
	    return 0
	fi

Which causes the rc.sysinit to see it in permissive mode.

Comment 5 Daniel Walsh 2010-05-27 15:51:38 UTC
Having dracut set the permissive flag on boot helps in that if /bin/init is mislabeled of /lib and /usr/lib, apps will blow up before the restorecon starts.

But we need to tell init what the state of the box should be from dracut.

Or have the init script figure it out.

We need to check the kernel flag enforcing=0 and the enforcing flag in /etc/selinux/config and set it back to the proper state once the relabel finishes.

Comment 6 Bill Nottingham 2010-05-27 15:58:24 UTC
Alternatively, we could have it *always* reboot. That's a hack, though.

Comment 7 Daniel Walsh 2010-05-27 17:27:49 UTC
Well actually that might be the correct behaviour, since way of knowing whether the rest of the machine was started correctly.   Of course you might end up in an infinite loop of reboots if the autorelabel=1 flag gets added to the /etc/grub.conf.

Comment 8 Bill Nottingham 2010-06-03 20:45:24 UTC
http://git.fedorahosted.org/git?p=initscripts.git;a=commitdiff;h=f6b18247155df53e10d42472eb95d519565eb560

Will be in rawhide, and a future F-13 update.

Comment 9 Fedora Update System 2010-06-24 19:32:24 UTC
initscripts-9.12.1-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/initscripts-9.12.1-1.fc13

Comment 10 Fedora Update System 2010-06-25 18:14:07 UTC
initscripts-9.12.1-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update initscripts'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/initscripts-9.12.1-1.fc13

Comment 11 Fedora Update System 2010-07-01 18:45:24 UTC
initscripts-9.12.1-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.