Bug 722654

Summary: Relabel selinux context to enable selinux again won't start during bootup
Product: [Fedora] Fedora
Reporter: hannes <johannes.lips>
Component: systemd
Assignee: Lennart Poettering <lpoetter>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: dwalsh, harald, johannbg, lpoetter, metherid, mgrepl, mschmidt, notting, plautrba
Hardware: x86_64   
OS: Linux   
Last Closed: 2011-07-18 13:19:29 UTC
Attachments: systemctl show fedora-autorelabel.service

Description hannes 2011-07-16 08:22:43 UTC
Description of problem:
No matter which way I tried to execute the relabelling nothing happened. I tried
#touch /.autorelabel
and adding autorelabel to the kernel command line.
Currently I am using the following selinux config:
cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted

 cat /boot/grub/grub.conf 
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,1)
#          kernel /vmlinuz-version ro root=/dev/sda5 rdblacklist=nouveau
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=0
splashimage=(hd0,1)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.38.8-35.fc15.x86_64)
	root (hd0,1)
	kernel /vmlinuz-2.6.38.8-35.fc15.x86_64 ro root=UUID=75484eba-ec19-4b86-ad64-9cb95d0e263c rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc vga=865 KEYTABLE=de-latin1-nodeadkeys noiswmd nouveau.modeset=0 rdblacklist=nouveau quiet
	initrd /initramfs-2.6.38.8-35.fc15.x86_64.img



Version-Release number of selected component (if applicable):
rpm -qa | grep systemd
systemd-gtk-26-8.fc15.x86_64
systemd-units-26-8.fc15.x86_64
systemd-sysv-26-8.fc15.x86_64
systemd-26-8.fc15.x86_64

rpm -qa | grep initscripts
initscripts-9.30-2.fc15.x86_64

rpm -qa | grep selinux
selinux-policy-targeted-3.9.16-32.fc15.noarch
libselinux-python-2.0.99-4.fc15.x86_64
libselinux-2.0.99-4.fc15.x86_64
libselinux-utils-2.0.99-4.fc15.x86_64
selinux-policy-3.9.16-32.fc15.noarch

Comment 1 hannes 2011-07-16 12:04:21 UTC
Probably related to that bug?
https://bugzilla.redhat.com/show_bug.cgi?id=684125

Comment 2 hannes 2011-07-17 08:40:05 UTC
I tried to install initscripts-legacy since it provides /etc/rc.sysinit but the result during boot was exactly the same as before.

I don't know if you need more information but I would be glad to provide any additional information.

Comment 3 Michal Schmidt 2011-07-18 12:06:22 UTC
(In reply to comment #2)
> I tried to install initscripts-legacy since it provides /etc/rc.sysinit but the
> result during boot was exactly the same as before.

The -legacy package should not be necessary. I suggest you remove it in order to avoid complicating the issue further.

Please do this:
 touch /.autorelabel && reboot
and then after the reboot, report the results of these commands:
 ls -l /.autorelabel
 getenforce
 systemctl show fedora-autorelabel.service

Comment 4 hannes 2011-07-18 12:21:01 UTC
Created attachment 513605 [details]
systemctl show fedora-autorelabel.service

Comment 5 hannes 2011-07-18 12:22:11 UTC
#ls -l /.autorelabel
-rw-rw-r--. 1 root root 0 Jul 18 14:13 /.autorelabel
#getenforce
Permissive

The -legacy package is already removed.

Comment 6 Michal Schmidt 2011-07-18 13:19:29 UTC
> LoadState=masked
...
> FragmentPath=/dev/null

Please unmask the service. You must have a symlink /etc/systemd/systemd/fedora-autorelabel.service pointing to /dev/null. Delete it.
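
The diagnosis from comment 6 as a repeatable check, added here as an example that is not part of the original bug report or of systemd/initscripts. It reports whether a relabel requested via /.autorelabel is blocked because fedora-autorelabel.service is masked (a symlink to /dev/null). The function names, the ROOT prefix argument and the two unit directories searched (/etc/systemd/system and /run/systemd/system) are assumptions of this example.

```shell
#!/bin/sh
# Added example: explain why a pending SELinux relabel did not run at boot.
# ROOT is a hypothetical prefix so the check also works on a mounted image
# or a constructed test tree; pass nothing to inspect the live system.

UNIT=fedora-autorelabel.service   # unit name taken from the bug report

# is_masked ROOT UNIT
# Succeeds and prints the offending path if UNIT is a symlink to /dev/null
# in one of the unit directories searched (assumed locations, see lead-in).
is_masked() {
    for dir in "$1/etc/systemd/system" "$1/run/systemd/system"; do
        link="$dir/$2"
        if [ -L "$link" ] && [ "$(readlink "$link")" = "/dev/null" ]; then
            printf '%s\n' "$link"
            return 0
        fi
    done
    return 1
}

# relabel_status ROOT
# Prints one of:
#   no-relabel-requested   /.autorelabel flag file is absent
#   blocked-masked:PATH    flag file present, but the unit is masked at PATH
#   relabel-pending        flag file present and the unit is not masked
relabel_status() {
    root=$1
    if [ ! -e "$root/.autorelabel" ]; then
        echo "no-relabel-requested"
    elif masked=$(is_masked "$root" "$UNIT"); then
        echo "blocked-masked:$masked"
    else
        echo "relabel-pending"
    fi
}

# Read-only check of the given root (default: the running system).
relabel_status "${1:-}"
```

A "blocked-masked" result corresponds to the LoadState=masked / FragmentPath=/dev/null output quoted in comment 6; deleting the reported symlink unmasks the service.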