I've been having lots of 'fun' between virt-builder and autorelabel lately (e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1351352). While debugging that, this idea occurred to me, though I don't know if it's practical or if it'd open up exploit holes.

The idea's simple. selinux_init_load_policy() currently checks /etc/selinux/config and the kernel cmdline (for 'enforcing') to decide whether to load in permissive or enforcing mode. Could it also check if a relabel is expected - via the presence of /.autorelabel or 'autorelabel' on the cmdline - and load in permissive mode if so?

This kinda makes sense to me (if we know the system needs relabelling, then loading in enforcing mode is obviously going to have unpredictable consequences), but I can see drawbacks too...
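The decision proposed in the report above, written out as an added sketch (not part of the original report and not libselinux code) so that the two new inputs to the enforcement decision are explicit. The function names are hypothetical; it assumes that `enforcing=` on the command line overrides the config file, that `autorelabel` must match as a whole token, and that the caller has already checked whether /.autorelabel exists.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Find a whitespace-delimited token on the kernel command line that starts
 * with `key`. If `exact`, the token must equal `key`; otherwise a pointer to
 * the text after `key` (e.g. the value after "enforcing=") is returned.
 * The last matching token wins. Returns NULL if there is no match. */
static const char *find_token(const char *cmdline, const char *key, bool exact)
{
    const char *hit = NULL;
    size_t klen = strlen(key);
    const char *p = cmdline;

    while (*p) {
        p += strspn(p, " \t\n");              /* skip separators */
        size_t tlen = strcspn(p, " \t\n");    /* length of this token */
        if (tlen >= klen && strncmp(p, key, klen) == 0 &&
            (!exact || tlen == klen))
            hit = p + klen;
        p += tlen;
    }
    return hit;
}

/* Sketch of the proposed decision. Returns 1 for enforcing, 0 for permissive.
 * config_enforcing: mode taken from /etc/selinux/config (1 or 0).
 * relabel_file:     true if /.autorelabel exists (checked by the caller). */
int proposed_initial_mode(int config_enforcing, const char *cmdline,
                          bool relabel_file)
{
    int mode = config_enforcing;
    const char *val = find_token(cmdline, "enforcing=", false);

    if (val)                        /* assumed: cmdline overrides config */
        mode = atoi(val) != 0;

    /* The proposal: a pending relabel forces permissive for this boot,
     * even when enforcing=1 was requested explicitly. */
    if (relabel_file || find_token(cmdline, "autorelabel", true))
        mode = 0;

    return mode;
}
```

Whole-token matching keeps unrelated parameters that merely contain the string `autorelabel` from changing the mode.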
A fix for this is being discussed somewhere along this thread: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/CHCEGB2RUPHFCE4FVGIRO3CJYGNS75T7/
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.