Bug 166079 - SELinux relabelling broke system
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: initscripts
4
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2005-08-16 14:20 EDT by Alan Cox
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 8.16-1
Doc Type: Bug Fix
Last Closed: 2005-10-03 17:31:25 EDT
Description Alan Cox 2005-08-16 14:20:01 EDT
Description of problem:

FC4 box, booted a non-SELinux kernel on it for testing stuff. I then booted back
into FC4. It rudely and without asking announced it was going to waste half an
hour of my time relabelling the disk unnecessarily. To add insult to injury the
system then reported "Permission denied" whenever I tried to log in.

If I boot with selinux=0 it is happy so the permission errors are coming from
SELinux having broken the system.
Comment 1 Daniel Walsh 2005-08-17 09:16:03 EDT
What AVC messages did you see when you tried to log in? If you boot with
enforcing=0 you can still log in and the AVC message will still be recorded.
The reason it tried to relabel was that it has no idea what files were created
during the period when you were running without SELinux enabled. So it needs to
clean up. I know of no other way of doing this. Of course if the system is
still hosed after you relabel, that is a major bug.

Dan
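
An added example (not part of the original bug thread, and not initscripts code): a small parser for the AVC denial records Comment 1 asks about, grouping denials by source type, target type and object class and flagging targets whose type suggests a missing label. The sample records, the `file_t`/`unlabeled_t` set and all function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Fields shared by kernel AVC denial records, old and new audit formats.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Assumption: types shown for objects with no valid label, such as files
# created while the system ran without SELinux.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def parse_avc(line):
    """Parse one log line; return a dict, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    rec["unlabeled_target"] = rec["ttype"] in UNLABELED_TYPES
    return rec

def summarize(lines):
    """Count denials per (source type, target type, object class)."""
    recs = [r for r in map(parse_avc, lines) if r]
    return Counter((r["stype"], r["ttype"], r["tclass"]) for r in recs)

def unlabeled_denials(lines):
    """Denials whose target looks unlabeled: candidates for a relabel."""
    return [r for r in map(parse_avc, lines) if r and r["unlabeled_target"]]

# Constructed sample records, not taken from the bug report.
SAMPLE = [
    'audit(1124283363.101:0): avc:  denied  { read write } for  pid=2101 comm="login" name="tty1" dev=tmpfs ino=1501 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:device_t tclass=chr_file',
    'audit(1124283364.202:0): avc:  denied  { read } for  pid=2101 comm="login" name="notes.txt" dev=hda2 ino=88123 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:file_t tclass=file',
    'audit(1124283371.303:0): avc:  denied  { read write } for  pid=2140 comm="login" name="tty1" dev=tmpfs ino=1501 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:device_t tclass=chr_file',
    'kernel: EXT3-fs: mounted filesystem with ordered data mode.',
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).most_common():
        print(count, *key)
```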
Comment 2 Alan Cox 2005-08-17 10:29:07 EDT
It also has no idea if the policy relabelling will produce the correct result
for moved files, so to do it without asking is rude.

Ok the only thing I saw with selinux on was "permission denied". I'll go try and
repeat the mess now.

OK, went through the cause a relabel cycle again and this time it's decided to be
annoying by working perfectly. No idea what has changed.
Comment 3 Bill Nottingham 2005-10-03 17:31:25 EDT
This was fixed post-FC4 to reboot after relabeling; otherwise, you could end up
in the state where it relabeled, but since init, udev, etc. was done
pre-relabel, the contexts on your devices for login wouldn't be correct. (As I
understand it.)
