Red Hat Bugzilla – Bug 166079
SELinux relabelling broke system
Last modified: 2007-11-30 17:11:11 EST
Description of problem:
FC4 box, booted a non SELinux kernel on it for testing stuff. I then booted back
into FC4. It rudely and without asking announced it was going to waste half an
hour of my time relabelling the disk unneccessarily. To add insult to injury the
system then reported "Permission denied" whenever I tried to log in.
If I boot with selinux=0 it is happy so the permission errors are coming from
SELinux having broken the system.
What avc messages did you see when you tried to login? If you boot with
enforcing=0 you can still log in and the AVC message will still be recorded.
The reason it tried to relabel was that it has no idea what files were created
during the period when you were running without SELinux enabled. So it needs to
clean up. I know of know other way of doing this. Of course if the system is
still hosed after you relabel, that is a major bug.
It also has no idea if the policy relabelling will produce the correct result
for moved files, so to do it without asking is rude.
Ok the only thing I saw with selinux on was "permission denied". I'll go try and
repeat the mess now.
Ok went through the cause a relabel cycle again and this time its decided to be
annoying by working perfectly. No idea what has changed.
This was fixed post-FC4 to reboot after relabeling; otherwise, you could end up
in the state where it relabeled, but since init, udev, etc. was done
pre-relabel, the contexts on your devices for login wouldn't be correct. (As I