Bug 2174902 - /.autorelabel leads to selinux-autorelabel.service failure status
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: policycoreutils
Version: 8.7
Target Milestone: rc
Assignee: Vit Mojzis
QA Contact: BaseOS QE Security Team
Reported: 2023-03-02 15:21 UTC by Orion Poplawski
Modified: 2023-03-03 07:58 UTC (History)
Last Closed: 2023-03-03 07:58:33 UTC
Type: Bug
Links: Red Hat Issue Tracker RHELPLAN-150487 (last updated 2023-03-02 15:22:47 UTC)

Description Orion Poplawski 2023-03-02 15:21:15 UTC
Description of problem:

Did touch /.autorelabel and rebooted.  selinux-autorelabel.service reports a status of failed.

Version-Release number of selected component (if applicable):
policycoreutils-2.9-20.el8.x86_64

How reproducible:
Very

Actual results:
Mar 02 07:00:10 host systemd[1]: Starting Relabel all filesystems...
Mar 02 07:00:10 host selinux-autorelabel[735]: *** Warning -- SELinux targeted policy relabel is required.
Mar 02 07:00:10 host selinux-autorelabel[735]: *** Relabeling could take a very long time, depending on file
Mar 02 07:00:10 host selinux-autorelabel[735]: *** system size and speed of hard drives.
Mar 02 07:00:45 host selinux-autorelabel[1391]: libsemanage.add_user: user cameron-admin not in password file
Mar 02 07:00:45 host selinux-autorelabel[1391]: libsemanage.add_user: user crowe.brian not in password file
Mar 02 07:00:45 host selinux-autorelabel[1391]: libsemanage.add_user: user orion-admin not in password file
Mar 02 07:00:46 host selinux-autorelabel[743]: Warning: Skipping the following R/O filesystems:
Mar 02 07:00:46 host selinux-autorelabel[743]: /sys/fs/cgroup
Mar 02 07:00:46 host selinux-autorelabel[743]: Relabeling / /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /run /sys /sys/fs/cgroup/blkio /sys/fs/cgroup/cpu,cpuacct /sys/fs/cgroup/cpuset /sys/fs/cgroup/devices /sys/fs/cgroup/freezer /sys/fs/cgroup/hugetlb /sys/fs/cgroup/memory /sys/fs/cgroup/net_cls,net_prio /sys/fs/cgroup/perf_event /sys/fs/cgroup/pids /sys/fs/cgroup/rdma /sys/fs/cgroup/systemd /sys/fs/pstore /sys/kernel/debug /sys/kernel/tracing /tmp
Mar 02 07:03:27 host selinux-autorelabel[1398]: Warning no default label for /dev/mqueue
Mar 02 07:03:27 host selinux-autorelabel[743]: Cleaning up labels on /tmp
Mar 02 07:03:27 host selinux-autorelabel[1430]: Failed to connect to bus: No such file or directory
Mar 02 07:03:27 host systemd[1]: selinux-autorelabel.service: Main process exited, code=killed, status=15/TERM
Mar 02 07:03:27 host systemd[1]: selinux-autorelabel.service: Failed with result 'signal'.
Mar 02 07:03:27 host systemd[1]: Stopped Relabel all filesystems.

Expected results:
No failure status

Comment 1 Petr Lautrbach 2023-03-02 15:35:51 UTC
Please note that autorelabel is supposed to be run in permissive mode. There's no guarantee it would work in enforcing mode - when a system's labels are misconfigured it could be blocked by SELinux, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux :

    Before rebooting the system for relabeling, make sure the system will boot in permissive mode, for example by using the enforcing=0 kernel option. This prevents the system from failing to boot in case the system contains unlabeled files required by systemd before launching the selinux-autorelabel service. For more information, see RHBZ#2021835.

Comment 2 Orion Poplawski 2023-03-02 18:48:09 UTC
With booting into permissive mode I don't see the error.  Thank you.  Sorry for the noise.
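
The permissive-mode precondition from comment 1 can be checked before creating /.autorelabel. The script below is an added example, not part of the bug report or of policycoreutils; `predicted_mode` and `relabel_preflight` are hypothetical helper names, and the rule that the `selinux=0` and `enforcing=` kernel arguments take precedence over the `SELINUX=` line in /etc/selinux/config is stated here as the assumption the check is built on.

```shell
#!/bin/sh
# Added example (not from the bug report): predict the SELinux mode of the
# next boot before creating /.autorelabel.

# predicted_mode CMDLINE CONFIG_FILE
# Prints enforcing, permissive, disabled or unknown. Runs in a subshell so
# "set -f" (no globbing while splitting the cmdline) does not leak out.
predicted_mode() (
    set -f
    mode=unknown
    # SELINUX= line of the config file; SELINUXTYPE= does not match.
    if [ -r "$2" ]; then
        val=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$2" |
              tail -n 1 | tr 'A-Z' 'a-z')
        case $val in
            enforcing|permissive|disabled) mode=$val ;;
        esac
    fi
    # Kernel arguments override the file: selinux=0 disables SELinux,
    # enforcing=0/1 picks the initial mode unless SELinux is disabled.
    for arg in $1; do
        case $arg in
            selinux=0)   mode=disabled ;;
            enforcing=0) [ "$mode" = disabled ] || mode=permissive ;;
            enforcing=1) [ "$mode" = disabled ] || mode=enforcing ;;
        esac
    done
    printf '%s\n' "$mode"
)

# relabel_preflight CMDLINE CONFIG_FILE
# Returns 0 only when the predicted mode is permissive.
relabel_preflight() {
    mode=$(predicted_mode "$1" "$2")
    if [ "$mode" = permissive ]; then
        echo "ok: next boot is permissive"
        return 0
    fi
    echo "refusing to schedule relabel: next boot would be $mode" >&2
    return 1
}

# Real-system call, assuming the next boot reuses the current kernel arguments:
#   relabel_preflight "$(cat /proc/cmdline)" /etc/selinux/config && touch /.autorelabel
```

If the boot loader entry for the next boot differs from the running kernel's arguments, pass that entry's argument string as the first parameter instead of /proc/cmdline.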