bootparameter "autorelabel=1" or sudo touch /.autorelabel; does nothing ! Reproducible: Always Steps to Reproduce: 1.sudo touch /.autorelabel and reboot or 2. boot with bootparameter autorelabel=1 and reboot Actual Results: boot runs through no relabeling triggert Expected Results: relabel filesystem Additional Information: on F42: selinux-policy-42.4-1.fc42.noarch and on F43: selinux-policy-42.3-1.fc43.noarch and selinux-policy-42.4-1.fc43.noarch first noticed 1-2 releases before 42.3-1.fc43
Discussion on Fedora-Users at <https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/thread/F7YWRAR4OTCUMKEHXG75L6BO4MWOCXTT/>.
I have an x86_64 desktop that relabels as expected. And I have an aarch64 VM running Fedora 42 KDE that reproduces this issue. On devel list it was suggested by Jason Montleon to check for this in dmesg: [ 7.492519] audit: type=1400 audit(1754591921.507:4): avc: denied { getattr } for pid=682 comm="selinux-autorel" path="/.autorelabel" dev="dm-0" ino=2370 I do not see that audit report.
I don't have that in dmesg either.
This may be a point of interest. Running as root: # systemctl start selinux-autorelabel Does indeed relabel the FS and reboots the machine. The /.autorelabel file is gone on reboot. So, it seems that the problem is that this service is never triggered in the presence of the /.autorelabel file.
I think the issue is with the generater not being run at all or failing when it does run.
I here see what Bojan found out. Box reboots, but I don't see that relabeling is running indicated by an counter saying: 10 % ... 20 % ...100 % done Box reboots in one go to the login screen. /.autorelabel is removed but no usual : reboot, relabeling with counter, second reboot to login
another test: 1. sudo touch /.autorelabel; 2. manual reboot 3. sudo journalctl -b0|grep -i relabel => Aug 08 17:14:58 obelix.fritz.box systemd[1]: Relabeled /dev/, /dev/shm/, /run/ in 6.818ms. Aug 08 17:15:00 obelix.fritz.box systemd[1]: selinux-autorelabel-mark.service - Mark the need to relabel after reboot was skipped because of an unmet condition check (ConditionPathExists=!/.autorelabel). /.autorelabel is still there
It really is a regression since reworking generators policy in v42.1, the generator does not make the relabel service start, thanks for reporting. You can now try copr build from https://github.com/fedora-selinux/selinux-policy/pull/2826 Checks -> rawhide build
FEDORA-2025-dde3c4a0f1 (selinux-policy-42.5-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-dde3c4a0f1
FEDORA-2025-dde3c4a0f1 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-dde3c4a0f1` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-dde3c4a0f1 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-dde3c4a0f1 (selinux-policy-42.5-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.