initscripts-9.12-1.fc13.x86_64 # touch /.autorelabel # reboot Observe on the console: ... dracut: Loading SELinux policy type=1404 audit(1274809124.580:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 type=1403 audit(1274809124.948:3): policy loaded auid=4294967295 ses=4294967295 type=1404 audit(1274809124.954:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 ... *** Warning -- SELinux targeted policy relabel is required. *** Relabeling could take a very long time, depending on file *** system size and speed of hard drives. *********************************************** # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: enforcing Policy version: 24 Policy from config file: targeted
enforcing needs to be off to ensure that autorelabeling works. It will either reboot (which will go back to enforcing) or explicitly set it back to the prior state before continuing. See rc.sysinit for details.
That what the reason for the bugzilla report It does not set it back to enforcing after it's done
I can confirm this happens when "fixfiles onboot" is used as well. The same result happens on my x86_64 system and i686 system. (Using either fixfiles onboot or touch /.autorelabel)
It is being caused by dracut. In selinux-loadpolicy.sh we have if [ $ret -eq 0 -o $ret -eq 2 ]; then # If machine requires a relabel, force to permissive mode [ -e "$NEWROOT"/.autorelabel ] && ( echo 0 > "$NEWROOT"/selinux/enforce ) return 0 fi Which causes the rc.sysinit to see it in permissive mode.
Having dracut set the permissive flag on boot helps in that if /bin/init is mislabeled of /lib and /usr/lib, apps will blow up before the restorecon starts. But we need to tell init what the state of the box should be from dracut. Or have the init script figure it out. We need to check the kernel flag enforcing=0 and the enforcing flag in /etc/selinux/config and set it back to the proper state once the relabel finishes.
Alternatively, we could have it *always* reboot. That's a hack, though.
Well actually that might be the correct behaviour, since way of knowing whether the rest of the machine was started correctly. Of course you might end up in an infinite loop of reboots if the autorelabel=1 flag gets added to the /etc/grub.conf.
http://git.fedorahosted.org/git?p=initscripts.git;a=commitdiff;h=f6b18247155df53e10d42472eb95d519565eb560 Will be in rawhide, and a future F-13 update.
initscripts-9.12.1-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/initscripts-9.12.1-1.fc13
initscripts-9.12.1-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update initscripts'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/initscripts-9.12.1-1.fc13
initscripts-9.12.1-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.