Bug 595823 - autorelabel process leave system in permissive state
Summary: autorelabel process leave system in permissive state
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: initscripts
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 599879
Reported: 2010-05-25 17:40 UTC by Vadym Chepkov
Modified: 2014-03-17 03:23 UTC (History)
Fixed In Version: initscripts-9.12.1-1.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 599879
Environment:
Last Closed: 2010-07-01 18:46:00 UTC
Type: ---
Embargoed:

Description Vadym Chepkov 2010-05-25 17:40:26 UTC
initscripts-9.12-1.fc13.x86_64

# touch /.autorelabel
# reboot

Observe on the console:

...
dracut: Loading SELinux policy
type=1404 audit(1274809124.580:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
type=1403 audit(1274809124.948:3): policy loaded auid=4294967295 ses=4294967295
type=1404 audit(1274809124.954:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
...

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
***********************************************


# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Comment 1 Bill Nottingham 2010-05-25 18:01:05 UTC
enforcing needs to be off to ensure that autorelabeling works.

It will either reboot (which will go back to enforcing) or explicitly set it back to the prior state before continuing. See rc.sysinit for details.

Comment 2 Vadym Chepkov 2010-05-25 18:10:06 UTC
That was the reason for the bugzilla report.
It does not set it back to enforcing after it's done.

Comment 3 JR 2010-05-26 23:39:14 UTC
I can confirm this happens when "fixfiles onboot" is used as well.  The same result happens on my x86_64 system and i686 system. (Using either fixfiles onboot or touch /.autorelabel)

Comment 4 Daniel Walsh 2010-05-27 15:46:20 UTC
It is being caused by dracut.

In selinux-loadpolicy.sh  we have


	if [ $ret -eq 0 -o $ret -eq 2 ]; then
	    # If machine requires a relabel, force to permissive mode
	    [ -e "$NEWROOT"/.autorelabel ] && ( echo 0 > "$NEWROOT"/selinux/enforce )
	    return 0
	fi

Which causes the rc.sysinit to see it in permissive mode.

Comment 5 Daniel Walsh 2010-05-27 15:51:38 UTC
Having dracut set the permissive flag on boot helps in that if /bin/init is mislabeled, or /lib and /usr/lib, apps will blow up before the restorecon starts.

But we need to tell init what the state of the box should be from dracut.

Or have the init script figure it out.

We need to check the kernel flag enforcing=0 and the enforcing flag in /etc/selinux/config and set it back to the proper state once the relabel finishes.
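As an added illustration of the check described in this comment (example shell written for this page, not code from initscripts, dracut or the linked commit): the mode to restore after the relabel is derived from the kernel command line and the SELINUX= line of /etc/selinux/config. The file paths and the selinuxfs enforce node are passed in as parameters so the logic can be exercised against constructed files; the real locations (/proc/cmdline, /etc/selinux/config, /selinux/enforce on this Fedora release) are assumptions taken from the report.

```shell
#!/bin/sh
# Example only (not initscripts/dracut code): decide which SELinux mode to
# restore once an autorelabel has finished, then write it to the enforce node.

# Print the SELINUX= value (enforcing|permissive|disabled) from a config file.
# Defaults to "enforcing" when the key is missing, the safer of the two choices.
selinux_config_mode() {
    _cfg="$1"
    _mode=$(sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$_cfg" 2>/dev/null | tail -n 1)
    if [ -n "$_mode" ]; then echo "$_mode"; else echo "enforcing"; fi
}

# Return 0 when the kernel command line explicitly asks for permissive mode
# (enforcing=0) or disables SELinux altogether (selinux=0).
cmdline_forces_permissive() {
    _cmdline="$1"
    for _arg in $(cat "$_cmdline"); do
        case "$_arg" in
            enforcing=0|selinux=0) return 0 ;;
        esac
    done
    return 1
}

# Value for /selinux/enforce after the relabel: 1 only if the config asks for
# enforcing AND the kernel command line does not override it; otherwise 0.
post_relabel_enforce_value() {
    _cfg="$1"; _cmdline="$2"
    if cmdline_forces_permissive "$_cmdline"; then
        echo 0
        return 0
    fi
    case "$(selinux_config_mode "$_cfg")" in
        enforcing) echo 1 ;;
        *)         echo 0 ;;
    esac
}

# Apply the decision. On a live system $3 would be /selinux/enforce and this
# needs root; here it is any writable path.
restore_enforcing() {
    _val=$(post_relabel_enforce_value "$1" "$2")
    echo "$_val" > "$3"
}

# Stand-alone demo on constructed inputs (no real system files are touched).
demo_dir=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_dir/config"
printf 'ro root=/dev/sda1 quiet\n' > "$demo_dir/cmdline"
printf 'ro root=/dev/sda1 enforcing=0\n' > "$demo_dir/cmdline_permissive"
echo "config=enforcing, plain cmdline  -> enforce=$(post_relabel_enforce_value "$demo_dir/config" "$demo_dir/cmdline")"
echo "config=enforcing, enforcing=0    -> enforce=$(post_relabel_enforce_value "$demo_dir/config" "$demo_dir/cmdline_permissive")"
restore_enforcing "$demo_dir/config" "$demo_dir/cmdline" "$demo_dir/enforce"
echo "written to constructed enforce node: $(cat "$demo_dir/enforce")"
rm -rf "$demo_dir"
```

The default of "enforcing" when SELINUX= is absent is a deliberate choice: a relabel that finishes in permissive mode is exactly the failure this bug reports, so an unreadable config should err towards re-enabling enforcement rather than leaving the box open.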

Comment 6 Bill Nottingham 2010-05-27 15:58:24 UTC
Alternatively, we could have it *always* reboot. That's a hack, though.

Comment 7 Daniel Walsh 2010-05-27 17:27:49 UTC
Well actually that might be the correct behaviour, since there is no way of knowing whether the rest of the machine was started correctly. Of course you might end up in an infinite loop of reboots if the autorelabel=1 flag gets added to the /etc/grub.conf.

Comment 8 Bill Nottingham 2010-06-03 20:45:24 UTC
http://git.fedorahosted.org/git?p=initscripts.git;a=commitdiff;h=f6b18247155df53e10d42472eb95d519565eb560

Will be in rawhide, and a future F-13 update.

Comment 9 Fedora Update System 2010-06-24 19:32:24 UTC
initscripts-9.12.1-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/initscripts-9.12.1-1.fc13

Comment 10 Fedora Update System 2010-06-25 18:14:07 UTC
initscripts-9.12.1-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update initscripts'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/initscripts-9.12.1-1.fc13

Comment 11 Fedora Update System 2010-07-01 18:45:24 UTC
initscripts-9.12.1-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.