SELinux filesystem relabel at boot problem

Stephen Smalley sds at tycho.nsa.gov
Mon Mar 19 13:17:59 UTC 2007


On Thu, 2007-03-15 at 16:58 +0000, Jonathan Underwood wrote:
> On 15/03/07, Peter Smith <peter.smith at utsouthwestern.edu> wrote:
> > Did you go through the correct procedure to kick off the relabel?
> > Creating the specially named file at the top of the root filesystem?  If
> > it is relabelling, it will state that it is doing so at boot.  It will
> > be quite obvious.  You can look at the startup scripts in /etc/rc.d/ to
> > see what makes it happen (rc.local, rc.sysinit, rc).
> 
> Yes, I did all the correct things to trigger the relabel - i.e. in
> system-config-securitylevel turned SELinux back to targeted, checked
> that /.autorelabel file was there. The spew of error messages, avc
> permission denied type things happen during the relabel. Prior to that
> happening, I did notice something about not being able to mount /tmp,
> but it flew off the screen too fast.
> 
> Anyway, to fix the problem I did this:
> 1) fixfiles -f relabel
> 2) touch /.autorelabel
> 3) reboot
> 
> And all was well again. I realize that there's redundancy there, but
> 1) allowed 2) to happen cleanly. What the problem was remains a
> mystery though.

It may have encountered a denial before it reached or completed
filesystem relabeling.  Next time, boot with "enforcing=0" on that
initial relabel to make sure that it can successfully reach and complete
the filesystem relabeling, then switch to enforcing mode.

-- 
Stephen Smalley
National Security Agency



