Selinux - touch /.autorelabel before shutting down

Russell Coker russell at coker.com.au
Fri Sep 9 04:45:30 UTC 2005 

On Thursday 08 September 2005 23:52, Jim Cornette 
<fct-cornette at insight.rr.com> wrote:
> After updating from today's rawhide, my computer stopped at "detecting
> hardware. Hitting ctl-c would pass that, but the system was stuck in
> readonly. To get the system to boot, I had to add selinux=0 as a boot
> option.

It would be handy to know which file or files were mis-labeled.  It's possible 
that your system use has revealed a bug, but if so probably your use of 
selinux=0 has destroyed the evidence.

> I had kids playing games and they "shut off the computer" But, I assume
> they hit the power button, which shuts down the system as poweroff would
> do.

Which is supposed to work (IMHO).  I believe that you should be able to press 
reset or experience a power failure at any time without any catastrophic loss 
of data or any security compromise.  Anything which causes a significant data 
loss or security compromise related to a power failure should be considered a 
serious bug.

Touching /.autorelabel before shutdown would be a really bad idea.  A relabel 
of all file systems will take at least 5 minutes on all combinations of 
hardware and install options that I've seen (it's possible that a combination 
of a minimal install and great hardware will take less time).  On some 
combinations of hardware and installation options a relabel will take 30 
minutes or more.  It's possible that some non-optimal configurations will 
take many hours for a relabel (if you have a huge number of files such as a 
file system for Maildir storage then you should use the context= mount option 
to avoid this problem).

Also in FC4 and above you can use the kernel boot parameter "autorelabel" to 
cause a relabel, so if your machine is messed up and you need to relabel 
there is no need to create a file on the file system or boot in permissive 
mode.  You can just use the GRUB options to edit the boot command line.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

More information about the fedora-test-list mailing list