On Thu, 30.06.16 10:45, Simo Sorce (s...@redhat.com) wrote: > > > Insert your idea here … > > > > Do it the same way `dnf system-upgrade` works. The requirements (having > > local filesystem read- and writable) are quite similar. Or the way > > PackageKit's system upgrade works… > > probably the same as (b) though… > > This s something I agree with, the system should have an autorelabel > target that is one-shot just like the system upgrades, and it should > bring up really the minimal system required to boot and mount the > filesystem to be relabeled and nothing else, it should work in > permissive mode and possibly with auditing enabled.
Yeah, I agree. My suggestion would be for SELinux to provide a systemd "Generator" tool (see systemd.generator(7) for details) that checks for the auorelabel flag file or kernel comand line option and then diverts the boot into a special relabel target that pulls in local-fs.target and very little else, then does its relabelling and reboots again. During all of this selinux should be in permissive mode, after all the labels are generally borked if you boot into this mode, and hence not suitable for making security decisions. Pretty much all of that should live in some selinux package I figure. Lennart -- Lennart Poettering, Red Hat -- devel mailing list devel@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
