On Thu, 30.06.16 21:23, Petr Lautrbach (plaut...@redhat.com) wrote:

> I like the idea that the relabeling will be isolated in a special
> target. And we've recently moved fedora-selinux.service to
> policycoreutils so it could live there.
> 
> However, it probably won't fix the following problems:
> 
> (2) when a generator file was mislabeled it could not be run by systemd
> as systemd can't read fedora-relabel unit file now

All that's necessary is that somehow SELinux is automatically booted
into permissive mode if the autorelabel cmdline option/flag file
exists, and this could be implemented either in libselinux or even in
said generator as long as the generator is also packaged up into the
initrd, and thus can run from there, i.e. *before* the selinux policy
is loaded and put into effect.

Lennart

-- 
Lennart Poettering, Red Hat