Re: Fixing /.autorelabel

On Tue, Jul 12, 2016 at 11:47:56AM +0200, Lennart Poettering wrote: > On Sat, 09.07.16 21:18, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote: > > > On Sat, Jul 09, 2016 at 05:52:52PM +0100, Richard W.M. Jones wrote: > > > On Fri, Jul 08, 2016 at 11:50:19AM -0400, Przemek Klosowski wrote: >

Re: Fixing /.autorelabel

On Sat, 09.07.16 21:18, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote: > On Sat, Jul 09, 2016 at 05:52:52PM +0100, Richard W.M. Jones wrote: > > On Fri, Jul 08, 2016 at 11:50:19AM -0400, Przemek Klosowski wrote: > > > On 07/07/2016 04:59 PM, Richard W.M. Jones wrote: > > > >On Wed, Jul

Re: Fixing /.autorelabel

On Sat, 09.07.16 17:52, Richard W.M. Jones (rjo...@redhat.com) wrote: > On Fri, Jul 08, 2016 at 11:50:19AM -0400, Przemek Klosowski wrote: > > On 07/07/2016 04:59 PM, Richard W.M. Jones wrote: > > >On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek > > >wrote: > > > > > >>That

Re: Fixing /.autorelabel

On Sat, 09.07.16 05:31, Peter Robinson (pbrobin...@gmail.com) wrote: > >> >>That patch is the answer to the (repeated) bug reports that relabelling > >> >>fails if enforcing=1 and the labels are sufficiently messed up. > >> >>Doing the relabel in permissive mode, without ever going to enforcing >

Re: Fixing /.autorelabel

On Sat, Jul 09, 2016 at 05:52:52PM +0100, Richard W.M. Jones wrote: > On Fri, Jul 08, 2016 at 11:50:19AM -0400, Przemek Klosowski wrote: > > On 07/07/2016 04:59 PM, Richard W.M. Jones wrote: > > >On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek > > >wrote: > > > > > >>That

Re: Fixing /.autorelabel

On Sat, Jul 09, 2016 at 05:31:02AM +0100, Peter Robinson wrote: > >> >>That patch is the answer to the (repeated) bug reports that relabelling > >> >>fails if enforcing=1 and the labels are sufficiently messed up. > >> >>Doing the relabel in permissive mode, without ever going to enforcing > >>

Re: Fixing /.autorelabel

On Fri, Jul 08, 2016 at 11:50:19AM -0400, Przemek Klosowski wrote: > On 07/07/2016 04:59 PM, Richard W.M. Jones wrote: > >On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek wrote: > > > >>That patch is the answer to the (repeated) bug reports that relabelling > >>fails if

Re: Fixing /.autorelabel

>> >>That patch is the answer to the (repeated) bug reports that relabelling >> >>fails if enforcing=1 and the labels are sufficiently messed up. >> >>Doing the relabel in permissive mode, without ever going to enforcing >> >>mode, seems like the most reliable way out in this case. Starting in >>

Re: Fixing /.autorelabel

On Fri, 08.07.16 11:50, Przemek Klosowski (przemek.klosow...@nist.gov) wrote: > On 07/07/2016 04:59 PM, Richard W.M. Jones wrote: > >On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek wrote: > > > >>That patch is the answer to the (repeated) bug reports that relabelling >

Re: Fixing /.autorelabel

On 07/07/2016 04:59 PM, Richard W.M. Jones wrote: On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek wrote: That patch is the answer to the (repeated) bug reports that relabelling fails if enforcing=1 and the labels are sufficiently messed up. Doing the relabel in permissive

Re: Fixing /.autorelabel

On Wed, Jul 06, 2016 at 02:52:34PM +, Zbigniew Jędrzejewski-Szmek wrote: > On Wed, Jul 06, 2016 at 02:11:31PM +0200, Petr Lautrbach wrote: > > On 07/04/2016 05:34 PM, Richard W.M. Jones wrote: > > > I don't exactly know where to post this, but I guess I have everyone's > > > attention on this

Re: Fixing /.autorelabel

On Wed, Jul 06, 2016 at 02:11:31PM +0200, Petr Lautrbach wrote: > On 07/04/2016 05:34 PM, Richard W.M. Jones wrote: > > I don't exactly know where to post this, but I guess I have everyone's > > attention on this thread. > > > > Attached are patches which work for me. They could really do with >

Re: Fixing /.autorelabel

On Sun, 03.07.16 19:19, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote: > On Fri, Jul 01, 2016 at 01:13:35AM +0200, Lennart Poettering wrote: > > On Thu, 30.06.16 22:27, Petr Lautrbach (plaut...@redhat.com) wrote: > > > > > > SELinux is in Permissive mode during this time. > > > > > >

Re: Fixing /.autorelabel

On Mon, 2016-07-04 at 22:52 -0500, Bruno Wolff III wrote: > On Mon, Jul 04, 2016 at 10:25:36 -0700, > Adam Williamson wrote: > > > > Do we actually *need* the second patch if we have the first? I mean, my > > suggestion was just to do the first patch; if we do that,

Re: Fixing /.autorelabel

On Mon, Jul 04, 2016 at 10:25:36 -0700, Adam Williamson wrote: Do we actually *need* the second patch if we have the first? I mean, my suggestion was just to do the first patch; if we do that, do we actually need to worry about making the relabel happen any earlier

Re: Fixing /.autorelabel

On Mon, Jul 04, 2016 at 04:34:22PM +0100, Richard W.M. Jones wrote: > I don't exactly know where to post this, but I guess I have everyone's > attention on this thread. > > Attached are patches which work for me. They could really do with > review from someone who knows what they're doing. They

Re: Fixing /.autorelabel

On Mon, Jul 04, 2016 at 10:25:36AM -0700, Adam Williamson wrote: > On Mon, 2016-07-04 at 16:34 +0100, Richard W.M. Jones wrote: > > I don't exactly know where to post this, but I guess I have everyone's > > attention on this thread. > > > > Attached are patches which work for me. They could

Re: Fixing /.autorelabel

On Mon, 2016-07-04 at 16:34 +0100, Richard W.M. Jones wrote: > I don't exactly know where to post this, but I guess I have everyone's > attention on this thread. > > Attached are patches which work for me. They could really do with > review from someone who knows what they're doing. They also

Re: Fixing /.autorelabel

I don't exactly know where to post this, but I guess I have everyone's attention on this thread. Attached are patches which work for me. They could really do with review from someone who knows what they're doing. They also need much more testing than I've done, but I'll be doing that myself

Re: Fixing /.autorelabel

On Fri, Jul 01, 2016 at 01:13:35AM +0200, Lennart Poettering wrote: > On Thu, 30.06.16 22:27, Petr Lautrbach (plaut...@redhat.com) wrote: > > > > SELinux is in Permissive mode during this time. > > > > SELinux policy is loaded in systemd on very beginning so unless it's set > > to be permissive

Re: Fixing /.autorelabel

> "PL" == Petr Lautrbach writes: PL> (2) when a generator file was mislabeled it could not be run by PL> systemd as systemd can't read fedora-relabel unit file now Isn't it possible to detect that situation and simply force the relabel? - J< -- devel mailing list

Re: Fixing /.autorelabel

On Thu, 30.06.16 22:27, Petr Lautrbach (plaut...@redhat.com) wrote: > > SELinux is in Permissive mode during this time. > > SELinux policy is loaded in systemd on very beginning so unless it's set > to be permissive in the config file or on the kernel command line, a > system is in enforcing

Re: Fixing /.autorelabel

On Thu, 30.06.16 21:23, Petr Lautrbach (plaut...@redhat.com) wrote: > I like the idea that the relabeling will be isolated in a special > target. And we've recently moved fedora-selinux.service to > policycoreutils so it could live there. > > However, it won't probably fix the following

Re: Fixing /.autorelabel

On 06/30/2016 09:52 PM, Richard W.M. Jones wrote: > On Thu, Jun 30, 2016 at 09:23:45PM +0200, Petr Lautrbach wrote: >> On 06/30/2016 06:13 PM, Lennart Poettering wrote: >>> On Thu, 30.06.16 10:45, Simo Sorce (s...@redhat.com) wrote: >>> >> Insert your idea here … > > Do it the same way

Re: Fixing /.autorelabel

On Thu, Jun 30, 2016 at 09:23:45PM +0200, Petr Lautrbach wrote: > On 06/30/2016 06:13 PM, Lennart Poettering wrote: > > On Thu, 30.06.16 10:45, Simo Sorce (s...@redhat.com) wrote: > > > Insert your idea here … > >>> > >>> Do it the same way `dnf system-upgrade` works. The requirements

Re: Fixing /.autorelabel

On 06/30/2016 06:13 PM, Lennart Poettering wrote: > On Thu, 30.06.16 10:45, Simo Sorce (s...@redhat.com) wrote: > Insert your idea here … >>> >>> Do it the same way `dnf system-upgrade` works. The requirements (having >>> local filesystem read- and writable) are quite similar. Or the way

Re: Fixing /.autorelabel

On Thu, 30.06.16 10:45, Simo Sorce (s...@redhat.com) wrote: > > > Insert your idea here … > > > > Do it the same way `dnf system-upgrade` works. The requirements (having > > local filesystem read- and writable) are quite similar. Or the way > > PackageKit's system upgrade works… > > probably

Re: Fixing /.autorelabel

On Thu, 2016-06-30 at 07:34 +, Christian Stadelmann wrote: > > It should be possible to touch /.autorelabel and have the SELinux > > labels on the filesystem fixed at next boot. > > […] > > > (a) Configure /etc/selinux/config to set SELinux permissive, and > > modify the

Re: Fixing /.autorelabel

On 06/30/2016 09:34 AM, Christian Stadelmann wrote: Setting SELinux to permissive (even for a very short time) seems risky to me. I'd rather not do that. Is it really substantially more risky than blindly relabeling the file system? Florian -- devel mailing list

Re: Fixing /.autorelabel

> It should be possible to touch /.autorelabel and have the SELinux > labels on the filesystem fixed at next boot. […] > (a) Configure /etc/selinux/config to set SELinux permissive, and > modify the fedora-autorelabel.service so it edits /etc/selinux/config > to re-enable SELinux next time.

Re: Fixing /.autorelabel

On Wed, 2016-06-29 at 22:15 +0100, Richard W.M. Jones wrote: > It should be possible to touch /.autorelabel and have the SELinux > labels on the filesystem fixed at next boot. > > Fedora 24 shipped with a couple of nasty bugs in /.autorelabel > functionality: > >

Fixing /.autorelabel

It should be possible to touch /.autorelabel and have the SELinux labels on the filesystem fixed at next boot. Fedora 24 shipped with a couple of nasty bugs in /.autorelabel functionality: https://bugzilla.redhat.com/show_bug.cgi?id=1351352 https://bugzilla.redhat.com/show_bug.cgi?id=1349586