Daniel J Walsh <dwa...@redhat.com> wrote on 12/07/2012 10:46:11:
> 
> On 12/07/2012 08:44 AM, Bruno Wolff III wrote:
> > On Fri, Dec 07, 2012 at 08:22:10 -0500, john.flor...@dart.biz wrote:
> >> 
> >> Thinking selinux might be preventing the relabel from happening (?!?) I
> >> rebooted with selinux=0 so that I could reconfig /etc/sysconfig/selinux
> >> having SELINUX=permissive, touched /.autorelabel and rebooted again.
> >> This time I saw the relabel process do its thing and trigger a reboot.  I
> >> then went back to reconfig /etc/sysconfig/selinux having
> >> SELINUX=enforcing, rebooted and all seemed well, finally.
> > 
> > The autorelabel is supposed to happen early in the boot process and I think
> > it is supposed to work even if your system normally comes up in enforcing
> > mode. So that sounds like a bug.
> > 
> > (You can come up in permissive mode using the enforcing=0 kernel parameter.
> > This is a bit more convenient in some cases for a one time boot, than
> > changing the selinux configuration.)
> > 
> > This is generally the safest way to relabel as you don't want processes
> > that started with the wrong context creating more incorrectly labelled
> > files while you are trying to fix things up (with say restorecon).
> > 
> >> So, I'm all good now, but there may be some bugs in that "relabel should
> >> happen automatically" bit. -- John Florian
>
> Yes systemd is supposed to set the machine into permissive mode for the
> relabel, but I guess if the machine is totally mislabeled, systemd might be
> prevented from doing this, although I would figure systemd would be running as
> the kernel label.  Bottom line this would be difficult to diagnose what
> happened to force you to relabel in permissive mode.


I agree this would be hard to diagnose.  I doubt I could reproduce the 
situation given all this poor system has been through.  That and I'm 
already up to my ears in alligators trying to port our software stack over 
to what's becoming F18.

As I stated, it's no longer a problem for me, so I'm happy.  I just wanted 
to make sure those who would want to know had been informed.

--
John Florian
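
An added example, not part of the thread: a shell check that combines the three inputs discussed above (the `selinux=0` / `enforcing=0` kernel parameters, the `SELINUX=` setting, and the `/.autorelabel` flag) to report which mode the next boot will use and whether the relabel can run. The function names and status strings are hypothetical, and it assumes the relabel only acts when SELinux is enabled at boot.

```shell
#!/bin/sh
# Added example. Paths are passed as parameters so the logic can be
# exercised against constructed files as well as the live system.

# effective_mode CMDLINE CONFIG_FILE
# Prints disabled, permissive, enforcing, or unknown (no SELINUX= line found).
effective_mode() {
    cmdline=$1
    config=$2
    # Last SELINUX= line wins; SELINUXTYPE= and comment lines do not match.
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$config" 2>/dev/null | tail -n 1)
    mode=${mode:-unknown}
    off=no
    for arg in $cmdline; do
        case $arg in
            selinux=0)   off=yes ;;
            # enforcing= only matters when SELinux is not disabled in the config
            enforcing=0) [ "$mode" = disabled ] || mode=permissive ;;
            enforcing=1) [ "$mode" = disabled ] || mode=enforcing ;;
        esac
    done
    [ "$off" = yes ] && mode=disabled
    echo "$mode"
}

# relabel_status ROOT CMDLINE CONFIG_FILE
# Reports whether ROOT/.autorelabel exists and whether it can take effect.
relabel_status() {
    root=$1
    mode=$(effective_mode "$2" "$3")
    if [ ! -e "$root/.autorelabel" ]; then
        echo "no-flag"
    elif [ "$mode" = disabled ]; then
        # Assumption: with SELinux disabled the flag stays and nothing is relabeled.
        echo "flag-set-but-selinux-disabled"
    else
        echo "relabel-pending-$mode"
    fi
}

# Live check only when asked for: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    relabel_status "" "$(cat /proc/cmdline)" /etc/sysconfig/selinux
fi
```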