[lug] SElinux Relabel

Maxwell Spangler maxlists at maxwellspangler.com
Thu Oct 24 00:45:14 MDT 2013


On Thu, 2013-10-24 at 05:22 +0000, stimits at comcast.net wrote:

> One update that I hope helps other people in the future...it turns out
> that if I do disable selinux on my old distribution via the new grub2
> config, that the old distribution does indeed boot up fine. I still
> have not determined if this is due to relabel during fedora 19 install
> when I named extra partitions to mount under /usr/local/old/, or if I
> actually did not have selinux running before. What is obvious is that
> when the fedora 19 installer deals with some combination of figuring
> out how to boot and mount old partitions, that the old system does not
> boot because of changes in selinux-related configuration.
> 
> The best way to deal with it? No idea...but turning off selinux via
> selinux=0 in the kernel parameters of the old distribution grub2 is a
> successful workaround. If I recall correctly (and this install was
> long ago), I probably had selinux set to only warn. I can definitively
> say that the old distribution's grub2 config did NOT disable selinux,
> and that my current new fedora 19 install did not prompt for any kind
> of selinux config or disk relabel.
> 
> I still intend to research the older distribution's selinux settings
> to determine what its intended operation was, so I can figure out if
> it was the new install breaking labels or if it was an issue with the
> boot loader configuration.


If I had to guess, I'd say you booted Fedora 19 and let it see your
Fedora 16 partitions.  Perhaps -- just guessing -- the SELinux labels
changed between 16 and 19 (which is about two years' worth of
development).  So F19 might have modified the labels on F16 files and
when you booted it back into F16, it didn't like that.

You can simply edit /etc/selinux/config finding the line that says
"Enforcing" and change it to "Permissive" or "Disabled" to get around
SELinux issues.

If you want to keep it enabled, I would try this:  (not tested!)

1. Boot your F16 into single user mode

2. Mount the root file system as read-write

# mount -o remount,rw /

3. Use SELinux's restorecon utility to set individual file permissions to
what the booted database's installed base of SELinux labels thinks they
should be.  This would be

# restorecon -R /

I haven't tested this!

4. Reboot and see what Fedora 16 says.
-- 
Maxwell Spangler
========================================================================
Linux System Administration / Virtualization / Development / Computing
Services
Photography / Graphics Design / Writing
Fort Collins, Colorado
http://www.maxwellspangler.com
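
Added example, not part of the original message or the list archive: a shell sketch that reports which SELinux mode a system will boot into, given its config file and kernel parameters, and previews a relabel before running the restorecon step above for real. The function names are hypothetical; it assumes the config file's SELINUX= key, the kernel parameters selinux=0 and enforcing=0, and restorecon's -n (change nothing) and -v (verbose) options.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the mode set by the SELINUX= line of a config file, in lower case.
# Comment lines and SELINUXTYPE= are ignored; "unknown" if nothing usable.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
               "$1" 2>/dev/null | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo "unknown" ;;
    esac
}

# Combine the config file ($1) with a kernel command line string ($2).
# selinux=0 disables SELinux regardless of the file; enforcing=0 turns an
# enforcing configuration into permissive for that boot.
effective_boot_mode() {
    mode=$(selinux_config_mode "$1")
    for arg in $2; do
        case "$arg" in
            selinux=0) mode=disabled ;;
            enforcing=0)
                if [ "$mode" = enforcing ]; then mode=permissive; fi ;;
        esac
    done
    echo "$mode"
}

# Dry run of the relabel: -n makes restorecon change nothing, -v lists the
# files whose label differs from what the loaded policy expects.
preview_relabel() {
    restorecon -R -n -v "$1"
}

# Run as root with --check on the system being repaired.
if [ "${1:-}" = "--check" ]; then
    echo "boot mode: $(effective_boot_mode /etc/selinux/config "$(cat /proc/cmdline)")"
    echo "lines reported by relabel preview: $(preview_relabel / 2>/dev/null | wc -l)"
fi
```

A large preview count on the old distribution would be consistent with its labels having been rewritten by the newer install; a "disabled" boot mode means restorecon has no loaded policy to compare against.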