[lug] SElinux Relabel

Orion Poplawski orion at cora.nwra.com
Thu Oct 24 07:49:47 MDT 2013


On 10/24/2013 7:23 AM, stimits at comcast.net wrote:
> ...
>  > If I had to guess, I'd say you booted Fedora 19 and let it see your
> Fedora 16 partitions.  Perhaps -- just guessing -- the SELinux labels
> changed between 16 and 19 (which is about two years worth of
> development.)  So F19 might have modified the labels on F16 files and
> when you booted it back into F16, it didn't like that.
>
> This seems to be the case. Prior settings did enable targeted selinux,
> and prior boot config did not disable fedora 16. Those partitions were
> mounted on a convenience point during install, and so installation and
> rpm update of fedora 19 would have seen these partitions. Advice to
> others: Do NOT tell an install about any partitions you want to view
> from a past o/s and instead add those mount options after install.

In addition, SELinux labels depend on the file path - so the labels 
appropriate for /usr/local/old are *not* appropriate for a root 
filesystem.

Do not keep different OS filesystems cross mounted.  Mount only when needed.


> I'm going to try this later today, after my bravery increases (I guess I
> should avoid coffee today!). A big question for the people here...since
> I have to boot into this with selinux disabled via a kernel option in
> grub2, will restorecon -R still work as expected? Or if I were to boot
> to the f19 install (or any rescue) and then chroot to the old partition,
> would restorecon -R function correctly using only the older system's config?
>
> I'm assuming that whatever files exist in the old f16 system, that the
> actual f16 rpm config itself did not change, that the fault is relabel
> from the f19 config when it really needed the f16 config present on the
> old f16 install.

If you want to use SELinux, don't ever boot with selinux disabled.  Boot 
with "enforcing=0" (permissive).  If you need to relabel everything do:

touch /.autorelabel

and reboot.




-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
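
The point above that labels depend on the file path, as an added example that is not part of the original message: a simplified file_contexts lookup showing what a file is labelled as part of its own root filesystem and what it is labelled when that filesystem is seen under /usr/local/old. The rules are constructed and modelled on a targeted policy, one rule set stands in for both OS releases, and the function names are hypothetical.

```python
import re

# Constructed rules in file_contexts syntax (path regex, optional file
# type, context), modelled on a targeted policy; not copied from F16 or F19.
FILE_CONTEXTS = """
/.*                     system_u:object_r:default_t:s0
/etc(/.*)?              system_u:object_r:etc_t:s0
/etc/shadow.*     --    system_u:object_r:shadow_t:s0
/usr(/.*)?              system_u:object_r:usr_t:s0
/usr/s?bin(/.*)?        system_u:object_r:bin_t:s0
/usr/sbin/sshd    --    system_u:object_r:sshd_exec_t:s0
"""


def parse_rules(text):
    """Return (compiled regex, context) pairs in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # The whole path must match, so anchor the expression at both ends.
        rules.append((re.compile(r"\A(?:%s)\Z" % fields[0]), fields[-1]))
    return rules


def expected_label(path, rules):
    """Simplified lookup: the last matching rule wins; file type is ignored."""
    label = None
    for regex, context in rules:
        if regex.match(path):
            label = context
    return label


def labels_when_cross_mounted(paths, mount_point, rules):
    """Map each path to (label as its own root fs, label seen under mount_point)."""
    return {p: (expected_label(p, rules), expected_label(mount_point + p, rules))
            for p in paths}


if __name__ == "__main__":
    rules = parse_rules(FILE_CONTEXTS)
    seen = labels_when_cross_mounted(["/etc/shadow", "/usr/sbin/sshd"],
                                     "/usr/local/old", rules)
    for path, (own, cross) in seen.items():
        print(f"{path}: own root {own}; under /usr/local/old {cross}")
```

Both files fall through to the generic /usr rule once the old root sits under /usr/local/old, which is why a relabel performed from the other install leaves the old system with contexts its own policy does not expect.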

