targeted policy relabels *everything*?

Tristan Santore tristan.santore at internexusconnect.net
Wed Nov 26 19:08:20 UTC 2014


On 26/11/14 18:53, m.roth at 5-cent.us wrote:
> Tristan Santore wrote:
>> On 26/11/14 18:44, m.roth at 5-cent.us wrote:
>>> The admin I work with and I have been updating our CentOS servers to 6.6.
>>> One server that's been running for years, with no issues (it is in
>>> permissive, also), got updated...
>>>
>>>  Nov 25 17:26:56 Updated: kexec-tools-2.0.0-280.el6.x86_64
>>> <many, many, many lines of asterisks elided>
>>>  Nov 26 01:10:52 Updated: selinux-policy-targeted-3.7.19-260.el6.noarch
>>>  Nov 26 01:10:56 Updated: coolkey-1.1.0-32.el6.x86_64
>>>
>>> Yes, that *is* about 7.5 *hours* to install that policy. I can only
>>> guess that for some reason, it decided to relabel the *ENTIRE* system.
>>>
>>> Anyone have any idea *why*?
>> Any large SANs mounted ? Or other large data volumes ? Then it could
>> take AGES!
>>
> Nope. A RAID 1 w/ 914G, 37% used. Don't tell me it tried to do any
> NFS-mounted stuff, that I can't believe.
>
>       mark
>
<snip RPM SPEC FILE>
%post targeted
packages=`cat /usr/share/selinux/targeted/modules.lst`
if [ $1 -eq 1 ]; then
   %loadpolicy targeted $packages
   restorecon -R /root /var/log /var/run 2> /dev/null
else
   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin \
      -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon \
      -r ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec \
      -r corosync -r pacemaker -r amavis -r clamav -r glusterfs 2>/dev/null
   %loadpolicy targeted $packages
   %relabel targeted
fi
exit 0
<snip RPM SPEC FILE>

Well, I am not sure, and Miroslav and Dan will have to tell you exactly
what goes on, but it does look like it tries to force a full relabel. I
got this from the spec file, but I have never built selinux-policy
myself, so I am not sure which %post section is actually applied; I
suspect, as that is the targeted package option, that it depends on the
policy being built and packaged.
I cannot seem to find the %relabel macro in the docs anywhere though; I
am probably looking in the wrong place.

Dan and Miroslav can probably also clarify if the relabel applies to
remotely mounted storage or if there is an exception there.

I hope this helps.

Regards,

Tristan

-- 

Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org
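A way to check what a policy upgrade like the one above would actually relabel, as an added example that is neither from this thread nor from the selinux-policy package: the scope of the post-upgrade relabel is driven by what changed between the previous file_contexts (saved as file_contexts.pre before the new policy lands; that the package's %pre scriptlet keeps this copy is an assumption here, check the spec) and the newly installed file_contexts. Diffing those two and reducing each changed regex to its literal path root shows which trees restorecon would be sent down. The sample file_contexts content, the temporary paths and the prefix-reduction rule are constructed for the demo and only approximate what fixfiles -C does. On a real CentOS 6 host the inputs are /etc/selinux/targeted/contexts/files/file_contexts.pre and file_contexts, and 'restorecon -nRv ROOT' previews a root without changing any label. NFS mounts without labeled-NFS support carry no per-file labels for restorecon to rewrite, so it skips them; time spent relabelling goes to local, xattr-capable filesystems.

```shell
#!/bin/sh
# Added example (not from the original thread or from the selinux-policy
# package). Compare the pre-upgrade file_contexts copy with the new one and
# work out which path roots a post-upgrade relabel would walk. Sample
# file_contexts content and all temporary paths are constructed for the demo.
LC_ALL=C; export LC_ALL

# Normalise a file_contexts file: drop comments and blank lines, sort uniquely
# so comm(1) can compare the two copies line by line.
specs() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | sort -u
}

# Print the regex column of every spec that differs between OLD and NEW
# (changed context, added entry or removed entry), one regex per line.
changed_specs() {
    old="$1"; new="$2"
    tmpd=$(mktemp -d) || return 1
    specs "$old" > "$tmpd/old"
    specs "$new" > "$tmpd/new"
    # comm -3 keeps lines unique to either side; whole-line equality is the
    # test, so a spec whose context changed shows up from both sides.
    comm -3 "$tmpd/old" "$tmpd/new" | awk '{ print $1 }' | sort -u
    rm -rf "$tmpd"
}

# Reduce a file_contexts regex to the literal path in front of its first
# regex metacharacter, e.g. '/var/lib/mysql(/.*)?' -> '/var/lib/mysql'.
# This approximates how fixfiles -C turns a diff into restorecon targets
# (assumption; the real script handles escapes more carefully).
literal_prefix() {
    printf '%s\n' "$1" | sed 's/[][(){}.*?+^$|\\].*$//'
}

# Literal roots that restorecon would be pointed at after the upgrade.
relabel_roots() {
    changed_specs "$1" "$2" | while IFS= read -r re; do
        literal_prefix "$re"
    done | sort -u
}

# Constructed sample: two policy versions that differ in one changed context
# and one new entry. Prints the directory holding them.
make_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/file_contexts.pre" <<'EOF'
# old policy (constructed sample)
/.*                       system_u:object_r:default_t:s0
/etc(/.*)?                system_u:object_r:etc_t:s0
/var/lib/mysql(/.*)?      system_u:object_r:mysqld_db_t:s0
/var/log/.*               system_u:object_r:var_log_t:s0
/srv/nfs(/.*)?            system_u:object_r:var_t:s0
EOF
    cat > "$d/file_contexts" <<'EOF'
# new policy (constructed sample)
/.*                       system_u:object_r:default_t:s0
/etc(/.*)?                system_u:object_r:etc_t:s0
/var/lib/mysql(/.*)?      system_u:object_r:mysqld_db_t:s0
/var/log/.*               system_u:object_r:var_log_t:s0
/srv/nfs(/.*)?            system_u:object_r:public_content_t:s0
/var/lib/glusterd(/.*)?   system_u:object_r:glusterd_var_lib_t:s0
EOF
    printf '%s\n' "$d"
}

# Stand-alone run. On a real CentOS 6 host the two inputs would be
# /etc/selinux/targeted/contexts/files/file_contexts.pre and file_contexts,
# and 'restorecon -nRv ROOT' previews each root without touching labels.
d=$(make_samples)
echo "changed specs:"
changed_specs "$d/file_contexts.pre" "$d/file_contexts"
echo "roots a relabel would walk:"
relabel_roots "$d/file_contexts.pre" "$d/file_contexts"
rm -rf "$d"
```

With the constructed sample only /srv/nfs and /var/lib/glusterd come out as roots, which is the point: a policy update relabels the trees whose specs changed, so comparing the two file_contexts files before the upgrade tells you whether to expect minutes or hours, and restorecon -n on those roots confirms it without modifying anything.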
