targeted policy relabels *everything*?

[m.roth at 5-cent.us]

Daniel J Walsh wrote:
>
> On 11/26/2014 02:11 PM, m.roth at 5-cent.us wrote:
>> Tristan Santore wrote:
>>> On 26/11/14 18:53, m.roth at 5-cent.us wrote:
>>>> Tristan Santore wrote:
>>>>> On 26/11/14 18:44, m.roth at 5-cent.us wrote:
>>>>>> The admin I work with and I have been updated our CentOS servers to
>>>>>> 6.6. One server that's been running for years, with no issues (it is
>>>>>> in permissive, also), got updated...
>>>>>>
>>>>>>  Nov 25 17:26:56 Updated: kexec-tools-2.0.0-280.el6.x86_64
>>>>>> <many, many, many lines of asterisks elided>
>>>>>>  Nov 26 01:10:52 Updated:
>>>>>> selinux-policy-targeted-3.7.19-260.el6.noarch
>>>>>>  Nov 26 01:10:56 Updated: coolkey-1.1.0-32.el6.x86_64
>>>>>>
>>>>>> Yes, that *is* about 7.5 *hours* to install that policy. I can only
>>>>>> guess that for some reason, it decided to relabel the *ENTIRE*
>>>>>> system.
<snip>
>>>> Nope. A RAID 1 w/ 914G, 37% used. Don't tell me it tried to do any
>>>> NFS-mounted stuff, that I can't believe.
<snip>
> I have no idea why it would have done this.  There is an algorithm that
> does a diff between the previous file context and the new and then
> relabels the difference.

That's more or less what I thought.
>
> This could trigger a relabel of /usr or /var.   The relabel should
> figure out you are on a NFS share and bale out.
>
> Are there lots of files on a file system other then an NFS share?
>
There are a fair number - find / | wc -l has been running for more than
five minutes now. One thing that is on this system are backups of /etc
from all 170+ servers and workstations, as well as of some home
directories....

But none of our other servers did that, and some include backup of home
directories.

     mark
        mark