Hi,
I'm struggling to relabel a root filesystem correctly for SELinux.
I've got a system where I've had to copy (rsync) / to a new harddrive. I then changed the UUIDs in /etc/fstab, and the system is booting from the new harddrive. So the labels went missing.
The system does not allow logins if SELinux is enabled, because some files (including systemd-user-session) are labelled incorrectly.
I've tried various ways to get it back, but fixfiles relabel, restorecon -vR / require SELinux enabled, and if I enable it I can't log in to run restorecon.
I've tried /.autorelabel but it appears to be ignored. I've checked some files with 'ls -laZ'.
Any ideas? Berend
Hi. Am Samstag, den 17.03.2018, 17:46 +0200 schrieb Berend De Schouwer:
Hi,
I'm struggling to relabel a root filesystem correctly for SELinux.
I've got a system where I've had to copy (rsync) / to a new harddrive. I then changed the UUIDs in /etc/fstab, and the system is booting from the new harddrive. So the labels went missing.
The system does not allow logins if SELinux is enabled, because some files (including systemd-user-session) are labelled incorrectly.
I've tried various ways to get it back, but fixfiles relabel, restorecon -vR / require SELinux enabled, and if I enable it I can't log in to run restorecon.
I've tried /.autorelabel but it appears to be ignored. I've checked some files with 'ls -laZ'.
Any ideas? Berend
You could enable SELinux in permissive mode, then relabel the FS and reboot in enforcing mode. This SHOULD work.
Regards, Dirk
On Sat, 2018-03-17 at 16:51 +0100, Dirk Gottschalk wrote:
Hi. Am Samstag, den 17.03.2018, 17:46 +0200 schrieb Berend De Schouwer:
Hi,
I'm struggling to relabel a root filesystem correctly for SELinux.
I've got a system where I've had to copy (rsync) / to a new harddrive. I then changed the UUIDs in /etc/fstab, and the system is booting from the new harddrive. So the labels went missing.
The system does not allow logins if SELinux is enabled, because some files (including systemd-user-session) are labelled incorrectly.
I've tried various ways to get it back, but fixfiles relabel, restorecon -vR / require SELinux enabled, and if I enable it I can't log in to run restorecon.
I've tried /.autorelabel but it appears to be ignored. I've checked some files with 'ls -laZ'.
Any ideas? Berend
You could enable SELinux in permissive mode, then relabel the FS and reboot in enforcing mode. This SHOULD work.
That did work, thank you.
-
Berend De Schouwer -
Dirk Gottschalk