targeted policy relabels *everything*?

Daniel J Walsh dwalsh at redhat.com
Wed Nov 26 21:31:13 UTC 2014


On 11/26/2014 02:11 PM, m.roth at 5-cent.us wrote:
> Tristan Santore wrote:
>> On 26/11/14 18:53, m.roth at 5-cent.us wrote:
>>> Tristan Santore wrote:
>>>> On 26/11/14 18:44, m.roth at 5-cent.us wrote:
>>>>> The admin I work with and I have been updated our CentOS servers to
>>>>> 6.6. One server that's been running for years, with no issues (it is in
>>>>> permissive, also), got updated...
>>>>>
>>>>>  Nov 25 17:26:56 Updated: kexec-tools-2.0.0-280.el6.x86_64
>>>>> <many, many, many lines of asterisks elided>
>>>>>  Nov 26 01:10:52 Updated:
>>>>> selinux-policy-targeted-3.7.19-260.el6.noarch
>>>>>  Nov 26 01:10:56 Updated: coolkey-1.1.0-32.el6.x86_64
>>>>>
>>>>> Yes, that *is* about 7.5 *hours* to install that policy. I can only
>>>>> guess that for some reason, it decided to relabel the *ENTIRE* system.
>>>>>
>>>>> Anyone have any idea *why*?
>>>> Any large SANs mounted ? Or other large data volumes ? Then it could
>>>> take AGES!
>>>>
>>> Nope. A RAID 1 w/ 914G, 37% used. Don't tell me it tried to do any
>>> NFS-mounted stuff, that I can't believe.
>>>
>> <snip RPM SPEC FILE>
>> %post targeted
>> packages=`cat /usr/share/selinux/targeted/modules.lst`
>> if [ $1 -eq 1 ]; then
>>    %loadpolicy targeted $packages
>>    restorecon -R /root /var/log /var/run 2> /dev/null
>> else
>>    semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r
>> audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r
>> ModemManager -r telepathysofiasip -r passanger -r rgmanager -r aisexec
>> -r corosync -r pacemaker -r amavis -r clamav -r glusterfs 2>/dev/null
>>    %loadpolicy targeted $packages
>>    %relabel targeted
>> fi
>> exit 0
>> <snip RPM SPEC FILE>
>>
>> Well, I am not sure and Miroslav and Dan will have to tell you exactly
>> what goes on, but it does look like it tries to force a full relabel. I
>> got this from the spec file, but I have never built the selinux-policy
>> myself, so not sure which %post section actually is applied, but suspect
>> as that is the targeted package option, it depends on the policy being
>> built and packaged. I cannot seem to find the %relabel macro in the docs
>> anywhere though, probably looking the wrong place.
>>
> This is a DHCP server, and a number of other things, but....
>
>> Dan and Miroslav can probably also clarify if the relabel applies to
>> remotely mounted storage or if there is an exception there.
>>
>> I hope this helps.
> Thanks.
>
>         mark
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I have no idea why it would have done this.  There is an algorithm that
does a diff between the previous file context and the new and then
relabels the difference. 

This could trigger a relabel of /usr or /var.   The relabel should
figure out you are on a NFS share and bail out.

Are there lots of files on a file system other than an NFS share?