Why did SELinux relabel my filesystem?

Chris Murphy lists at colorremedies.com
Wed Dec 25 23:27:35 UTC 2013


On Dec 25, 2013, at 4:25 AM, Steven P. Ulrick <meow8282 at gmail.com> wrote:

> Hello, Everyone
> During my most recent re-boot, SELinux relabeled my entire filesystem.
> Which would be fine, except for the fact that I have SELinux disabled
> on my system:
> 
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> #     enforcing - SELinux security policy is enforced.
>> #     permissive - SELinux prints warnings instead of enforcing.
>> #     disabled - No SELinux policy is loaded.
>> SELINUX=disabled
>> # SELINUXTYPE= can take one of these two values:
>> #     targeted - Targeted processes are protected,
>> #     minimum - Modification of targeted policy. Only selected processes are protected.
>> #     mls - Multi Level Security protection.
>> SELINUXTYPE=targeted
> 
> Why did SELinux, which is disabled on my system, spend all that time re-labeling my filesystem?

Upon disabling selinux, the labels were made incorrect as a result, and at the same time /.autorelabel was created to inform a future selinux enabling to know the system needed to be relabeled on boot, because otherwise it probably would have face planted due to the fact the labels were made incorrect by disabling selinux.

A recent selinux update apparently causes /etc/sysconfig/selinux to be ignored, therefore your system came up in enforcing mode and was relabeled.

Instead, you should use enforcing=0 as a boot parameter. It can be added to /etc/default/grub, and then use grub2-mkconfig to recreate grub.cfg and make the change persistent. enforcing=0 maintains the correct labels, reports AVC denials, but doesn't actually enforce them.

selinux=0 isn't a good idea. Discussed here:
http://danwalsh.livejournal.com/10972.html


Chris Murphy
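
The /etc/default/grub change described in the message above, as an added shell example that is not part of the original post. The function names are hypothetical, and it assumes a double-quoted GRUB_CMDLINE_LINUX line holding plain space-separated arguments.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical; paths are passed in so it can be tried on a copy first.

# Print the current value of GRUB_CMDLINE_LINUX from a grub defaults file.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Rewrite GRUB_CMDLINE_LINUX so it carries enforcing=0 exactly once.
# Any existing enforcing=N is replaced and selinux=0 is dropped, since the
# goal is permissive mode with labels kept correct. Safe to run repeatedly.
# Returns 2 if the file has no double-quoted GRUB_CMDLINE_LINUX line.
set_permissive_boot() {
    file=$1
    grep -q '^GRUB_CMDLINE_LINUX=".*"$' "$file" || return 2
    new=
    for arg in $(grub_cmdline "$file"); do
        case $arg in
            enforcing=*|selinux=0) ;;            # replaced or removed
            *) new="${new:+$new }$arg" ;;        # keep everything else
        esac
    done
    new="${new:+$new }enforcing=0"
    tmp=$(mktemp) || return 1
    # Only the GRUB_CMDLINE_LINUX line is rewritten; other lines pass through.
    awk -v v="$new" '
        /^GRUB_CMDLINE_LINUX="/ { print "GRUB_CMDLINE_LINUX=\"" v "\""; next }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# True if a full relabel is queued for the next boot under ROOT
# (ROOT defaults to the running system).
relabel_pending() {
    [ -e "${1:-}/.autorelabel" ]
}
```

After running `set_permissive_boot /etc/default/grub` as root, regenerate grub.cfg with grub2-mkconfig as the message says; `relabel_pending` shows whether the next boot will still spend time relabeling.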

