Re: /.autorelabel does not work on all f42 systems

Thu, 07 Aug 2025 13:59:59 -0700 

On Thu, Aug 7, 2025 at 2:13 PM Barry Scott <[email protected]> wrote:
>
> A user on the Fedora users list reported that selinux relabelling
> was not working.
>
> I can reproduce the problem in a F42 KDE aarch64 VM.
> But it works fine on my x86_64 desktop, also F42 KDE.

Is there anything like this in dmesg? If the file was created with an
improper context (if selinux was completely disabled for instance) you
may see something like:
[    7.492519] audit: type=1400 audit(1754591921.507:4): avc:  denied
{ getattr } for  pid=682 comm="selinux-autorel" path="/.autorelabel"
dev="dm-0" ino=2370
scontext=system_u:system_r:selinux_autorelabel_generator_t:s0
tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0

You can reproduce this for yourself:
# touch /.autorelabel
# chcon -t unlabeled_t /.autorelabel

Rebooting you will get an avc and it won't relabel. Booting with
enforcing=0 on the kernel command line, or otherwise setting selinux
permissive, will allow it to relabel.

I just did this on an orange pi 5 (aarch64) running Fedora 42 and it
relabeled fine, so I don't think anything is wrong/different with
Fedora 42 aarch64.

> I got as far as finding the generator script that triggers
> the relabelling.
>
> How can I debug this script?
>
> My guess is that the generator is running in a sandbox.
> Where can I write a log file with /usr/bin/echo to?
> Or is there a better way to log messages?
>
> Barry
>
>
>
> --
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue



-- 
Jason Montleon        | email: [email protected]
Red Hat, Inc.         | gpg key: 0x069E3022
Cell: 508-496-0663    | irc: jmontleo / jmontleon

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to