On Thu, 2006-05-04 at 23:06 -0500, Gene Heskett wrote:
> Jim Cornette wrote:
> > Tony Nelson wrote:
> >
> >> SELinux must be active but not enforcing for it to relabel.
> >> ____________________________________________________________________
> >> TonyN.:'                       <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
> >>       '                              <http://www.georgeanelson.com/>
> >>
> >
> > During the development testing phase, selinux was in a state where
> > selinux could not even be in permissive mode for booting a kernel. I
> > relabeled the system with SELinux completely disabled and in runlevel
> > 1 and was able to boot successfully after relabeling the system.
> > You could argue that since the system goes into relabelling once mode
> > is switched from disabled to enabled, either permissive or enforcing,
> > relabeling was successful only because of round two relabeling.
> >
> > If my understanding is correct, relabeling is file system related and
> > selinux does not need enabled in order to add content to the file
> > system. In order to honor the content within the labeled file system,
> > selinux must be active.
> > If SELinux is active during relabeling, it could prevent file content
> > to be added to the filesystem. SELinux governs by the rules written to
> > the file system, if I'm on cue.
> >
> > Jim
> >
> I'll try it one more time, with it enabled. But it seems to me that if
> restorecon cannot access the config file, and here I'm ASSUMING that the
> config file in question is /etc/selinux/config, then I doubt seriously
> that restorecon can even begin to rectify the problems.
>
> FWIW, here is an ls -lZa of /etc/selinux/config:
> -rw-r--r--  root root system_u:object_r:file_t /etc/selinux/config
>
> Is that anywhere near correct? Editing has always been done with vim,
> as root.

If the system has been relabelled properly, there should be nothing
labelled file_t I believe.

Try to get SELinux booting in permissive mode, by having:

SELINUX=permissive
SELINUXTYPE=targeted

in /etc/sysconfig/config

Try to fix the labels on /etc/selinux:

# restorecon -Rv /etc/selinux

Reboot, and you should get:

# getenforce
Permissive

When that's working, then try:

# touch /.autorelabel

and reboot again. I would hope that there is nothing labelled file_t
after that.

Paul.
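
The checks behind the procedure above, as an added shell example that is not part of the original message and not an SELinux tool: it reads the mode from a config file and finds file_t entries in a saved listing. The function names are hypothetical, and the listing is assumed to use the `ls -lZ` layout quoted in the thread.

```shell
#!/bin/sh
# Added example: offline checks for the relabel procedure in this thread.
# Function names are hypothetical helpers, not part of any SELinux package.

# Print the SELINUX= mode from the config file given as $1.
# Comment lines are skipped; SELINUXTYPE= is not mistaken for SELINUX=.
# Exits non-zero if the file has no SELINUX= line.
selinux_mode_from_config() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*SELINUX[ \t]*$/ { gsub(/[ \t]/, "", $2); mode = $2 }
        END { if (mode == "") exit 1; print mode }
    ' "$1"
}

# Read `ls -lZ` style lines on stdin and print the path of every entry
# whose SELinux type is file_t. The context is taken to be the first field
# of the form user:role:type[:level]; the path is the last field, so paths
# containing spaces are not handled.
list_file_t() {
    awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, ctx, ":")
            if (n >= 3) { if (ctx[3] == "file_t") print $NF; break }
        }
    }'
}

# Map a config file ($1) and a saved listing of /etc/selinux ($2) to the
# step of the procedure that comes next.
next_step() {
    mode=$(selinux_mode_from_config "$1") || mode=""
    if [ "$mode" != "permissive" ]; then
        echo "fix-config"     # set SELINUX=permissive and reboot first
    elif [ -n "$(list_file_t < "$2")" ]; then
        echo "restorecon"     # file_t still present under /etc/selinux
    else
        echo "autorelabel"    # labels look sane: touch /.autorelabel, reboot
    fi
}

# Demo: the first line is the listing quoted in the thread, the second is
# a constructed line with a non-file_t type for contrast.
list_file_t <<'EOF'
-rw-r--r--  root root system_u:object_r:file_t /etc/selinux/config
-rw-r--r--  root root system_u:object_r:selinux_config_t /etc/selinux/semanage.conf
EOF
```

After the autorelabel reboot, feeding a listing of the whole file system to `list_file_t` should print nothing.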