On 6/19/07, Tony Nelson <tonynelson@xxxxxxxxxxxxxxxxx> wrote:
Again you state the obvious. Do you know what happens if SELinux is in enforcing mode when relabeling?
Yes ... it relabels. I have done so many times ... especially during quick policy churns in Rawhide test releases.

I'm sorry that my response trying to help was unhelpful. Please ignore me in the future rather than giving a rude response. However, it would be more preferable to give a thoughtful response that tries to bridge the difficult communication gap that arises from having discussions with limited context.

I have never had any problems with SELinux that have prevented booting. I also have never had any problems with SELinux autorelabelling with enforcing enabled. In my reading of this mailing list since SELinux was introduced, I have found that people having trouble with SELinux mainly fall into two categories. Either they are noobs blindly trying to run a precompiled app that they unpacked from a tarball or they are old-school *nix hackers who are blindly trying to run an app that they built from a tarball or have made some customization to make their system resemble the way "things used to be done in the olden-days".

What I was thinking in my response but perhaps not suggesting explicitly was either:

1) touching the .autolabel file after you booted with enforcing off and rebooting with enforcing off to avoid the need for a RescueCD or

2) just putting *both* parameters that Daniel told you about (enforcing=0 and autorelabel=1) in the grub entry at boot time to avoid the need for a RescueCD.

Because while Tim thinks that booting from a RescueCD might have other advantages, I would think that it might have many hidden disadvantages from a SELinux point of view that seem to always arise when you are trying to do things outside the scope of SELinux with an older kernel on a sub-directory-mounted or chrooted root filesystem. This is likely where the *nix gurus get tripped up with SELinux as they instantly turn to their old toolbag when things break ... and their old tools stomp all over SELinux in knowing nothing of it.

/Mike