On 7 Aug 2025, at 20:03, Jason Montleon <jmontleo@xxxxxxxxxx> wrote:
On Thu, Aug 7, 2025 at 2:13 PM Barry Scott <barry@xxxxxxxxxxxxxxxx> wrote:
A user on the Fedora users list reported that selinux relabelling was not working.
I can reproduce the problem in a F42 KDE aarch64 VM. But it works fine on my x86_64 desktop, also F42 KDE.
Is there anything like this in dmesg? If the file was created with an improper context (if selinux was completely disabled for instance) you may see something like:
[ 7.492519] audit: type=1400 audit(1754591921.507:4): avc: denied { getattr } for pid=682 comm="selinux-autorel" path="/.autorelabel" dev="dm-0" ino=2370 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0
No. All I see is this:
$ journalctl -g autorel -b 0
2025-08-08T09:21:01+01:00 systemd[1]: selinux-autorelabel-mark.service - Mark the need to relabel after reboot was skip>
$ journalctl -g autorel -b -1
2025-08-07T18:57:57+01:00 systemd[1]: selinux-autorelabel-mark.service - Mark the need to relabel after reboot was skip>
This is the selinux status:
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 34
You can reproduce this for yourself:
# touch /.autorelabel
# chcon -t unlabeled_t /.autorelabel
Rebooting you will get an avc and it won't relabel. Booting with enforcing=0 on the kernel command line, or otherwise setting selinux permissive, will allow it to relabel.
This does not seem to be the cause.
I just did this on an orange pi 5 (aarch64) running Fedora 42 and it relabeled fine, so I don't think anything is wrong/different with Fedora 42 aarch64.
I got as far as finding the generator script that triggers the relabelling.
How can I debug this script?
My guess is that the generator is running in a sandbox. Where can I write a log file with /usr/bin/echo to? Or is there a better way to log messages?
Any suggestions on how to get logs out of the script?
Barry
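To rule the labelling cause discussed in this thread in or out from a saved dmesg or audit log, the following added example (not part of the original e-mails or of any Fedora tooling) parses AVC records and reports denials where the autorelabel generator domain was refused access to /.autorelabel. The sample log is constructed: the first record is the one quoted in the thread, the second is an unrelated made-up record.

```python
import re

# Constructed sample input: record 1 is the AVC quoted in the thread,
# record 2 is an invented, unrelated denial used as a negative case.
SAMPLE_LOG = """\
[ 7.492519] audit: type=1400 audit(1754591921.507:4): avc: denied { getattr } for pid=682 comm="selinux-autorel" path="/.autorelabel" dev="dm-0" ino=2370 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0
[ 7.600000] audit: type=1400 audit(1754591921.600:5): avc: denied { read } for pid=700 comm="example" path="/tmp/x" dev="dm-0" ino=99 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s*\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the fields of one AVC record, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is always the third field,
    # even when the MLS level itself contains colons.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def autorelabel_denials(log_text):
    """Denials where the autorelabel generator could not access /.autorelabel."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["result"] == "denied"
                and rec["scontext_type"] == "selinux_autorelabel_generator_t"
                and rec.get("path") == "/.autorelabel"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in autorelabel_denials(SAMPLE_LOG):
        print("generator denied", rec["perms"], "on", rec["path"],
              "labelled", rec["tcontext_type"], "permissive=" + rec["permissive"])
```

An empty result on a real boot log means this particular denial was not recorded, which matches the journal output reported above.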