On Fri, Jul 08, 2016 at 11:50:19AM -0400, Przemek Klosowski wrote:
> On 07/07/2016 04:59 PM, Richard W.M. Jones wrote:
> >On Wed, Jul 06, 2016 at 02:52:34PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> >
> >>That patch is the answer to the (repeated) bug reports that relabelling
> >>fails if enforcing=1 and the labels are sufficiently messed up.
> >>Doing the relabel in permissive mode, without ever going to enforcing
> >>mode, seems like the most reliable way out in this case. Starting in
> >>enforcing mode first, and then switching back to permissive later
> >>is a complication that increases the chances of failure.
> >Upstream SELinux have comprehensively rejected this approach.  They do
> >not want to have the presence of /.autorelabel cause SELinux to go into
> >permissive mode.
> I kind of understand why they don't like it: "placing an invisible
> object in a special location disables the security system".
> On the other hand, what is their alternative solution?
No solution was offered for the general user-initiated /.autorelabel
case.  Some specific things were talked about for virt-builder but we
cannot use them for misc other reasons.  Here's the upstream thread:



Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org
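The thread's concern is that a file at a fixed path (/.autorelabel) silently changes how the next boot behaves. An added example, not from this thread or from libguestfs, is a small audit script that reports whether such a relabel is pending and which mode the system is configured for, so an operator can spot the trigger file before rebooting. It assumes the standard /etc/selinux/config format (SELINUX=enforcing|permissive|disabled); the function names and the ROOT argument, which lets it run against a mounted image or a test directory, are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original thread): report a pending
# /.autorelabel together with the configured SELinux mode.
# Assumes the standard /etc/selinux/config syntax: SELINUX=<mode>.

# Print the configured mode from ROOT/etc/selinux/config, or "unknown".
selinux_config_mode() {
    root=${1:-/}
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || { echo unknown; return 0; }
    # Last uncommented SELINUX= line wins, as it does for the real parser.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-unknown}"
}

# Print "pending:<mode>" when ROOT/.autorelabel exists, else "none:<mode>".
autorelabel_status() {
    root=${1:-/}
    mode=$(selinux_config_mode "$root")
    if [ -e "$root/.autorelabel" ]; then
        echo "pending:$mode"
    else
        echo "none:$mode"
    fi
}

# Usage on a live system: autorelabel_status /
# Usage on a mounted guest image: autorelabel_status /mnt/guest
```

A "pending:enforcing" result means the next boot will relabel in whatever mode the init system and policy decide; with the patch discussed above that would be permissive, which is exactly the behaviour upstream objected to, so the check is worth running before rebooting an image whose origin you do not control.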
devel mailing list
