> On 7 Aug 2025, at 20:03, Jason Montleon <jmont...@redhat.com> wrote:
>
> On Thu, Aug 7, 2025 at 2:13 PM Barry Scott <ba...@barrys-emacs.org> wrote:
>>
>> A user on the Fedora users list reported that selinux relabelling
>> was not working.
>>
>> I can reproduce the problem in a F42 KDE aarch64 VM.
>> But it works fine on my x86_64 desktop, also F42 KDE.
>
> Is there anything like this in dmesg? If the file was created with an
> improper context (if selinux was completely disabled for instance) you
> may see something like:
> [ 7.492519] audit: type=1400 audit(1754591921.507:4): avc: denied
> { getattr } for pid=682 comm="selinux-autorel" path="/.autorelabel"
> dev="dm-0" ino=2370
> scontext=system_u:system_r:selinux_autorelabel_generator_t:s0
> tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0

No. All I see is this:

$ journalctl -g autorel -b 0
2025-08-08T09:21:01+01:00 systemd[1]: selinux-autorelabel-mark.service - Mark the need to relabel after reboot was skip>
$ journalctl -g autorel -b -1
2025-08-07T18:57:57+01:00 systemd[1]: selinux-autorelabel-mark.service - Mark the need to relabel after reboot was skip>

This is the selinux status:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      34

> You can reproduce this for yourself:
> # touch /.autorelabel
> # chcon -t unlabeled_t /.autorelabel
>
> Rebooting you will get an avc and it won't relabel. Booting with
> enforcing=0 on the kernel command line, or otherwise setting selinux
> permissive, will allow it to relabel.

This does not seem to be the cause.

> I just did this on an orange pi 5 (aarch64) running Fedora 42 and it
> relabeled fine, so I don't think anything is wrong/different with
> Fedora 42 aarch64.
>
>> I got as far as finding the generator script that triggers
>> the relabelling.
>>
>> How can I debug this script?
>>
>> My guess is that the generator is running in a sandbox.
>> Where can I write a log file with /usr/bin/echo to?
>> Or is there a better way to log messages?

Any suggestions on how to get logs out of the script?

Barry
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
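
The dmesg check suggested in the quoted reply, as an added example that is not part of either message: a filter that picks out enforced AVC denials on /.autorelabel and prints the denied process, permission and target type. The function names avc_field and blocked_autorelabel are hypothetical, and the sample log is embedded so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): find enforced AVC denials on /.autorelabel.
# Line 1 of SAMPLE_LOG is the denial quoted in the thread, rejoined onto one line;
# line 2 is a constructed permissive-mode variant of it; line 3 is the journal
# line from the reply, truncated exactly as journalctl printed it.
SAMPLE_LOG='[ 7.492519] audit: type=1400 audit(1754591921.507:4): avc: denied { getattr } for pid=682 comm="selinux-autorel" path="/.autorelabel" dev="dm-0" ino=2370 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0
[ 7.492519] audit: type=1400 audit(1754591921.507:4): avc: denied { getattr } for pid=682 comm="selinux-autorel" path="/.autorelabel" dev="dm-0" ino=2370 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=1
2025-08-08T09:21:01+01:00 systemd[1]: selinux-autorelabel-mark.service - Mark the need to relabel after reboot was skip>'

# avc_field KEY LINE: print the value of KEY=... from one AVC record,
# with surrounding double quotes (if any) stripped.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# blocked_autorelabel: read log lines on stdin and, for every AVC denial on
# /.autorelabel that was actually enforced (permissive=0), print
# "<comm> <permission> <target type>".
blocked_autorelabel() {
    while IFS= read -r line; do
        case $line in
            *"avc:"*"denied"*) ;;      # only AVC denial records
            *) continue ;;
        esac
        [ "$(avc_field path "$line")" = "/.autorelabel" ] || continue
        # permissive=1 means the access was logged but still allowed
        [ "$(avc_field permissive "$line")" = "0" ] || continue
        perm=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
        # the SELinux type is the third colon-separated field of the context
        ttype=$(avc_field tcontext "$line" | cut -d: -f3)
        printf '%s %s %s\n' "$(avc_field comm "$line")" "$perm" "$ttype"
    done
}

# Demo on the embedded sample. On a live system pipe in `dmesg` or
# `journalctl -k -b -1` instead; `ls -Z /.autorelabel` shows the file's label.
printf '%s\n' "$SAMPLE_LOG" | blocked_autorelabel
```

No output on a real boot log means no enforced denial on the flag file was recorded, which matches the situation described in the reply.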