-
Bug
-
Resolution: Duplicate
-
Major
-
rhel-10.1
-
None
-
Yes
-
Important
-
rhel-security-selinux
-
2
-
False
-
False
Since the rebase of selinux-policy (RHEL-54303), when I touch /.autorelabel and reboot, no autorelabel is performed and the file stays there after reboot.
The problem manifests itself in two ways:
1. when the file is not labelled correctly ( system_u:object_r:unlabeled_t:s0 ), I see this in the log:
audit: type=1400 audit(1754407742.389:4): avc: denied { getattr } for pid=577 comm="selinux-autorel" path="/.autorelabel" dev="dm-0" ino=141918 scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
2. when I label the file correctly ( unconfined_u:object_r:etc_runtime_t:s0 ), the relabel still does not happen and I don't see anything relevant in the log.
So far, the only workaround I found is to switch to permissive mode for relabelling, which is hard to automate.
The rebase also brought the following changes to the selinux-policy rules for selinux-autorelabel-generator (selinuxutil.fc and selinuxutil.te):
diff -ur selinux-policy-40.13.35-build/selinux-policy-c1ae4d4d9a09414cc7e1a05649fdd7c595dc27ed/policy/modules/system/selinuxutil.fc selinux-policy-42.1.4-build/selinux-policy-495b780f9c3f97a6e2cb28206d7298ea34becbcb/policy/modules/system/selinuxutil.fc
--- selinux-policy-40.13.35-build/selinux-policy-c1ae4d4d9a09414cc7e1a05649fdd7c595dc27ed/policy/modules/system/selinuxutil.fc 2025-07-02 16:32:53.000000000 +0200
+++ selinux-policy-42.1.4-build/selinux-policy-495b780f9c3f97a6e2cb28206d7298ea34becbcb/policy/modules/system/selinuxutil.fc 2025-07-31 13:32:55.000000000 +0200
@@ -22,13 +22,6 @@ /root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0) # -# /sbin # -/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) -/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) -/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) - -# # /usr # /usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
@@ -36,16 +29,18 @@
 /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
+/usr/lib/systemd/system-generators/selinux-autorelabel-generator\.sh -- gen_context(system_u:object_r:selinux_autorelabel_generator_exec_t,s0)
+
 /usr/libexec/selinux/selinux-autorelabel -- gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
-/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
-/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
-/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0)
-/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/bin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
+/usr/bin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/bin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
+/usr/bin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
+/usr/bin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/bin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0)
+/usr/bin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/bin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
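Review bot: The eight `/usr/sbin/...` entries for load_policy, restorecon, restorecond, run_init, setfiles, setsebool, semanage and semodule are removed outright instead of being kept next to the new `/usr/bin` ones, so on a system where `/usr/sbin` is still a real directory holding those binaries they fall back to the generic `bin_t` label and the `setfiles_t`/`load_policy_t` domain transitions that a relabel relies on would not happen. Whether the target distribution has already merged `/usr/sbin` into `/usr/bin` cannot be told from this diff; `ls -Z /usr/sbin/setfiles /usr/bin/setfiles` on the affected host would settle it, and the reporter's symptom (the relabel never runs) is consistent with, though not proof of, this. If both layouts must be supported, one pattern per tool covers them, e.g. `/usr/(s)?bin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)`, and likewise for the other seven entries.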
@@ -62,7 +57,7 @@
 # /var/run
 #
 /run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
-
+/run/systemd/generator/selinux-autorelabel\.service\.d(/.*?) gen_context(system_u:object_r:selinux_autorelabel_generator_unit_file_t,s0)
 /etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
 /etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff -ur selinux-policy-40.13.35-build/selinux-policy-c1ae4d4d9a09414cc7e1a05649fdd7c595dc27ed/policy/modules/system/selinuxutil.te selinux-policy-42.1.4-build/selinux-policy-495b780f9c3f97a6e2cb28206d7298ea34becbcb/policy/modules/system/selinuxutil.te
--- selinux-policy-40.13.35-build/selinux-policy-c1ae4d4d9a09414cc7e1a05649fdd7c595dc27ed/policy/modules/system/selinuxutil.te 2025-07-02 16:32:53.000000000 +0200
+++ selinux-policy-42.1.4-build/selinux-policy-495b780f9c3f97a6e2cb28206d7298ea34becbcb/policy/modules/system/selinuxutil.te 2025-07-31 13:32:55.000000000 +0200
@@ -142,6 +142,12 @@
 domain_entry_file(setfiles_mac_t, setfiles_exec_t)
 domain_obj_id_change_exemption(setfiles_mac_t)
+type selinux_autorelabel_generator_t;
+type selinux_autorelabel_generator_exec_t;
+init_system_domain(selinux_autorelabel_generator_t, selinux_autorelabel_generator_exec_t)
+type selinux_autorelabel_generator_unit_file_t;
+files_type(selinux_autorelabel_generator_unit_file_t)
+
 ########################################
 #
 # Checkpolicy local policy
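Review bot: The new pattern `/run/systemd/generator/selinux-autorelabel\.service\.d(/.*?)` has the `?` inside the group, which only makes `.*` lazy and does not make the group optional, so the entry matches files below the drop-in directory but never the directory itself; every other directory pattern in this file uses `(/.*)?` (compare `/etc/share/selinux/targeted(/.*)?` two lines down). At creation time the directory gets its label from the `systemd_unit_file_filetrans(..., dir)` rule in the accompanying .te change, so the mistake would mostly show up on a `restorecon` of `/run/systemd/generator`, but it should still read `/run/systemd/generator/selinux-autorelabel\.service\.d(/.*)? gen_context(system_u:object_r:selinux_autorelabel_generator_unit_file_t,s0)`.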
@@ -812,3 +818,45 @@
 optional_policy(`
 policykit_dbus_chat(policy_manager_domain)
 ')
+
+########################################
+#
+# selinux-relabel-generator local policy
+#
+
+allow selinux_autorelabel_generator_t selinux_autorelabel_generator_unit_file_t:dir manage_dir_perms;
+allow selinux_autorelabel_generator_t selinux_autorelabel_generator_unit_file_t:file manage_file_perms;
+allow selinux_autorelabel_generator_t selinux_autorelabel_generator_unit_file_t:lnk_file manage_lnk_file_perms;
+
+# src:elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
+kernel_read_proc_files(selinux_autorelabel_generator_t)
+
+# src:ln, selinuxenabled, cat
+corecmd_exec_bin(selinux_autorelabel_generator_t)
+
+# src:mkdir -p "$earlydir/selinux-autorelabel.service.d"
+init_filetrans_named_content(selinux_autorelabel_generator_t)
+
+optional_policy(`
+ # src:#!/bin/bash
+ auth_dontaudit_read_passwd_file(selinux_autorelabel_generator_t)
+')
+
+optional_policy(`
+ # src:source /etc/selinux/config
+ seutil_read_config(selinux_autorelabel_generator_t)
+')
+
+optional_policy(`
+ systemd_unit_file(selinux_autorelabel_generator_unit_file_t)
+
+ # src:mkdir -p "$earlydir/selinux-autorelabel.service.d"
+ systemd_unit_file_filetrans(selinux_autorelabel_generator_t, selinux_autorelabel_generator_unit_file_t, dir)
+
+ # src:ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
+ systemd_manage_unit_symlinks(selinux_autorelabel_generator_t)
+ systemd_getattr_generic_unit_files(selinux_autorelabel_generator_t)
+
+ # src:cat > "$earlydir/selinux-autorelabel.service.d/tty.conf" <<EOF
+ manage_files_pattern(selinux_autorelabel_generator_t, selinux_autorelabel_generator_unit_file_t, selinux_autorelabel_generator_unit_file_t)
+')
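Review bot: Nothing in the new `selinux_autorelabel_generator_t` rules grants access to the file the generator exists to test for, `/.autorelabel` in the root directory: the `# src:elif grep ... /proc/cmdline` comment implies a preceding `if` branch (presumably a test such as `[ -f /.autorelabel ]`), yet the hunk only covers the unit drop-in directory, `/proc`, bin execution and `/etc/selinux/config`. This matches the reported denial (`getattr` on `/.autorelabel` for `comm="selinux-autorel"` in this domain), so a rule for the file's normal `etc_runtime_t` label is missing, e.g. `files_read_etc_runtime_files(selinux_autorelabel_generator_t)` next to the other top-level rules with a `# src:if [ -f /.autorelabel ]` comment in the style of its neighbours; confirm the exact interface name against files.if. A `/.autorelabel` created as `unlabeled_t` (the reporter's first case) would still be denied and needs a labeling fix rather than a broader allow, and it is worth confirming that `kernel_read_proc_files` actually covers `/proc/cmdline` rather than only the `/proc` hierarchy, since the `grep` on the line above it is the generator's second trigger.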
Perhaps that's related, perhaps not.
- is caused by
-
RHEL-54303 Rebase selinux-policy to the newest one available in Fedora 42
-
- Release Pending
-