LinuxQuestions.org
Old 01-24-2014, 02:57 PM   #1
PeterSteele
Member
 
Registered: Jun 2012
Posts: 218

Rep: Reputation: Disabled
How can I prevent SELinux relabeling?


I have VMs that are installed with selinux disabled via my custom kickstart file. However, when I reboot the VMs for the first time, they want to go through the relabeling process. I see these messages appear on the console of the VMs when they are booting:

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.

This takes a minute or so and then the box reboots, and sometimes I see this message again with another reboot before the box finally comes up. It only appears to happen on the first boot. How can I prevent this relabeling process from ever occurring?
 
Old 01-24-2014, 05:25 PM   #2
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,652

Rep: Reputation: 536
disable selinux?
 
Old 01-24-2014, 05:35 PM   #3
PeterSteele
Member
 
Registered: Jun 2012
Posts: 218

Original Poster
Rep: Reputation: Disabled
As I mentioned in my original post, selinux *is* disabled. But for some reason, my system (CentOS 6.4) wants to do this relabeling the first time the system is rebooted. This does not happen during FirstBoot, but during the first reboot.
 
Old 01-26-2014, 12:24 PM   #4
angryfirelord
Member
 
Registered: Dec 2005
Posts: 502

Rep: Reputation: 60
Try this command:
Code:
touch /.autorelabel
Reboot afterwards and see if it goes away.
 
Old 01-27-2014, 08:57 AM   #5
PeterSteele
Member
 
Registered: Jun 2012
Posts: 218

Original Poster
Rep: Reputation: Disabled
I had already tried that and the relabeling is still performed during the first reboot of the system. Technically what I really want is something like .noautorelabel--I want to turn off the relabeling, not trigger it. The relabeling does not occur the first time the VM is booted after it's been installed. It occurs the first time the system is rebooted, even though selinux is disabled. Since it is disabled, you'd think I wouldn't have to do anything to disable the automatic relabeling process--it should be off by default if selinux is disabled. Perhaps I don't fully understand what this relabeling is supposed to accomplish.

Ironically, if I try to perform a relabel manually, it complains that selinux isn't enabled:

Code:
# fixfiles -f -F relabel
Cleaning out /tmp
usage:  /sbin/setfiles [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...
usage:  /sbin/setfiles -c policyfile spec_file
usage:  /sbin/setfiles -s [-dnpqvW] [-o filename ] spec_file
find: invalid predicate -context: SELinux is not enabled.
find: invalid predicate -context: SELinux is not enabled.
 
Old 01-27-2014, 02:57 PM   #6
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 1,619

Rep: Reputation: 676
Have you tried adding "selinux=0" as a kernel parameter passed in by the boot loader?
 
Old 01-27-2014, 04:24 PM   #7
PeterSteele
Member
 
Registered: Jun 2012
Posts: 218

Original Poster
Rep: Reputation: Disabled
This has no effect. Here's a snippet of my console output during the reboot:

Code:
                Welcome to CentOS 
Starting udev: G[  OK  ]
Setting hostname pws-03:  [  OK  ]
Checking filesystems
Checking all file systems.
[/sbin/fsck.ext4 (1) -- /] fsck.ext4 -a /dev/vda3 
/dev/vda3: clean, 30339/2859008 files, 566926/11419648 blocks
[/sbin/fsck.ext4 (1) -- /boot] fsck.ext4 -a /dev/vda1 
/dev/vda1: clean, 38/31360 files, 30437/124980 blocks
[  OK  ]
Remounting root filesystem in read-write mode:  [  OK  ]
Mounting local filesystems:  [  OK  ]

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
At this point it sits here for a while, and then proceeds with this:
Code:
usage:  /sbin/setfiles [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...
usage:  /sbin/setfiles -c policyfile spec_file
usage:  /sbin/setfiles -s [-dnpqvW] [-o filename ] spec_file
Unmounting file systems
Automatic reboot in progress.
Restarting system.
machine restart
and the system then restarts. I have occasionally seen it go through this relabeling process on the next reboot as well before finally finishing the boot. Seems very odd that this would be happening when SELinux is disabled.
 
Old 01-27-2014, 09:10 PM   #8
John VV
Guru
 
Registered: Aug 2005
Posts: 13,508

Rep: Reputation: 1804
let it do its job
and rerun the labeling
it has to after you make a change

every time you turn it off( setenforce=0) and back on ( reboot) it HAS TO run a check

so let it do its job.

then ONLY turn off SE when it is 100% NEEDED ( almost never is needed ) and expect the TIME needed to run the check

set SE to "permissive" READ AND FIX -- FIX--- the errors
from "selinuxtroubleshooter"
then set it to ENFORCING and leave it there

Last edited by John VV; 01-27-2014 at 09:14 PM.
 
Old 01-27-2014, 09:22 PM   #9
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 1,619

Rep: Reputation: 676
Examination of /etc/rc.d/rc.sysinit suggests that the existence of a non-empty file /selinux/enforce might cause that. Why that would be the case is not apparent. That file gets written with either a "0" or "1" to control actions during the forced reboots that are sometimes needed for an autorelabel. Whatever empties it is not apparent.

If you never want to use SELinux, you could simply uninstall selinux-policy (which will also take out selinux-policy-targeted and policycoreutils-gui).

Last edited by rknichols; 01-27-2014 at 09:26 PM.
 
Old 01-28-2014, 04:56 PM   #10
PeterSteele
Member
 
Registered: Jun 2012
Posts: 218

Original Poster
Rep: Reputation: Disabled
We have a custom minimal CentOS and we don't want SElinux installed at all. The kickstart document describes the command "selinux --disabled" as "Disables SELinux completely on the system", but this is apparently not the case. I've even tried to explicitly exclude the module "selinux-policy" in the kickstart file but it gets installed anyway.
 
Old 01-28-2014, 05:30 PM   #11
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 1,619

Rep: Reputation: 676
If the installation calls for "selinux-policy-targeted" or "policycoreutils-gui", then the base policy will be installed to satisfy dependencies.
 
Old 01-28-2014, 08:03 PM   #12
berndbausch
Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: Redhat/Centos, Ubuntu, Raspbian
Posts: 265

Rep: Reputation: 46
Quote:
Originally Posted by PeterSteele View Post
We have a custom minimal CentOS and we don't want SElinux installed at all. The kickstart document describes the command "selinux --disabled" as "Disables SELinux completely on the system", but this is apparently not the case. I've even tried to explicitly exclude the module "selinux-policy" in the kickstart file but it gets installed anyway.
While I can't tell what exactly happens when you set selinux --disable, SELinux was obviously installed on your system, perhaps as a dependency of another package. /root/install.log tells you what packages were installed, though it doesn't say why. Perhaps /root/install.log.syslog is more enlightening.
Now that you have SELinux, you can use /etc/selinux/config to persistently disable it.

I am not sure how to completely remove SELinux once it is installed. You may want to start with removing packages like selinux-policy or libselinux-utils.
 
Old 01-29-2014, 11:37 AM   #13
PeterSteele
Member
 
Registered: Jun 2012
Posts: 218

Original Poster
Rep: Reputation: Disabled
I've modified my kickstart file to explicitly exclude selinux from the main set of packages:

%packages --nobase
@core
-selinux-policy-targeted
-selinux-policy

and also include the directives

selinux --disabled
bootloader --location=mbr --append="console=tty0 console=ttyS0,115200 selinux=0"

When my VM comes up sestatus confirms that selinux is disabled:

# sestatus
SELinux status: disabled
# cat /selinux/enforce
0

and the selinux policy modules are definitely not installed (they do not appear in install.log). The system log also confirms it is disabled:

# grep -i selinux /var/log/messages
Jan 29 07:43:31 pws-01 kernel: SELinux: Disabled at boot.

However, the first time I reboot the VM I get this on the console:

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
usage: /sbin/setfiles [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...
usage: /sbin/setfiles -c policyfile spec_file
usage: /sbin/setfiles -s [-dnpqvW] [-o filename ] spec_file
Unmounting file systems
Automatic reboot in progress.
Restarting system.
machine restart

and the machine reboots. Fortunately with all of these efforts at disabling SELinux, the system reboot happens immediately. Previously when I hit this the relabeling process took a couple of minutes. At least that's no longer the case and I just have to deal with the extra reboot, which ultimately adds very little time now that the relabeling no longer runs.

I still think there is something screwy here. Why is it even attempting a relabel when clearly SElinux is not active? But, beyond modifying /etc/rc.d/rc.sysinit to disable the relabeling logic, it seems that I've done all I can do so I'll leave it at that.
 
Old 02-01-2014, 08:43 AM   #14
angryfirelord
Member
 
Registered: Dec 2005
Posts: 502

Rep: Reputation: 60
The filesystem probably still has the SELinux labels on the files. You can try removing them, but make a backup first because it might break other things.

http://stephane.lesimple.fr/blog/200...ux-labels.html
Code:
# find / -print0 | xargs -r0 setfattr -x security.selinux 2>/dev/null
 
Old 02-01-2014, 01:36 PM   #15
PeterSteele
Member
 
Registered: Jun 2012
Posts: 218

Original Poster
Rep: Reputation: Disabled
These systems are VMs created by an automated kickstart script, so I can play with them as needed. I'll add the setfattr command to the kickstart post install script to see if that does the trick. You'd think that the CentOS installer would not apply SELinux labels to the files during the install if the kickstart script indicates that SELinux is disabled, but clearly the labels *are* being set...

Last edited by PeterSteele; 02-03-2014 at 11:03 AM.
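
The thread names several pieces of on-disk and boot state that bear on the relabel: the /.autorelabel flag file (post #4), the selinux=0 kernel parameter (post #6), a non-empty /selinux/enforce (post #9) and /etc/selinux/config (post #12). The script below is an added example, not posted by any participant, that reports all of them in one pass. The function names, the ROOT and cmdline-file parameters and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report relabel-related state under ROOT.
# ROOT and the cmdline file are parameters (hypothetical interface) so that a
# mounted guest image or a constructed test tree can be inspected.

# Print the SELINUX= value from ROOT/etc/selinux/config (empty if absent).
config_mode() {
    [ -r "$1/etc/selinux/config" ] || return 0
    sed -n 's/^[[:space:]]*SELINUX=//p' "$1/etc/selinux/config" | tail -n 1
}

# Succeed if selinux=0 appears as a kernel parameter in the cmdline file.
cmdline_disables() {
    [ -r "$1" ] && tr ' ' '\n' < "$1" | grep -qx 'selinux=0'
}

# Succeed if ROOT/selinux/enforce exists and is non-empty (see post #9).
enforce_nonempty() {
    [ -n "$(cat "$1/selinux/enforce" 2>/dev/null)" ]
}

# One line per finding; values are read straight from the inspected files.
relabel_report() {
    root=$1
    cmdline=${2:-/proc/cmdline}
    echo "config=$(config_mode "$root")"
    if cmdline_disables "$cmdline"; then echo "cmdline=selinux=0"; fi
    if [ -e "$root/.autorelabel" ]; then echo "flag=/.autorelabel present"; fi
    if enforce_nonempty "$root"; then
        echo "enforce=$(cat "$root/selinux/enforce")"
    fi
    return 0
}

# Constructed sample tree using the values shown in post #13.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/selinux" "$t/selinux"
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$t/etc/selinux/config"
    printf '0\n' > "$t/selinux/enforce"
    printf 'ro root=/dev/vda3 console=ttyS0,115200 selinux=0\n' > "$t/cmdline"
    echo "$t"
}

# Usage: sh relabel_state.sh ROOT [CMDLINE_FILE]
if [ "$#" -gt 0 ]; then relabel_report "$@"; fi
```

Running it against a guest image before and after its first reboot shows which of these values changed between the two boots.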
 
  

