I have VMs that are installed with selinux disabled via my custom kickstart file. However, when I reboot the VMs for the first time, they want to go through the relabeling process. I see these messages appear on the console of the VMs when they are booting:
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
This takes a minute or so and then the box reboots, and sometimes I see this message again with another reboot before the box finally comes up. It only appears to happen on the first boot. How can I prevent this relabeling process from ever occurring?
As I mentioned in my original post, selinux *is* disabled. But for some reason, my system (CentOS 6.4) wants to do this relabeling the first time the system is rebooted. This does not happen during FirstBoot, but during the first reboot.
I had already tried that and the relabeling is still performed during the first reboot of the system. Technically what I really want is something like .noautorelabel--I want to turn off the relabeling, not trigger it. The relabeling does not occur the first time the VM is booted after it's been installed. It occurs the first time the system is rebooted, even though selinux is disabled. Since it is disabled, you'd think I wouldn't have to do anything to disable the automatic relabeling process--it should be off by default if selinux is disabled. Perhaps I don't fully understand what this relabeling is supposed to accomplish.
Ironically, if I try to perform a relabel manually, it complains that selinux isn't enabled:
Code:
# fixfiles -f -F relabel
Cleaning out /tmp
usage: /sbin/setfiles [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...
usage: /sbin/setfiles -c policyfile spec_file
usage: /sbin/setfiles -s [-dnpqvW] [-o filename ] spec_file
find: invalid predicate -context: SELinux is not enabled.
find: invalid predicate -context: SELinux is not enabled.
This has no effect. Here's a snippet of my console output during the reboot:
Code:
Welcome to CentOS
Starting udev: G[ OK ]
Setting hostname pws-03: [ OK ]
Checking filesystems
Checking all file systems.
[/sbin/fsck.ext4 (1) -- /] fsck.ext4 -a /dev/vda3
/dev/vda3: clean, 30339/2859008 files, 566926/11419648 blocks
[/sbin/fsck.ext4 (1) -- /boot] fsck.ext4 -a /dev/vda1
/dev/vda1: clean, 38/31360 files, 30437/124980 blocks
[ OK ]
Remounting root filesystem in read-write mode: [ OK ]
Mounting local filesystems: [ OK ]
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
At this point it sits here for a while, and then proceeds with this:
and the system then restarts. I have occasionally seen it go through this relabeling process on the next reboot as well before finally finishing the boot. Seems very odd that this would be happening when SELinux is disabled.
Examination of /etc/rc.d/rc.sysinit suggests that the existence of a non-empty file /selinux/enforce might cause that. Why that would be the case is not apparent. That file gets written with either a "0" or "1" to control actions during the forced reboots that are sometimes needed for an autorelabel. Whatever empties it is not apparent.
If you never want to use SELinux, you could simply uninstall selinux-policy (which will also take out selinux-policy-targeted and policycoreutils-gui).
We have a custom minimal CentOS and we don't want SElinux installed at all. The kickstart document describes the command "selinux --disabled" as "Disables SELinux completely on the system", but this is apparently not the case. I've even tried to explicitly exclude the module "selinux-policy" in the kickstart file but it gets installed anyway.
While I can't tell what exactly happens when you set selinux --disable, SELinux was obviously installed on your system, perhaps as a dependency of another package. /root/install.log tells you what packages were installed, though it doesn't say why. Perhaps /root/install.log.syslog is more enlightening.
Now that you have SELinux, you can use /etc/selinux/config to persistently disable it.
I am not sure how to completely remove SELinux once it is installed. You may want to start with removing packages like selinux-policy or libselinux-utils.
and the selinux policy modules are definitely not installed (they do not appear in install.log). The system log also confirms it is disabled:
# grep -i selinux /var/log/messages
Jan 29 07:43:31 pws-01 kernel: SELinux: Disabled at boot.
However, the first time I reboot the VM I get this on the console:
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
usage: /sbin/setfiles [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...
usage: /sbin/setfiles -c policyfile spec_file
usage: /sbin/setfiles -s [-dnpqvW] [-o filename ] spec_file
Unmounting file systems
Automatic reboot in progress.
Restarting system.
machine restart
and the machine reboots. Fortunately with all of these efforts at disabling SELinux, the system reboot happens immediately. Previously when I hit this the relabeling process took a couple of minutes. At least that's no longer the case and I just have to deal with the extra reboot, which ultimately adds very little time now that the relabeling no longer runs.
I still think there is something screwy here. Why is it even attempting a relabel when clearly SELinux is not active? But, beyond modifying /etc/rc.d/rc.sysinit to disable the relabeling logic, it seems that I've done all I can do, so I'll leave it at that.
The filesystem probably still has the SELinux labels on the files. You can try removing them, but make a backup first because it might break other things.
These systems are VMs created by an automated kickstart script, so I can play with them as needed. I'll add the setfattr command to the kickstart post install script to see if that does the trick. You'd think that the CentOS installer would not apply SELinux labels to the files during the install if the kickstart script indicates that SELinux is disabled, but clearly the labels *are* being set...
Last edited by PeterSteele; 02-03-2014 at 10:03 AM.
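A way to collect, in one pass, the state this thread keeps returning to (the /etc/selinux/config mode, the "Disabled at boot" kernel line, /selinux/enforce, on-disk labels). This is an added example, not code from any poster or from CentOS. The /.autorelabel flag check, the finding names and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report relabel-related state under a root directory
# (a mounted VM image, or "/" for the live system).

# Print the SELINUX= mode from ROOT/etc/selinux/config ("absent" if no file).
config_mode() {
    cfg="$1/etc/selinux/config"
    [ -r "$cfg" ] || { echo absent; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-unset}"
}

# Succeed if the path carries a security.selinux xattr (needs getfattr from attr).
has_label() {
    command -v getfattr >/dev/null 2>&1 || return 2
    getfattr --absolute-names -n security.selinux "$1" >/dev/null 2>&1
}

# Print one finding per line for ROOT (finding names are hypothetical tags).
relabel_findings() {
    root="${1%/}"
    echo "config=$(config_mode "$root")"
    [ -e "$root/.autorelabel" ] && echo "autorelabel-flag"
    [ -n "$(cat "$root/selinux/enforce" 2>/dev/null)" ] && echo "enforce-nonempty"
    grep -q 'SELinux: *Disabled at boot' "$root/var/log/messages" 2>/dev/null \
        && echo "kernel-disabled-at-boot"
    has_label "$root/etc" && echo "labels-on-disk"
    return 0
}

# Constructed sample tree: SELinux disabled in config and kernel log, with a
# /.autorelabel flag left behind (an assumed state, not confirmed in the thread).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/selinux" "$t/var/log"
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$t/etc/selinux/config"
    echo 'Jan 29 07:43:31 pws-01 kernel: SELinux: Disabled at boot.' > "$t/var/log/messages"
    : > "$t/.autorelabel"
    echo "$t"
}

if [ $# -gt 0 ]; then
    relabel_findings "$1"
else
    sample=$(make_sample_tree) && relabel_findings "$sample" && rm -rf "$sample"
fi
```

Run it from the kickstart %post section or against a mounted image to compare the state before and after the first reboot.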