Hi,

Can I get some comments here? I'm starting to do some tests with 2021.08 and I find unlabeled stuff like the following ones:

[ 10.534555] SELinux: Context Default is not valid (left unmapped).
[ 10.562318] audit: type=1400 audit(1632913977.130:4): avc: denied { read } for pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.579085] audit: type=1400 audit(1632913977.146:5): avc: denied { open } for pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Def"
[ 10.594226] audit: type=1400 audit(1632913977.146:6): avc: denied { getattr } for pid=108 comm="auditd" path="/var/log/audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon=""
[ 10.610371] audit: type=1400 audit(1632913977.146:7): avc: denied { search } for pid=108 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.629470] audit: type=1400 audit(1632913977.197:8): avc: denied { setattr } for pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.646993] audit: type=1400 audit(1632913977.214:9): avc: denied { write } for pid=109 comm="auditd" name="audit" dev="vda" ino=16387 scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.662781] audit: type=1400 audit(1632913977.214:10): avc: denied { add_name } for pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 trawcon="Default"
[ 10.677266] audit: type=1400 audit(1632913977.214:11): avc: denied { create } for pid=109 comm="auditd" name="audit.log" scontext=system_u:system_r:auditd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1

These make me think adding some way to handle the autorelabel mechanism is still needed.

Best regards.

José.

On Tue, Sep 7, 2021 at 3:58 PM José Pekkarinen wrote:
> This patch adds a system service to check whether the
> autorelabel via is requested or not, and produce the
> labeling of the system under the loaded final kernel,
> including automatically populated fs by the kernel.
>
> Signed-off-by: José Pekkarinen
> --- > .../policycoreutils/S00selinux-autorelabel | 49 +++++++++++++++++++ > package/policycoreutils/policycoreutils.mk | 5 ++ > 2 files changed, 54 insertions(+) > create mode 100644 package/policycoreutils/S00selinux-autorelabel > > diff --git a/package/policycoreutils/S00selinux-autorelabel > b/package/policycoreutils/S00selinux-autorelabel > new file mode 100644 > index 0000000000..7a47db891f > --- /dev/null > +++ b/package/policycoreutils/S00selinux-autorelabel
> @@ -0,0 +1,49 @@ > +#!/bin/sh > + > +DAEMON="Autorelabel check" > + > +start() { > + printf 'Starting %s: ' "$DAEMON" > + > + if [ -f /.autorelabel ]; then > + echo "Relabeling" > + echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is > required." > + echo "*** Relabeling could take a very long time, depending on > file" > + echo "*** system size and speed of hard drives." > + mount -a > + setfiles -m -r / > + > + # Remove label > + rm -f /.autorelabel || failed "Failed to remove the autorelabel > flag" > + > + # Reboot to activate relabeled file system > + echo "Automatic reboot in progress." > + reboot -f > + fi > + > + echo "OK" > + return 0 > +} > + > +stop() { > + printf 'Stopping %s: ' "$DAEMON" > + echo "OK" > + return 0 > +} > + > +restart() { > + stop > + sleep 1 > + start > +} > + > +case "$1" in > + start|stop|restart) > + "$1";; > + reload) > + # Restart, since there is no true "reload" feature. > + restart;; > + *) > + echo "Usage: $0 {start|stop|restart|reload}" > + exit 1 > +esac > diff --git a/package/policycoreutils/policycoreutils.mk > b/package/policycoreutils/policycoreutils.mk > index 5290c5b9f8..f698698059 100644 > --- a/package/policycoreutils/policycoreutils.mk > +++ b/package/policycoreutils/policycoreutils.mk > @@ -93,5 +93,10 @@ define HOST_POLICYCOREUTILS_INSTALL_CMDS > ) > endef > > +define POLICYCOREUTILS_INSTALL_INIT_SYSV > + $(INSTALL) -m 0755 -D > package/policycoreutils/S00selinux-autorelabel \ > + $(TARGET_DIR)/etc/init.d/S00selinux-autorelabel > +endef > + > $(eval $(generic-package)) > $(eval $(host-generic-package)) > -- > 2.25.1 > > -- José.
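
Review bot: in start() of S00selinux-autorelabel, `rm -f /.autorelabel || failed "Failed to remove the autorelabel flag"` calls `failed`, which this script never defines, so when the removal fails (for example on a read-only rootfs) the shell only reports an unknown command and execution continues to `reboot -f` with the flag still in place, and the next boot relabels and reboots again. Define the helper, or print the error and `return 1` before the reboot. Two related points in the same function: `setfiles -m -r /` passes neither a file_contexts spec file nor a pathname, both of which setfiles expects, and its exit status is not checked before the flag is removed; and `${SELINUXTYPE}` is used in the warning but never assigned here, so the script should read it from /etc/selinux/config or drop it from the message.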
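
Review bot: the policycoreutils.mk hunk defines only POLICYCOREUTILS_INSTALL_INIT_SYSV, so a build using systemd or OpenRC as init gets no handling of /.autorelabel at all; either add the matching POLICYCOREUTILS_INSTALL_INIT_SYSTEMD / POLICYCOREUTILS_INSTALL_INIT_OPENRC hooks or state in the commit message that only sysv-style init is covered. The change also carries no documentation of who is expected to create /.autorelabel (a rootfs overlay, a post-build script, the user at runtime), and since the installed script ends in `reboot -f`, that belongs in the commit message or the package help text.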