selinux.vger.kernel.org archive mirror
* autorelabel loops in system executed 'semodule -d unconfined'
@ 2018-09-24 21:55 Shintaro Fujiwara
  2018-09-24 22:19 ` Shintaro Fujiwara
  0 siblings, 1 reply; 4+ messages in thread
From: Shintaro Fujiwara @ 2018-09-24 21:55 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 261 bytes --]

Hello, SELinux.

I was playing with my F28 latest with 'semodule -d unconfined'.
I executed this and relabeling starts even after finished relabeling
and looks like going into the loop.
# touch /.autorelabel
# shutdown -r now

I have attached a picture.

Thanks.

[-- Attachment #2: SELinu_relabel_fails_after_deleting_unconfiled_module.png --]
[-- Type: image/png, Size: 6335 bytes --]


* Re: autorelabel loops in system executed 'semodule -d unconfined'
  2018-09-24 21:55 autorelabel loops in system executed 'semodule -d unconfined' Shintaro Fujiwara
@ 2018-09-24 22:19 ` Shintaro Fujiwara
  2018-09-25 13:46   ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: Shintaro Fujiwara @ 2018-09-24 22:19 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 1420 bytes --]

Hi, SELinux.

I captured a picture saying this.

rm: cannot remove '/.autorelabel' : Permission denied

/.autorelabel could not be removed, so going into the loop, I guess.

How can I autorelabel properly even if I delete unconfined module?

Thanks.
On Tue, Sep 25, 2018 at 6:55, Shintaro Fujiwara <shintaro.fujiwara@gmail.com> wrote:
>
> Hello, SELinux.
>
> I was playing with my F28 latest with 'semodule -d unconfined'.
> I executed this and relabeling starts even after finished relabeling
> and looks like going into the loop.
> # touch /.autorelabel
> # shutdown -r now
>
> I have attached a picture.
>
> Thanks.



-- 
Help analyzing sar file
https://github.com/intrajp/sar-analyzer

LFS Scripts will make Linux From Scratch easy
https://github.com/intrajp/LFS-scripts-systemd

SHIRASAGI-hardening Project
https://github.com/intrajp/shirasagi-hardening

Linux Distribution Project
http://sourceforge.net/projects/pinkrabbitlinux/

Introducing hardrock and heavymetal
http://heavymetalhardrock.no-ip.info/

Open Source Software to manage SELinux at ease
http://sourceforge.net/projects/segatex/

Help SELinux administration
https://github.com/intrajp/segatex-ng

network-magic ( Useful tool for network-administrators )
https://github.com/intrajp/network-magic

CMS(with PHP & PostgreSQL)
http://sourceforge.net/projects/webon/
https://github.com/intrajp/irforum_jp

[-- Attachment #2: SELinu_relabel_fails_after_deleting_unconfiled_module_2.png --]
[-- Type: image/png, Size: 19292 bytes --]


* Re: autorelabel loops in system executed 'semodule -d unconfined'
  2018-09-24 22:19 ` Shintaro Fujiwara
@ 2018-09-25 13:46   ` Dominick Grift
  2018-09-26 11:05     ` Shintaro Fujiwara
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2018-09-25 13:46 UTC (permalink / raw)
  To: Shintaro Fujiwara; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 2143 bytes --]

On Tue, Sep 25, 2018 at 07:19:23AM +0900, Shintaro Fujiwara wrote:
> Hi, SELinux.
> 
> I captured a picture saying this.
> 
> rm: cannot remove '/.autorelabel' : Permission denied
> 
> /.autorelabel could not be removed, so going into the loop, I guess.
> 
> How can I autorelabel properly even if I delete unconfined module?

This may or may not be a policy issue (see avc denials), but:

Generally you want to do a full relabel in permissive mode.

> 
> Thanks.
> On Tue, Sep 25, 2018 at 6:55, Shintaro Fujiwara <shintaro.fujiwara@gmail.com> wrote:
> >
> > Hello, SELinux.
> >
> > I was playing with my F28 latest with 'semodule -d unconfined'.
> > I executed this and relabeling starts even after finished relabeling
> > and looks like going into the loop.
> > # touch /.autorelabel
> > # shutdown -r now
> >
> > I have attached a picture.
> >
> > Thanks.


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
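
An added example, not part of the thread: a shell filter that picks the AVC denials on `/.autorelabel` out of audit records, which is the check the reply above points to before falling back to a permissive-mode relabel. The audit lines and the `example_relabel_t` / `example_t` domains in them are constructed samples; on a live system the input would come from `ausearch -m avc -ts boot`.

```shell
#!/bin/sh
# Added example, not from the thread. The records below are constructed
# samples; example_relabel_t and example_t are placeholder domains.
SAMPLE_AUDIT='type=AVC msg=audit(1537826000.101:41): avc:  denied  { unlink } for  pid=612 comm="rm" name=".autorelabel" dev="dm-0" ino=131 scontext=system_u:system_r:example_relabel_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=0
type=AVC msg=audit(1537826000.350:42): avc:  denied  { read } for  pid=700 comm="cat" name="motd" dev="dm-0" ino=977 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1537829000.222:17): avc:  denied  { unlink } for  pid=598 comm="rm" name=".autorelabel" dev="dm-0" ino=131 scontext=system_u:system_r:example_relabel_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1'

# Read audit records on stdin; for every AVC denial whose target is named
# .autorelabel print: mode, denied permission(s), source and target context.
autorelabel_denials() {
    awk '{
        denied = 0; hit = 0; inb = 0
        perm = ""; s = ""; t = ""; mode = "enforced"
        for (i = 1; i <= NF; i++) {
            if ($i == "denied") denied = 1
            else if ($i == "{") inb = 1          # permission list opens
            else if ($i == "}") inb = 0          # permission list closes
            else if (inb) perm = (perm == "" ? $i : perm "," $i)
            else if ($i == "name=\".autorelabel\"" || $i == "name=.autorelabel") hit = 1
            else if ($i ~ /^scontext=/) s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i == "permissive=1") mode = "logged-only"
        }
        if (denied && hit) print mode, perm, s, t
    }'
}

# Succeed only if a denial was enforced (permissive=0): the rm really failed,
# so the flag file survives and triggers another relabel on the next boot.
relabel_blocked() {
    autorelabel_denials | grep -q "^enforced "
}

# Live use (as root): ausearch -m avc -ts boot | autorelabel_denials
printf '%s\n' "$SAMPLE_AUDIT" | autorelabel_denials
```

A `logged-only` line means the same access was recorded while the system was permissive, so the removal went through; only `enforced` lines correspond to the "Permission denied" seen on screen.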


* Re: autorelabel loops in system executed 'semodule -d unconfined'
  2018-09-25 13:46   ` Dominick Grift
@ 2018-09-26 11:05     ` Shintaro Fujiwara
  0 siblings, 0 replies; 4+ messages in thread
From: Shintaro Fujiwara @ 2018-09-26 11:05 UTC (permalink / raw)
  To: selinux

Hello, Dominick.

I could relabel the system in permissive mode.

Thank you.

On Tue, Sep 25, 2018 at 22:46, Dominick Grift <dac.override@gmail.com> wrote:
>
> On Tue, Sep 25, 2018 at 07:19:23AM +0900, Shintaro Fujiwara wrote:
> > Hi, SELinux.
> >
> > I captured a picture saying this.
> >
> > rm: cannot remove '/.autorelabel' : Permission denied
> >
> > /.autorelabel could not be removed, so going into the loop, I guess.
> >
> > How can I autorelabel properly even if I delete unconfined module?
>
> This may or may not be a policy issue (see avc denials), but:
>
> Generally you want to do a full relabel in permissive mode.
>
> >
> > Thanks.
> > On Tue, Sep 25, 2018 at 6:55, Shintaro Fujiwara <shintaro.fujiwara@gmail.com> wrote:
> > >
> > > Hello, SELinux.
> > >
> > > I was playing with my F28 latest with 'semodule -d unconfined'.
> > > I executed this and relabeling starts even after finished relabeling
> > > and looks like going into the loop.
> > > # touch /.autorelabel
> > > # shutdown -r now
> > >
> > > I have attached a picture.
> > >
> > > Thanks.
