How to force relabel on next boot on atomic desktop?

On atomic desktops, fixfiles -F onboot doesn’t work: it attempts to create /.autorelabel, but this fails since / is read-only. What’s the right way to do an SELinux relabel of the filesystem on atomic desktops?

As far as I know, using fixfiles and restorecon on a large scale is not recommended on Atomic Desktop systems. See Running restorecon.

Instead, what you should do is selectively restore the labels for a subset of directories and files with:

$ restorecon -RFv /path/to/directory /path/to/directory/file

You can hit the “e” key at the grub menu and append the word “autorelabel” to the command line, that is, the line with “quiet” and “rhgb”. Then press “ctrl-x” to continue booting.

Edit:

Just tested on kinoite and it didn’t work, but it worked on a regular system.

Maybe my info is outdated, but wasn’t it “autorelabel=1”?

That is possible. The code for this is found in /usr/lib/systemd/system-generators/selinux-autorelabel-generator.sh

if selinuxenabled; then
    if test -f /.autorelabel; then
        set_target
    elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
        set_target
    fi
fi

It seems both boot parameters (autorelabel and autorelabel=1) work;
in both cases “set_target” is set/executed.

Something learned!!!
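To make the generator's decision above concrete, here is an added example (not code from the original thread, and not the generator script itself) that reproduces its two checks against constructed kernel command lines. It shows why both “autorelabel” and “autorelabel=1” trigger a relabel: the regex `\bautorelabel\b` only requires word boundaries around the token, so a trailing `=1` still matches, while a token such as “noautorelabel” does not. The flag-file path, the sample command lines and the function name `wants_autorelabel` are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: emulate the decision logic of
# /usr/lib/systemd/system-generators/selinux-autorelabel-generator.sh
# against a constructed command line instead of the live /proc/cmdline.
#
# wants_autorelabel FLAGFILE CMDLINE
#   prints "relabel" when the generator would run set_target, otherwise "skip".
wants_autorelabel() {
    flagfile=$1
    cmdline=$2
    # First check: the /.autorelabel flag file (cannot be created on a
    # read-only / on atomic desktops, which is why the kernel parameter matters).
    if test -f "$flagfile"; then
        echo relabel
    # Second check: the same regex the generator applies to /proc/cmdline.
    # \b matches at a word boundary, so "autorelabel=1" matches too.
    elif printf '%s\n' "$cmdline" | grep -sqE '\bautorelabel\b'; then
        echo relabel
    else
        echo skip
    fi
}

# Constructed sample command line, shaped like a typical /proc/cmdline.
BASE="BOOT_IMAGE=/vmlinuz root=/dev/mapper/root rw rhgb quiet"

# A temporary file stands in for /.autorelabel in this example.
tmpflag=$(mktemp)
trap 'rm -f "$tmpflag"' EXIT

# Demonstration when run directly.
echo "flag file present:      $(wants_autorelabel "$tmpflag" "$BASE")"
echo "autorelabel:            $(wants_autorelabel /nonexistent "$BASE autorelabel")"
echo "autorelabel=1:          $(wants_autorelabel /nonexistent "$BASE autorelabel=1")"
echo "noautorelabel:          $(wants_autorelabel /nonexistent "$BASE noautorelabel")"
echo "no parameter:           $(wants_autorelabel /nonexistent "$BASE")"
```

Running it prints `relabel` for the flag file, for `autorelabel` and for `autorelabel=1`, and `skip` for the other two, matching what was observed in the thread for both spellings of the parameter.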

Tried again in kinoite, and I found that I needed to set selinux to permissive in /etc/selinux/config before the autorelabel worked.