[DSE-Dev] Bug#922448: policycoreutils: /etc/init.d/selinux-autorelabel should run "sulogin $CONSOLE" if / is read-only

Russell Coker russell at coker.com.au
Sat Feb 16 08:35:25 GMT 2019

Package: policycoreutils
Version: 2.8-1
Severity: normal
Tags: upstream

If /.autorelabel exists and the system can't mount the root filesystem rw then
it will enter a boot loop and never recover.  The only recovery from such a
situation is to boot with selinux=0 on the kernel command line, fix the problem
that made it mount root ro, and then boot normally.

Also there should probably be a noautorelabel kernel command-line option.

-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages policycoreutils depends on:
ii  libaudit1      1:2.8.4-2
ii  libc6          2.28-6
ii  libselinux1    2.8-1+b1
ii  libsemanage1   2.8-2
ii  libsepol1      2.8-1
ii  lsb-base       10.2018112800
ii  selinux-utils  2.8-1+b1

policycoreutils recommends no packages.

policycoreutils suggests no packages.

-- no debconf information
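
The following shell sketch is an added example, not part of the original report and not code from policycoreutils: it shows one way an autorelabel script could detect a read-only root and choose `sulogin` over a relabel-and-reboot cycle. The function names are hypothetical, `noautorelabel` is the option the report proposes rather than an existing one, and the file paths are parameters so the logic can be run against constructed input.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from policycoreutils.

# Succeeds if the last mount entry for "/" carries the "ro" option.
root_is_readonly() {
    mounts=${1:-/proc/mounts}
    # Fields: device mountpoint fstype options dump pass.
    # A later entry for "/" overrides an earlier one (e.g. rootfs, then the real root).
    opts=$(awk '$2 == "/" { o = $4 } END { print o }' "$mounts")
    case ",$opts," in
        *,ro,*) return 0 ;;   # exact option match, so errors=remount-ro does not count
        *)      return 1 ;;
    esac
}

# Succeeds if the kernel command line contains the exact word $1.
cmdline_has() {
    tr -s ' \t' '\n\n' < "${2:-/proc/cmdline}" | grep -qxF -- "$1"
}

# Prints the action to take: skip, sulogin or relabel.
autorelabel_action() {
    flag=${1:-/.autorelabel}
    mounts=${2:-/proc/mounts}
    cmdline=${3:-/proc/cmdline}
    if [ ! -e "$flag" ] || cmdline_has noautorelabel "$cmdline"; then
        # "noautorelabel" is the option proposed in the report (an assumption here).
        echo skip
    elif root_is_readonly "$mounts"; then
        # The flag file cannot be removed and file contexts cannot be written,
        # so a reboot would repeat the same attempt. Hand over to an admin.
        echo sulogin
    else
        echo relabel
    fi
}

# Possible use in a boot script:
#   case $(autorelabel_action) in
#       sulogin) sulogin "$CONSOLE" ;;
#       relabel) : run the relabel, remove the flag file, reboot ;;
#   esac
```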
