On Apr 30, 2014, at 2:01 AM, Russell Coker <russell@xxxxxxxxxxxx> wrote:

> On Sat, 12 Apr 2014 10:15:25 Chris Murphy wrote:
>>> I'm already aware that SELinux's automatic labelling of files is not
>>> aware of subvolumes[*].
>>>
>>> [*] https://wiki.debian.org/SELinux/Setup#btrfs
>>
>> I'm not sure exactly what it means, since there is always a subvolume (ID 5),
>> and I don't understand why autorelabel behavior would differ from manually
>> running fixfiles or restorecon.
>
> When you initially set up SE Linux on Debian you run the command
> "selinux-activate", which configures GRUB and creates a 0-byte file named
> /.autorelabel .
>
> On boot, if /.autorelabel is detected (as it will be on a first install of
> SE Linux, or any time you have a serious labelling problem you want to fix),
> a script will run that labels all files and reboots the system (to make
> daemons run with the correct context). The script in question is not aware
> of subvolumes, so if you have writable subvolumes they won't be labelled.

That has not been my experience. I changed /boot files to have the wrong SELinux labels, set .autorelabel, rebooted, and those files were fixed despite /boot being a mount point for a btrfs subvolume named boot, located at the top level of the file system and mounted with an fstab entry using the subvol=boot option.

I can see how unmounted subvolumes won't be visible to any scripts or even to restorecon, so maybe that's what's being referred to?

Chris Murphy

--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
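A quick way to check the point Chris raises at the end of the thread (a relabel pass, whether from /.autorelabel, fixfiles or restorecon, can only walk subvolumes that are actually mounted somewhere) is to compare the subvolumes btrfs knows about with the ones present in /proc/mounts. The script below is an added example written for this page; it is not code from the thread, from Debian's selinux-activate, or from the btrfs tools. It assumes the output layout of `btrfs subvolume list` (one line per subvolume ending in `path <relative-path>`) and the /proc/mounts format (mount options in field 4, with `subvol=/<path>` relative to the top-level subvolume ID 5). The sample subvolume list and mount table embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list message.
# Report which btrfs subvolumes are mounted (and so reachable by a
# relabel run) and which are not (and so will keep stale SELinux labels).

# Constructed sample of `btrfs subvolume list /` output (assumed layout).
SUBVOL_LIST='ID 256 gen 100 top level 5 path root
ID 257 gen 100 top level 5 path boot
ID 258 gen 100 top level 5 path home
ID 259 gen 100 top level 5 path snapshots/root-2014-04-29'

# Constructed sample of /proc/mounts: three btrfs subvolume mounts plus
# an unrelated vfat mount that must be ignored.
MOUNTS='/dev/sda2 / btrfs rw,relatime,subvolid=256,subvol=/root 0 0
/dev/sda2 /boot btrfs rw,relatime,subvolid=257,subvol=/boot 0 0
/dev/sda2 /home btrfs rw,relatime,subvolid=258,subvol=/home 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0'

# mounted_subvols MOUNTS_TEXT
# Prints "<subvol-path> <mountpoint>" for every btrfs mount whose options
# carry subvol=; the leading "/" is dropped so the path matches the
# relative form used by `btrfs subvolume list`.
mounted_subvols() {
    printf '%s\n' "$1" | awk '$3 == "btrfs" {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^subvol=/) {
                sub(/^subvol=\/?/, "", opts[i])
                print opts[i], $2
            }
    }'
}

# unmounted_subvols SUBVOL_LIST_TEXT MOUNTS_TEXT
# Prints the path of every subvolume that has no mount point, i.e. the
# ones a relabel (restorecon / fixfiles / .autorelabel) cannot reach.
# Assumes subvolume paths contain no whitespace.
unmounted_subvols() {
    mounted=$(mounted_subvols "$2" | awk '{ printf "%s ", $1 }')
    printf '%s\n' "$1" | awk -v m="$mounted" '
        BEGIN { n = split(m, a); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        /^ID / { if (!($NF in seen)) print $NF }'
}

# Stand-alone run against the constructed data.
echo "Mounted subvolumes (relabel will walk these):"
mounted_subvols "$MOUNTS"
echo "Unmounted subvolumes (relabel will NOT walk these):"
unmounted_subvols "$SUBVOL_LIST" "$MOUNTS"
```

On a real system replace the constructed strings with `unmounted_subvols "$(btrfs subvolume list /)" "$(cat /proc/mounts)"` (as root). Anything it prints, typically snapshots or spare subvolumes that are only mounted on demand, will not be touched by a boot-time relabel; mount it and run `restorecon -R` on the mount point, or label it before mounting it somewhere that confined daemons will read from it.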
