In RHEL, after we do an `rd.break`, and all the procedure, and do a `touch /.autorelabel`, what does the `/.autorelabel` do?

Have you done any research to try to answer your question? – jsotola Apr 01 '19 at 03:21
1 Answer
The `rd.break` parameter interrupts the boot process before the control is passed over to the kernel. At this point, when you run the `passwd` command to do the password reset, the associated shadow file (`/etc/shadow`) is modified with an incorrect SELinux context.

The `touch /.autorelabel` command creates a hidden file named `.autorelabel` under the root directory. On the next boot, the SELinux subsystem will detect this file, and then relabel all of the files on that system with the correct SELinux contexts. On large disks, this process can take a good amount of time.

An alternative to the complete relabeling approach is also mentioned in the documentation. First, use the parameters `rd.break enforcing=0` when editing the GRUB entry. This will result in the system eventually booting with SELinux set to permissive mode (warn, but do not block). Then, proceed to change the password in the same manner as before. Continue the boot process and allow the system to come up. Once it comes up, run `restorecon /etc/shadow` to restore the correct SELinux context to the `/etc/shadow` file. Then, run `setenforce 1` to re-enable SELinux and start using the system.

`rd.break` is a Dracut kernel command line option - drop to shell at the end. `rd` refers to "ramdisk" – fpmurphy Jan 22 '21 at 17:27
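A post-boot check for the alternative procedure in the answer above, as an added example that is not part of the original answer or of any Red Hat tooling: it relabels `/etc/shadow` only if its SELinux type differs from the policy default and returns to enforcing mode only once the label is confirmed. The function names and the sample contexts are constructed for illustration, and `unlabeled_t` as the mislabeled type is an assumption; the live path assumes GNU `stat`, `matchpathcon`, `restorecon` and `setenforce` are installed and is run as root with `--apply`.

```shell
#!/bin/sh
# Added example: post-boot check for the "rd.break enforcing=0" password reset.
# Only the SELinux *type* is compared, because restorecon without -F changes
# only the type portion of an existing context.

# Extract the type (3rd field) from "user:role:type:level".
# -s makes cut print nothing when the input has no ':' (e.g. "?").
selinux_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Print "ok" if the current type matches the expected type, else "relabel".
shadow_action() {
    cur=$(selinux_type "$1")
    exp=$(selinux_type "$2")
    if [ -n "$cur" ] && [ "$cur" = "$exp" ]; then
        echo ok
    else
        echo relabel
    fi
}

# Live path: run as root on the rebooted (permissive) system.
fix_shadow() {
    f=/etc/shadow
    current=$(stat -c %C "$f") || return 1        # context on disk
    expected=$(matchpathcon -n "$f") || return 1  # policy default
    if [ "$(shadow_action "$current" "$expected")" = relabel ]; then
        echo "relabeling $f: $current -> $expected"
        restorecon -v "$f" || return 1
    fi
    # Return to enforcing only once the label is confirmed correct.
    current=$(stat -c %C "$f") || return 1
    [ "$(shadow_action "$current" "$expected")" = ok ] || return 1
    setenforce 1
}

# Constructed sample contexts (not captured from a real system).
SAMPLE_BAD='system_u:object_r:unlabeled_t:s0'
SAMPLE_GOOD='system_u:object_r:shadow_t:s0'

if [ "${1:-}" = "--apply" ]; then
    fix_shadow
else
    echo "sample check: $(shadow_action "$SAMPLE_BAD" "$SAMPLE_GOOD")"
fi
```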