
WIP: Refactor SELinux support and enable SELinux in permissive mode in the rescue system

Open pcahyna opened this issue 1 month ago • 6 comments

Pull Request Details:
  • Type: Bug Fix / Cleanup

  • Impact: High

  • Reference to related issue (URL):

  • How was this pull request tested?

  • Description of the changes in this pull request: Refactor SELinux support to make various aspects independent and replace file-based communication between scripts by use of global variables. Also fix a bug where SELinux was enabled in enforcing mode in the rescue system, which did not work. SELinux in the rescue system is now always enabled in permissive mode (enforcing=0) when SELinux is in use on the original system.

SELinux support has multiple aspects:

  1. detecting whether SELinux is in use
  2. enabling SELinux in the rescue system
  3. adding SELinux utilities to the rescue system
  4. switching off SELinux during backup (BACKUP_SELINUX_DISABLE)
  5. detecting whether the backup program (tar, rsync) supports saving and restoring SELinux file labels
  6. forcing autorelabel after recovery

All SELinux support used to be controlled by item 4. - BACKUP_SELINUX_DISABLE - make it independent. The decision whether to disable SELinux during backup is really not related to any other aspects of SELinux handling, and I believe it is misguided and would like to remove it anyway in a follow-up. 2. (enabling SELinux in the rescue system) and 3. (adding SELinux utilities to the rescue system) now depend purely on 1. Item 5. (SELinux save/restore by the backup program) is independent, as the tools are able to back up and restore SELinux labels just fine even if SELinux is not enabled (I tested this).

The decision of 6. (forcing autorelabel after recovery) now depends on the outcome of 5. (whether labels are backed up and restored). To preserve compatibility for now, autorelabel is still enforced by a separate script when BACKUP_SELINUX_DISABLE is set (the default) - see issue #1957. I plan to change this aspect in the future.

Introduce a new variable BACKUP_PROG_SELINUX that allows the user to indicate whether the NETFS backup program (if neither tar nor rsync) supports SELinux label backup and restore, as for custom backup programs we have no way to detect this.

For this PR, I am experimenting with code generation by Claude Code, which also wrote most of the commit messages (therefore they are quite verbose and don't follow my usual style). The refactoring plan was created by me and I supervised the tool and reviewed the results in detail.

pcahyna, Nov 12 '25 09:11
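
The dependency chain described in the pull request above, as an added shell sketch that is not ReaR's code and not part of the pull request. The function names, probing the help text for `--selinux` and `--xattrs`, treating `1` as "set", and triggering autorelabel when labels are not saved are all assumptions made for illustration.

```shell
# Added sketch of the dependency chain in the PR description; NOT ReaR's code.
# Function names, the probing method and "1 means set" are assumptions.

# Aspect 1: SELinux is in use when selinuxfs is mounted and exposes "enforce".
selinux_in_use() {            # $1 = selinuxfs mount point (optional)
    [ -e "${1:-/sys/fs/selinux}/enforce" ]
}

# Aspect 5: can the backup program save and restore file labels?
# Deliberately independent of aspect 1 and of BACKUP_SELINUX_DISABLE.
backup_saves_labels() {       # $1 = program name, $2 = its --help text
    case "$1" in
        tar)   printf '%s\n' "$2" | grep -q -e '--selinux' ;;
        rsync) printf '%s\n' "$2" | grep -q -e '--xattrs' ;;
        # A custom program cannot be probed, so the user declares it.
        *)     [ "${BACKUP_PROG_SELINUX:-}" = 1 ] ;;
    esac
}

# Aspect 2 follows only from aspect 1: permissive in the rescue system,
# never enforcing, and nothing at all when SELinux is not in use.
rescue_kernel_args() {        # $1 = selinuxfs mount point (optional)
    if selinux_in_use "$1"; then echo "enforcing=0"; fi
}

# Aspect 6 follows from aspect 5, plus the compatibility path that keeps
# forcing autorelabel while BACKUP_SELINUX_DISABLE is set.
needs_autorelabel() {         # $1 = program name, $2 = its --help text
    [ "${BACKUP_SELINUX_DISABLE:-}" = 1 ] && return 0
    ! backup_saves_labels "$1" "$2"
}
```

When reviewing a recovered system, the same inputs tell you whether to expect a relabel pass on first boot or labels restored directly from the archive.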