Comment # 10 on bug 1229732 from Fabian Vogt
(In reply to Thorsten Kukuk from comment #3)
> There is one scenario where only parts of the system get relabeled:
> systemctl soft-reboot at least on MicroOS, haven't tested Tumbleweed yet.
> 
> Problem on MicroOS:
> - initrd does not get executed, so no relabel of root filesystem
> - subvolumes get relabeled and remove the relabel trigger
> 
> zypp-boot-plugin will report a required hard reboot if selinux-policy gets
> updated in the future, but that's not very robust, admins can still call
> "systemctl soft-reboot" themselves.

Which is IMO a bigger problem. If "systemctl soft-reboot" unconditionally
soft-reboots into the next/default snapshot, it will break in even more cases
like kernel updates (modules no longer match) or any of the packages in the
exclusion list. We need a general solution here, not just for SELinux
autorelabelling.

