Understanding the SELinux .autorelabel File: Purpose and Implementation in CentOS 6



The .autorelabel file serves as a flag for SELinux (Security-Enhanced Linux) to trigger a full filesystem relabel during the next system boot. This is particularly relevant in CentOS 6 and other RHEL-based distributions where SELinux is enabled by default.

Common scenarios for .autorelabel creation include:

# After disabling SELinux enforcement temporarily
touch /.autorelabel

# During package installations that modify critical system files
yum install policycoreutils-restorecond

On CentOS 6, the boot process checks for this file in /etc/rc.sysinit, which contains:

if [ -f /.autorelabel ]; then
    /sbin/fixfiles -F -f relabel
    rm -f /.autorelabel
fi

Manual creation for filesystem repair:

# Create the trigger file
sudo touch /.autorelabel

# Verify creation
ls -laZ /.autorelabel
# -rw-r--r--. root root system_u:object_r:etc_t:s0 /.autorelabel

1. Boot time impact: relabeling a large filesystem can significantly increase boot time.
2. Alternative for specific paths: use restorecon -Rv /path instead of a full relabel.
3. For debugging: check /var/log/messages for relabeling progress.

After creating .autorelabel, monitor the process with:

# Check SELinux status
sestatus

# View boot logs
dmesg | grep -i selinux

In SELinux-enabled systems like CentOS 6, every file and process has a security context label that defines its access permissions. These labels follow the format:

user:role:type:level
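
The format above has one parsing pitfall: the level field can contain colons of its own. The following is an added example, not part of the original article, that splits contexts from `ls -Z` output and lists files with no usable label; the function names and sample listing are constructed, and treating file_t and unlabeled_t as "no usable label" is this example's assumption.

```shell
#!/bin/sh
# Added example: constructed data, hypothetical function names.

# Print one field of an SELinux context (user:role:type:level).
# Only the first three colons are separators: an MCS/MLS level such as
# s0:c123,c456 contains colons of its own and must stay in one piece.
ctx_field() {   # usage: ctx_field <context> <user|role|type|level>
    c_user=${1%%:*}; c_rest=${1#*:}
    c_role=${c_rest%%:*}; c_rest=${c_rest#*:}
    c_type=${c_rest%%:*}
    case $c_rest in
        *:*) c_level=${c_rest#*:} ;;
        *)   c_level= ;;          # policy without a level field
    esac
    case $2 in
        user)  printf '%s\n' "$c_user" ;;
        role)  printf '%s\n' "$c_role" ;;
        type)  printf '%s\n' "$c_type" ;;
        level) printf '%s\n' "$c_level" ;;
        *)     return 2 ;;
    esac
}

# Read `ls -Z` lines (layout as in the listing above: mode owner group
# context path) and print the paths whose type is file_t or unlabeled_t.
# Assumption of this example: those two types mean "no usable label".
unlabeled_paths() {
    while read -r _mode _owner _group ctx path; do
        [ -n "$path" ] || continue          # skip blank or short lines
        case $(ctx_field "$ctx" type) in
            file_t|unlabeled_t) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample listing, not taken from a real host.
sample_listing() {
    cat <<'EOF'
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/hosts
-rw-r--r--. root root system_u:object_r:file_t:s0 /srv/restored/index.html
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c123,c456 /var/lib/libvirt/images/vm1.img
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 /srv/restored/my data
EOF
}

sample_listing | unlabeled_paths
```

When every flagged path sits under one directory, as in this sample, restorecon -Rv on that directory is the narrower fix than a full relabel.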

The presence of the /.autorelabel file signals the system to perform a full filesystem relabel during the next reboot. This typically occurs in several scenarios:

  • After SELinux policy changes that require new labeling rules
  • When moving files between different SELinux systems
  • Following system upgrades that modify default contexts

During boot, the init system checks for /.autorelabel and executes:

/sbin/fixfiles -F restore
/sbin/restorecon -R /

The system will automatically remove the file after successful completion. If you need to trigger this manually:

touch /.autorelabel
reboot

If the relabel process gets stuck, start with these checks:

# Check SELinux status
sestatus

# View audit logs
ausearch -m AVC,USER_AVC -ts recent

# Verify filesystem contexts
matchpathcon -V /path/to/check

When working with /.autorelabel:

  • Always maintain backups before triggering a full relabel
  • Monitor disk space as the process creates temporary files
  • For large filesystems, consider using parallel labeling: fixfiles -F -o -D restore