I noticed every one of my systems has a /.autorelabel file on it.
SELinux is disabled on all of them, so I don't see a need for the file system to spend time relabeling everything on every reboot.
Can that file be removed without any negative effects?
EDIT - I tried removing the file on one system and rebooting to see if it caused any adverse effects. Looks like the file was recreated all over again.
The reason I was asking was that this security checklist we're supposed to follow wanted us to change the mode from the default of 644 to 740, which didn't seem to make sense.
Is the .autorelabel file required in CentOS 7?
Re: Is the .autorelabel file required in CentOS 7?
Somehow "concerned about security, but happy without SELinux" sounds a bit contradictory.
The file is empty. On bootup some early service checks for its presence and if the file is there, then runs relabel (if SELinux is enabled).
The creation of that file might be by another oneshot service that runs when you boot SELinux disabled (with the assumption that the next boot has SELinux on again).
There is nothing to read in an empty file and "others" can see its existence due to permissions of the '/', so 644 and 740 seem equally ok.
That brings us back to that checklist; every item should have a rationale that is documented somewhere.
Re: Is the .autorelabel file required in CentOS 7?
It's these two that look:
Code:
[root@centos7 ~]# sc cat rhel-autorelabel-mark
# /usr/lib/systemd/system/rhel-autorelabel-mark.service
[Unit]
Description=Mark the need to relabel after reboot
DefaultDependencies=no
Requires=local-fs.target
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target
ConditionSecurity=!selinux
ConditionPathIsDirectory=/etc/selinux
ConditionPathExists=!/.autorelabel
[Service]
ExecStart=-/usr/bin/touch /.autorelabel
Type=oneshot
RemainAfterExit=yes
[Install]
WantedBy=sysinit.target
[root@centos7 ~]# sc cat rhel-autorelabel.service
# /usr/lib/systemd/system/rhel-autorelabel.service
[Unit]
Description=Relabel all filesystems, if necessary
DefaultDependencies=no
Requires=local-fs.target
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target
ConditionSecurity=selinux
ConditionKernelCommandLine=|autorelabel
ConditionPathExists=|/.autorelabel
[Service]
ExecStart=/usr/lib/systemd/rhel-autorelabel
Type=oneshot
TimeoutSec=0
RemainAfterExit=yes
StandardOutput=journal+console
[Install]
WantedBy=sysinit.target
[root@centos7 ~]#
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke
Re: Is the .autorelabel file required in CentOS 7?
One could thus override the rhel-autorelabel-mark.service to also chmod the created file in order to tick a box in "security".
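
The Condition lines of the two units quoted above, modelled as a shell function (an added example, not part of the original thread and not the distribution's own code). The function name `autorelabel_plan`, its arguments and the scratch directory are assumptions made for this sketch; it shows why the file reappears on a system with SELinux disabled and why no relabel runs there.

```shell
#!/bin/sh
# Added example: models the Condition* lines of rhel-autorelabel-mark.service
# and rhel-autorelabel.service as quoted in the thread.
#   $1 root     directory standing in for "/" (a scratch tree is fine)
#   $2 selinux  "on" if this boot has SELinux enabled, anything else = disabled
#   $3 cmdline  kernel command line
# Prints which action the boot would take: mark, relabel or none.
autorelabel_plan() {
    root=$1; selinux=$2; cmdline=$3

    if [ "$selinux" != on ]; then
        # mark unit: ConditionSecurity=!selinux, and both path conditions must hold:
        #   ConditionPathIsDirectory=/etc/selinux
        #   ConditionPathExists=!/.autorelabel
        if [ -d "$root/etc/selinux" ] && [ ! -e "$root/.autorelabel" ]; then
            echo mark      # ExecStart touches /.autorelabel again
            return 0
        fi
    else
        # relabel unit: ConditionSecurity=selinux, plus at least one of the
        # "|"-prefixed (triggering) conditions.
        trigger=no
        case " $cmdline " in
            *" autorelabel "*|*" autorelabel="*) trigger=yes ;;
        esac
        if [ -e "$root/.autorelabel" ]; then trigger=yes; fi
        if [ "$trigger" = yes ]; then
            echo relabel
            return 0
        fi
    fi
    echo none
}

# Constructed scratch tree reproducing the situation in the first post:
# SELinux disabled, /etc/selinux present, flag file deleted by the admin.
demo=$(mktemp -d)
mkdir -p "$demo/etc/selinux"
echo "SELinux off, flag removed: $(autorelabel_plan "$demo" off "ro quiet")"
: > "$demo/.autorelabel"
echo "SELinux off, flag present: $(autorelabel_plan "$demo" off "ro quiet")"
echo "SELinux on,  flag present: $(autorelabel_plan "$demo" on "ro quiet")"
rm -rf "$demo"
```

Because of `ConditionPathExists=!/.autorelabel`, the mark unit, and anything added to it through an override, is skipped entirely on boots where the file already exists.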