the description of the --selinux-relabel option suggests that it perform an immediate relabel, when in fact it may (and probably will) instead simply touch /.autorelabel on the image, which schedules a relabel operation for the next time the image boots. This can be surprising because it results both in an extended initial boot time *and* results in an automatic reboot (on some distributions). --- generator/customize.ml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/generator/customize.ml b/generator/customize.ml index 36d185c..b146325 100644 --- a/generator/customize.ml +++ b/generator/customize.ml @@ -522,6 +522,9 @@ C</etc/pam.d/common-password> (Debian, Ubuntu)."; flag_shortdesc = "Relabel files with correct SELinux labels"; flag_pod_longdesc = "\ Relabel files in the guest so that they have the correct SELinux label. +This will attempt to relabel files immediately, but if the operation fails +this will instead touch C</.autorelabel> on the image to schedule a +relabel operation for the next time the image boots. You should only use this option for guests which support SELinux."; };