centos7

I have problem restoring SELinux on a server and would like some insight.

On our server, I recently changed SELinux from enforcing to permissive, and because it did not solve our problem which was an odd one (unexpected permissions denied), I even set it to disabled... Anyway, SELinux wasn't the problem. We figured it out and it is now solved ... but SELinux is now disabled!

Now I want to restore it. So I was simply changing it to enforcing again and I was expecting the system to detect automatically it needs to relabel (so no needs to touch /.autorelabel) on next boot, that-worked-in-the-past(tm). Sadly it got stuck during boot and after 10 minutes we went back to disabled to restore services. The documentation states it can take a long long time, so I've scheduled the reboot over the weekend. Well after the weekend it was still stuck in boot.

Strangely the server's HDDs do not show any disk activity.

When I do the above on a VM, it boots to the same point and then prints a message that SELinux relabeling needs to be performed and does it. On the server we do not see that message.

The server has some CIFS mounts, would that be the reason that SELinux tries to relabel the CIFS filesystems? That could explain the longer time and the no disk activities, but that do not explain the absence of messages on the console.

Note: There is a RHEL knowledge base article which recommends going from disabled to enforcing via permissive first. And with each reboot, forcing the relabeling by touching /.autorelabel. That's going to be my next try on the weekend. But any insight to what's going on is welcome.

I have now done further testing. All of the following boot mode failed:

Only booting with selinux=0 is working. When I mean failed, it means there is no error messages on the console while booting nor a message about SELinux relabeling, the system hangs for many hours, no disk activity is visible.

I have now commented out all cifs volumes from my /etc/fstab and rebooted in permissive with autorelabeling. The boot took about 20min but I could see it was doing something (it printed on the console that relabeling was started, showed that FS like sysfs are read-only and be ignored, disk activity was visible, etc.). So SELinux is now enabled in permissive mode. I will now try enforcing mode this weekend.

Obviously it seems that those CIFS mounts were the problem, but I do not understand why. To me it was my understanding that CIFS mounts would be ignored by relabeling, just like sysfs. Have I misunderstood something here?