* How do you relabel all SELinux file contexts of an offline system's file system?
@ 2015-08-04 22:33 Bond Masuda
  2015-08-05  6:54 ` Jason Zaman
  0 siblings, 1 reply; 10+ messages in thread
From: Bond Masuda @ 2015-08-04 22:33 UTC (permalink / raw)
  To: selinux

Hello,

Normally, if I need to ensure that all the SELinux file contexts are
correct, I run:

restorecon -R -v /

However, in the current situation, I need to do that on a system that is
offline, where I have its root and entire file system mounted under
/mnt. I tried:

chroot /mnt /usr/sbin/restorecon -R -v /mnt

hoping it would have the same effect, but it does not appear to. When I
boot the offline system, it shows a lot of SELinux mislabelings.

Is there a way to fix SELinux file contexts of another system while it
is offline?

Thanks for any help...
-Bond


* Re: How do you relabel all SELinux file contexts of an offline system's file system?
  2015-08-04 22:33 How do you relabel all SELinux file contexts of an offline system's file system? Bond Masuda
@ 2015-08-05  6:54 ` Jason Zaman
  2015-08-05 12:37   ` Stephen Smalley
  2015-08-12  1:02   ` Bond Masuda
  0 siblings, 2 replies; 10+ messages in thread
From: Jason Zaman @ 2015-08-05  6:54 UTC (permalink / raw)
  To: Bond Masuda; +Cc: selinux

On Tue, Aug 04, 2015 at 03:33:05PM -0700, Bond Masuda wrote:
> Hello,
> 
> Normally, if I need to ensure that all the SELinux file contexts are
> correct, I run:
> 
> restorecon -R -v /
> 
> However, in the current situation, I need to do that on a system that is
> offline, where I have its root and entire file system mounted under
> /mnt. I tried:
> 
> chroot /mnt /usr/sbin/restorecon -R -v /mnt
> 
> hoping it would have the same effect, but it does not appear to. When I
> boot the offline system, it shows a lot of SELinux mislabelings.
> 
> Is there a way to fix SELinux file contexts of another system while it
> is offline?
> 
> Thanks for any help...
> -Bond

Look at setfiles, you want something like this:

setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/

from setfiles(8):
       -r rootpath
              use an alternate root path.

-- Jason


* Re: How do you relabel all SELinux file contexts of an offline system's file system?
  2015-08-05  6:54 ` Jason Zaman
@ 2015-08-05 12:37   ` Stephen Smalley
  2015-08-12  1:02   ` Bond Masuda
  1 sibling, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2015-08-05 12:37 UTC (permalink / raw)
  To: Jason Zaman, Bond Masuda; +Cc: selinux

On 08/05/2015 02:54 AM, Jason Zaman wrote:
> On Tue, Aug 04, 2015 at 03:33:05PM -0700, Bond Masuda wrote:
>> Hello,
>>
>> Normally, if I need to ensure that all the SELinux file contexts are
>> correct, I run:
>>
>> restorecon -R -v /
>>
>> However, in the current situation, I need to do that on a system that is
>> offline, where I have its root and entire file system mounted under
>> /mnt. I tried:
>>
>> chroot /mnt /usr/sbin/restorecon -R -v /mnt
>>
>> hoping it would have the same effect, but it does not appear to. When I
>> boot the offline system, it shows a lot of SELinux mislabelings.
>>
>> Is there a way to fix SELinux file contexts of another system while it
>> is offline?
>>
>> Thanks for any help...
>> -Bond
> 
> Look at setfiles, you want something like this:
> 
> setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/
> 
> from setfiles(8):
>        -r rootpath
>               use an alternate root path.

A couple of caveats:

- If using the -r option of setfiles rather than chroot'ing to the root
of the offline system, you want to specify the file_contexts file from
the policy of the offline system, not the file_contexts of the host on
which you are running, e.g. setfiles -r /mnt
/mnt/etc/selinux/targeted/contexts/files/file_contexts /mnt.

- Not all of the contexts defined by the offline system's file_contexts
may be valid under the policy of the host on which you are running (e.g.
if they run different distributions or even different releases of the
same distribution), which will normally prevent setting those contexts
(the kernel won't recognize them).  If you have this issue, you'll need
to run setfiles as root in a special domain, setfiles_mac_t, that is
allowed to set contexts unknown to the host policy, and likely chrooted
so that it doesn't ask the kernel whether the contexts are valid via
/sys/fs/selinux/context.  That is how livecd-creator supported creating
images for other releases.

It would help to know what kinds of "mislabelings" you are encountering
on the offline system when it is booted, e.g. what files were
mislabeled, what contexts were they supposed to have and what contexts
did they have, and were these cases where the host file_contexts
differed from the offline system file_contexts.


* Re: How do you relabel all SELinux file contexts of an offline system's file system?
  2015-08-05  6:54 ` Jason Zaman
  2015-08-05 12:37   ` Stephen Smalley
@ 2015-08-12  1:02   ` Bond Masuda
  2015-08-12  3:37     ` Bond Masuda
  1 sibling, 1 reply; 10+ messages in thread
From: Bond Masuda @ 2015-08-12  1:02 UTC (permalink / raw)
  To: selinux



On 08/04/2015 11:54 PM, Jason Zaman wrote:
> On Tue, Aug 04, 2015 at 03:33:05PM -0700, Bond Masuda wrote:
>> Hello,
>>
>> Normally, if I need to ensure that all the SELinux file contexts are
>> correct, I run:
>>
>> restorecon -R -v /
>>
>> However, in the current situation, I need to do that on a system that is
>> offline, where I have its root and entire file system mounted under
>> /mnt. I tried:
>>
>> chroot /mnt /usr/sbin/restorecon -R -v /mnt
>>
>> hoping it would have the same effect, but it does not appear to. When I
>> boot the offline system, it shows a lot of SELinux mislabelings.
>>
>> Is there a way to fix SELinux file contexts of another system while it
>> is offline?
>>
>> Thanks for any help...
>> -Bond
> Look at setfiles, you want something like this:
>
> setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/
>
> from setfiles(8):
>        -r rootpath
>               use an alternate root path.
>
> -- Jason

Thanks to your hint and the other replies, I was able to use setfiles to
solve most of the labeling issues. However, there are a few remaining
problems.

I also learned that setfiles doesn't seem to traverse distinct
filesystems, so I had to iterate through the list of filesystems mounted
under /mnt and iterate through each fcontext file. What remains after
all this are the following that remain mislabeled:

[root@localhost /]# restorecon -v -n -r /
restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
restorecon reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
restorecon reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
restorecon reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0

I looked through the fcontexts files, and sure enough, they are mislabeled:

[root@localhost files]# pwd
/etc/selinux/targeted/contexts/files
[root@localhost files]# grep -E "tzdata-update|/sbin/shutdown|/sbin/consoletype" *
file_contexts:/sbin/shutdown    --    system_u:object_r:shutdown_exec_t:s0
file_contexts:/sbin/consoletype    --    system_u:object_r:consoletype_exec_t:s0
file_contexts:/usr/sbin/shutdown    --    system_u:object_r:shutdown_exec_t:s0
file_contexts:/usr/sbin/tzdata-update    --    system_u:object_r:tzdata_exec_t:s0

The way I'm running setfiles is basically like this:

chroot /mnt/test /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /

But iterating through each filesystem under "/" (in the chroot /mnt/test).

Can anyone help me explain why the 5 file paths above remain mislabeled
after running setfiles?

Thanks,
-Bond


* Re: How do you relabel all SELinux file contexts of an offline system's file system?
  2015-08-12  1:02   ` Bond Masuda
@ 2015-08-12  3:37     ` Bond Masuda
  2015-08-12  8:46       ` Reply: " rowan
  2015-08-12  9:07       ` Bond Masuda
  0 siblings, 2 replies; 10+ messages in thread
From: Bond Masuda @ 2015-08-12  3:37 UTC (permalink / raw)
  To: selinux

So, further troubleshooting this myself, I found these errors from
'setfiles':

/sbin/setfiles reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
/sbin/setfiles set context /usr/sbin/tzdata-update->system_u:object_r:tzdata_exec_t:s0 failed:'Invalid argument'
/sbin/setfiles reset /sbin/pam_timestamp_check context system_u:object_r:pam_timestamp_exec_t:s0->system_u:object_r:pam_exec_t:s0
/sbin/setfiles reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
/sbin/setfiles set context /sbin/shutdown->system_u:object_r:shutdown_exec_t:s0 failed:'Invalid argument'
/sbin/setfiles reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
/sbin/setfiles set context /sbin/consoletype->system_u:object_r:consoletype_exec_t:s0 failed:'Invalid argument'

I'm guessing this is because the "host" system doesn't have these types
in its own policy? The "host" is a Fedora 21 system, while the system
mounted in /mnt/test is a CentOS6 system.

Grepping the "types" above that give "invalid argument" on the host's
file_context* files indeed comes up empty.

So, I'm guessing this is where I need to use runcon -t setfiles_mac_t to
run setfiles so it doesn't require the type to be one that is loaded in
the host's SELinux policy?

How do I use runcon? I tried:

# chroot /mnt/test /usr/bin/runcon -t setfiles_mac_t -- /sbin/setfiles -v -n -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /
/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel

Or, trying the -r option in setfiles:

# /usr/bin/runcon -t setfiles_mac_t -- /sbin/setfiles -v -n -F -e /proc -e /sys -e /dev -e /selinux -r /mnt/test /mnt/test/etc/selinux/targeted/contexts/files/file_contexts /mnt/test

/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 762 has invalid context system_u:object_r:hald_log_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 763 has invalid context system_u:object_r:hald_var_run_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 827 has invalid context system_u:object_r:hald_var_run_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 855 has invalid context system_u:object_r:hotplug_etc_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 856 has invalid context system_u:object_r:hotplug_var_run_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 880 has invalid context system_u:object_r:hald_var_lib_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 883 has invalid context system_u:object_r:l2tp_etc_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 915 has invalid context system_u:object_r:hald_log_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 1009 has invalid context system_u:object_r:hald_var_run_t:s0
Exiting after 10 errors.

Not sure I understand these errors?

Please help?
-Bond

On 08/11/2015 06:02 PM, Bond Masuda wrote:
>
> On 08/04/2015 11:54 PM, Jason Zaman wrote:
>> On Tue, Aug 04, 2015 at 03:33:05PM -0700, Bond Masuda wrote:
>>> Hello,
>>>
>>> Normally, if I need to ensure that all the SELinux file contexts are
>>> correct, I run:
>>>
>>> restorecon -R -v /
>>>
>>> However, in the current situation, I need to do that on a system that is
>>> offline, where I have its root and entire file system mounted under
>>> /mnt. I tried:
>>>
>>> chroot /mnt /usr/sbin/restorecon -R -v /mnt
>>>
>>> hoping it would have the same effect, but it does not appear to. When I
>>> boot the offline system, it shows a lot of SELinux mislabelings.
>>>
>>> Is there a way to fix SELinux file contexts of another system while it
>>> is offline?
>>>
>>> Thanks for any help...
>>> -Bond
>> Look at setfiles, you want something like this:
>>
>> setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/
>>
>> from setfiles(8):
>>        -r rootpath
>>               use an alternate root path.
>>
>> -- Jason
> Thanks to your hint and the other replies, I was able to use setfiles to
> solve most of the labeling issues. However, there are a few remaining
> problems.
>
> I also learned that setfiles doesn't seem to traverse distinct
> filesystems, so I had to iterate through the list of filesystems mounted
> under /mnt and iterate through each fcontext file. What remains after
> all this are the following that remain mislabeled:
>
> [root@localhost /]# restorecon -v -n -r /
> restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
> restorecon reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
> restorecon reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
> restorecon reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
> restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0
>
> I looked through the fcontexts files, and sure enough, they are mislabeled:
>
> [root@localhost files]# pwd
> /etc/selinux/targeted/contexts/files
> [root@localhost files]# grep -E "tzdata-update|/sbin/shutdown|/sbin/consoletype" *
> file_contexts:/sbin/shutdown    --    system_u:object_r:shutdown_exec_t:s0
> file_contexts:/sbin/consoletype    --    system_u:object_r:consoletype_exec_t:s0
> file_contexts:/usr/sbin/shutdown    --    system_u:object_r:shutdown_exec_t:s0
> file_contexts:/usr/sbin/tzdata-update    --    system_u:object_r:tzdata_exec_t:s0
>
> The way I'm running setfiles is basically like this:
>
> chroot /mnt/test /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /
>
> But iterating through each filesystem under "/" (in the chroot /mnt/test).
>
> Can anyone help me explain why the 5 file paths above remain mislabeled
> after running setfiles?
>
> Thanks,
> -Bond
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.


* Reply: How do you relabel all SELinux file contexts of an offline system's file system?
  2015-08-12  3:37     ` Bond Masuda
@ 2015-08-12  8:46       ` rowan
  2015-08-12  9:07       ` Bond Masuda
  1 sibling, 0 replies; 10+ messages in thread
From: rowan @ 2015-08-12  8:46 UTC (permalink / raw)
  To: 'Bond Masuda', selinux

Bond,
	In my opinion, file contexts must co-work with the SELinux policy
running on the host. So, we must figure out the purpose of "relabel file
contexts of an offline system's".
		First: The offline system is mounted on a host and works as a file
system that the host reads/writes.
		Second: The offline system will be booted up as an OS; we just
use the host to calculate the contexts. E.g. embedded.
	For the first:
		Just do as Stephen said, rather than 'chroot'.
		>> setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/
		>>
		>> from setfiles(8):
		>>        -r rootpath
		>>               use an alternate root path.
		arg
			the last '/mnt/' is where setfiles starts to work on
			'-r /mnt/' alternate means, when matching files in the
spec file [file_contexts], no need to match the '/mnt/' part, skip it.
	For the second:
		I'm not very sure how to do it. Maybe it needs three steps
		1, chroot
		2, reload the SELinux policy, the policy on the offline system.
		3, do setfiles.

		Maybe you can just boot from the offline system on the
host, and do an autorelabel.

Thanks
rowan

-----Original Message-----
From: Selinux [mailto:selinux-bounces@tycho.nsa.gov] On Behalf Of Bond Masuda
Sent: 12 August 2015 11:37
To: selinux@tycho.nsa.gov
Subject: Re: How do you relabel all SELinux file contexts of an offline
system's file system?

So, further troubleshooting this myself, I found these errors from
'setfiles':

/sbin/setfiles reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
/sbin/setfiles set context /usr/sbin/tzdata-update->system_u:object_r:tzdata_exec_t:s0 failed:'Invalid argument'
/sbin/setfiles reset /sbin/pam_timestamp_check context system_u:object_r:pam_timestamp_exec_t:s0->system_u:object_r:pam_exec_t:s0
/sbin/setfiles reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
/sbin/setfiles set context /sbin/shutdown->system_u:object_r:shutdown_exec_t:s0 failed:'Invalid argument'
/sbin/setfiles reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
/sbin/setfiles set context /sbin/consoletype->system_u:object_r:consoletype_exec_t:s0 failed:'Invalid argument'

I'm guessing this is because the "host" system doesn't have these types in
its own policy? The "host" is a Fedora 21 system, while the system mounted
in /mnt/test is a CentOS6 system.

Grepping the "types" above that give "invalid argument" on the host's
file_context* files indeed comes up empty.

So, I'm guessing this is where I need to use runcon -t setfiles_mac_t to run
setfiles so it doesn't require the type to be one that is loaded in the
host's SELinux policy?

How do I use runcon? I tried:

# chroot /mnt/test /usr/bin/runcon -t setfiles_mac_t -- /sbin/setfiles -v -n -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /
/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel

Or, trying the -r option in setfiles:

# /usr/bin/runcon -t setfiles_mac_t -- /sbin/setfiles -v -n -F -e /proc -e /sys -e /dev -e /selinux -r /mnt/test /mnt/test/etc/selinux/targeted/contexts/files/file_contexts /mnt/test

/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 762 has invalid context system_u:object_r:hald_log_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 763 has invalid context system_u:object_r:hald_var_run_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 827 has invalid context system_u:object_r:hald_var_run_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 855 has invalid context system_u:object_r:hotplug_etc_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 856 has invalid context system_u:object_r:hotplug_var_run_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 880 has invalid context system_u:object_r:hald_var_lib_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 883 has invalid context system_u:object_r:l2tp_etc_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 915 has invalid context system_u:object_r:hald_log_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 1009 has invalid context system_u:object_r:hald_var_run_t:s0
Exiting after 10 errors.

Not sure I understand these errors?

Please help?
-Bond

On 08/11/2015 06:02 PM, Bond Masuda wrote:
>
> On 08/04/2015 11:54 PM, Jason Zaman wrote:
>> On Tue, Aug 04, 2015 at 03:33:05PM -0700, Bond Masuda wrote:
>>> Hello,
>>>
>>> Normally, if I need to ensure that all the SELinux file contexts are 
>>> correct, I run:
>>>
>>> restorecon -R -v /
>>>
>>> However, in the current situation, I need to do that on a system 
>>> that is offline, where I have its root and entire file system 
>>> mounted under /mnt. I tried:
>>>
>>> chroot /mnt /usr/sbin/restorecon -R -v /mnt
>>>
>>> hoping it would have the same effect, but it does not appear to. 
>>> When I boot the offline system, it shows a lot of SELinux mislabelings.
>>>
>>> Is there a way to fix SELinux file contexts of another system while 
>>> it is offline?
>>>
>>> Thanks for any help...
>>> -Bond
>> Look at setfiles, you want something like this:
>>
>> setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/
>>
>> from setfiles(8):
>>        -r rootpath
>>               use an alternate root path.
>>
>> -- Jason
> Thanks to your hint and the other replies, I was able to use setfiles 
> to solve most of the labeling issues. However, there are a few 
> remaining problems.
>
> I also learned that setfiles doesn't seem to traverse distinct 
> filesystems, so I had to iterate through the list of filesystems 
> mounted under /mnt and iterate through each fcontext file. What 
> remains after all this are the following that remain mislabeled:
>
> [root@localhost /]# restorecon -v -n -r /
> restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
> restorecon reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
> restorecon reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
> restorecon reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
> restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0
>
> I looked through the fcontexts files, and sure enough, they are mislabeled:
>
> [root@localhost files]# pwd
> /etc/selinux/targeted/contexts/files
> [root@localhost files]# grep -E "tzdata-update|/sbin/shutdown|/sbin/consoletype" *
> file_contexts:/sbin/shutdown    --    system_u:object_r:shutdown_exec_t:s0
> file_contexts:/sbin/consoletype    --    system_u:object_r:consoletype_exec_t:s0
> file_contexts:/usr/sbin/shutdown    --    system_u:object_r:shutdown_exec_t:s0
> file_contexts:/usr/sbin/tzdata-update    --    system_u:object_r:tzdata_exec_t:s0
>
> The way I'm running setfiles is basically like this:
>
> chroot /mnt/test /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /
>
> But iterating through each filesystem under "/" (in the chroot /mnt/test).
>
> Can anyone help me explain why the 5 file paths above remain 
> mislabeled after running setfiles?
>
> Thanks,
> -Bond
>
>


* Re: How do you relabel all SELinux file contexts of an offline system's file system?
  2015-08-12  3:37     ` Bond Masuda
  2015-08-12  8:46       ` Reply: " rowan
@ 2015-08-12  9:07       ` Bond Masuda
  2015-08-13 13:23         ` Stephen Smalley
  1 sibling, 1 reply; 10+ messages in thread
From: Bond Masuda @ 2015-08-12  9:07 UTC (permalink / raw)
  To: selinux


On 08/11/2015 08:37 PM, Bond Masuda wrote:
> So, further troubleshooting this myself, I found these errors from
> 'setfiles':
>
> /sbin/setfiles reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
> /sbin/setfiles set context /usr/sbin/tzdata-update->system_u:object_r:tzdata_exec_t:s0 failed:'Invalid argument'
> /sbin/setfiles reset /sbin/pam_timestamp_check context system_u:object_r:pam_timestamp_exec_t:s0->system_u:object_r:pam_exec_t:s0
> /sbin/setfiles reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
> /sbin/setfiles set context /sbin/shutdown->system_u:object_r:shutdown_exec_t:s0 failed:'Invalid argument'
> /sbin/setfiles reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
> /sbin/setfiles set context /sbin/consoletype->system_u:object_r:consoletype_exec_t:s0 failed:'Invalid argument'
>
> I'm guessing this is because the "host" system doesn't have these types
> in its own policy? The "host" is a Fedora 21 system, while the system
> mounted in /mnt/test is a CentOS6 system.
>
> Grepping the "types" above that give "invalid argument" on the host's
> file_context* files indeed comes up empty.
>
> So, I'm guessing this is where I need to use runcon -t setfiles_mac_t to
> run setfiles so it doesn't require the type to be one that is loaded in
> the host's SELinux policy?
>
> How do I use runcon? I tried:
>

Ok, figured this one out mostly, I think. Thanks to manpage
setfiles_selinux, I first had to set setfiles_mac_t to permissive with:

semanage permissive -a setfiles_mac_t

Then, I ran the setfiles commands under runcon as:

runcon -t setfiles_mac_t -- chroot /mnt /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /

This fixes the previous "invalid argument" errors from setfiles. With
this process, there are still 2 labels that are wrong:

[root@localhost ~]# restorecon -v -n -r /
restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0

I think the /.autofsck is getting created during boot, and maybe just
inheriting from /. So, the question is why is / (root) still labeled as
mnt_t instead of root_t ? When the system is still mounted under
/mnt/test, /mnt/test (where / of the system is mounted) is correctly
labeled as root_t, but this seems to change once unmounted and i boot
the offline system?

Any insights?
-Bond


* Re: How do you relabel all SELinux file contexts of an offline system's file system?
  2015-08-12  9:07       ` Bond Masuda
@ 2015-08-13 13:23         ` Stephen Smalley
  2015-08-17 23:27           ` Bond Masuda
  0 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2015-08-13 13:23 UTC (permalink / raw)
  To: Bond Masuda, selinux

On 08/12/2015 05:07 AM, Bond Masuda wrote:
> 
> On 08/11/2015 08:37 PM, Bond Masuda wrote:
>> So, further troubleshooting this myself, I found these errors from
>> 'setfiles':
>>
>> /sbin/setfiles reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
>> /sbin/setfiles set context /usr/sbin/tzdata-update->system_u:object_r:tzdata_exec_t:s0 failed:'Invalid argument'
>> /sbin/setfiles reset /sbin/pam_timestamp_check context system_u:object_r:pam_timestamp_exec_t:s0->system_u:object_r:pam_exec_t:s0
>> /sbin/setfiles reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
>> /sbin/setfiles set context /sbin/shutdown->system_u:object_r:shutdown_exec_t:s0 failed:'Invalid argument'
>> /sbin/setfiles reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
>> /sbin/setfiles set context /sbin/consoletype->system_u:object_r:consoletype_exec_t:s0 failed:'Invalid argument'
>>
>> I'm guessing this is because the "host" system doesn't have these types
>> in its own policy? The "host" is a Fedora 21 system, while the system
>> mounted in /mnt/test is a CentOS6 system.
>>
>> Grepping the "types" above that give "invalid argument" on the host's
>> file_context* files indeed comes up empty.
>>
>> So, I'm guessing this is where I need to use runcon -t setfiles_mac_t to
>> run setfiles so it doesn't require the type to be one that is loaded in
>> the host's SELinux policy?
>>
>> How do I use runcon? I tried:
>>
> 
> Ok, figured this one out mostly, I think. Thanks to manpage
> setfiles_selinux, I first had to set setfiles_mac_t to permissive with:
> 
> semanage permissive -a setfiles_mac_t

That suggests that setfiles_mac_t policy needs to be augmented with
further allow rules; you can tell which ones based on ausearch -m AVC
-se setfiles_mac_t


> Then, I ran the setfiles commands under runcon as:
> 
> runcon -t setfiles_mac_t -- chroot /mnt /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /
> 
> This fixes the previous "invalid argument" errors from setfiles.

I think those errors reflect a bug/gap in setfiles.  Usually setfiles
validates and canonicalizes the contexts in file_contexts by writing
them to /sys/fs/selinux/context (a pseudo file) and reading back the
result.  This will fail if selinuxfs is mounted in your chroot and your
host policy doesn't define the context.  If selinuxfs is not mounted in
your chroot, then this will just create a regular file under
/sys/fs/selinux/context containing the context and read it back again,
so it will "pass".  I'm guessing that it was failing in enforcing mode
because it wasn't allowed to create files under /sys/fs/selinux in the
chroot.  I think we need a change to setfiles (e.g. a new option) to
fully disable this validation/canonicalization.

> With
> this process, there are still 2 labels that are wrong:
> 
> [root@localhost ~]# restorecon -v -n -r /
> restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
> restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0
> 
> I think the /.autofsck is getting created during boot, and maybe just
> inheriting from /. So, the question is why is / (root) still labeled as
> mnt_t instead of root_t ? When the system is still mounted under
> /mnt/test, /mnt/test (where / of the system is mounted) is correctly
> labeled as root_t, but this seems to change once unmounted and i boot
> the offline system?
> 
> Any insights?

No, that seems very strange.  How did you check the context of /mnt/root
before unmounting it?  Try checking it this way:
runcon -t setfiles_mac_t -- getfattr -n security.selinux /mnt/root

And likewise, once you unmount and reboot the offline system, try it as:
runcon -t setfiles_mac_t -- getfattr -n security.selinux /

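Pulling the thread's advice together (the offline system's own file_contexts passed with -r, one setfiles pass per mounted filesystem, a pre-check for types the host policy lacks, and the getfattr verification), here is an added example script; it is not code from any of the posters or from the SELinux userspace project. The skipped pseudo-filesystem list, the fallback to "targeted" when SELINUXTYPE is absent, and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the SELinux userspace project):
# relabel an offline root tree mounted under e.g. /mnt, following the
# advice in the replies. Assumptions: the offline tree is mounted
# read-write, its own /etc/selinux/config carries SELINUXTYPE, and the host
# provides setfiles(8) and getfattr(1). Run as root; if the offline policy
# uses types the host policy lacks, run it via runcon -t setfiles_mac_t.
set -eu

# Distinct SELinux types referenced by a file_contexts file. Lines look like
#   regex  [-type]  user:role:type:level      (or <<none>>)
fc_types() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $NF != "<<none>>" {
            n = split($NF, f, ":"); if (n >= 3) print f[3] }' "$1" | sort -u
}

# Types the offline file_contexts uses that the host file_contexts never
# mentions (the systematic form of the grep in the thread). Setting such a
# context from an ordinary domain fails with EINVAL because the host kernel
# does not recognise it; only setfiles_mac_t is allowed to set it anyway.
unknown_types() {
    host_list=$(mktemp); offline_list=$(mktemp)
    fc_types "$1" > "$host_list"
    fc_types "$2" > "$offline_list"
    comm -13 "$host_list" "$offline_list"
    rm -f "$host_list" "$offline_list"
}

# Policy store name (SELINUXTYPE=...) from a tree's /etc/selinux/config.
policy_type() {
    t=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "${1%/}/etc/selinux/config" | tail -n 1)
    printf '%s\n' "${t:-targeted}"    # assumption: default to "targeted"
}

# file_contexts of the OFFLINE system, never the host's (Stephen's first caveat).
offline_file_contexts() {
    printf '%s\n' "${1%/}/etc/selinux/$(policy_type "$1")/contexts/files/file_contexts"
}

# Mount points at or below ROOT, from /proc/mounts-format lines on stdin.
# setfiles stays within one filesystem, so each mount is relabeled on its
# own; pseudo filesystems hold nothing persistent and are skipped.
mounts_under() {
    root=${1%/}
    awk -v root="$root" '
        $3 ~ /^(proc|sysfs|devtmpfs|devpts|selinuxfs|securityfs|cgroup2?|tmpfs)$/ { next }
        $2 == root || index($2, root "/") == 1 { print $2 }' | sort
}

relabel_offline() {
    root=${1%/}
    fc=$(offline_file_contexts "$root")
    [ -r "$fc" ] || { echo "no file_contexts at $fc" >&2; return 1; }

    if [ -r /etc/selinux/config ]; then
        host_fc=/etc/selinux/$(policy_type /)/contexts/files/file_contexts
        missing=$(unknown_types "$host_fc" "$fc" | wc -l | tr -d ' ')
        [ "$missing" -eq 0 ] || echo "warning: $missing offline types unknown to" \
            "the host policy; run this script as setfiles_mac_t" >&2
    fi

    # Exclude the pseudo-filesystem mount points that exist in the tree.
    set --
    for d in proc sys dev selinux; do
        if [ -d "$root/$d" ]; then set -- "$@" -e "$root/$d"; fi
    done

    mounts_under "$root" < /proc/mounts | while read -r mnt; do
        # -r strips ROOT from each path before it is matched against the
        # offline file_contexts; -F resets even customizable types.
        setfiles -v -F -r "$root" "$@" "$fc" "$mnt"
    done

    # Read the stored label of the offline root straight from its xattr,
    # the check suggested in the thread.
    getfattr --absolute-names -n security.selinux "$root"
}

# Usage: OFFLINE_ROOT=/mnt sh relabel-offline.sh
if [ -n "${OFFLINE_ROOT:-}" ]; then
    relabel_offline "$OFFLINE_ROOT"
fi
```

When the script warns about unknown types, rerun it as `runcon -t setfiles_mac_t -- sh relabel-offline.sh` with OFFLINE_ROOT set, which is the domain switch the thread arrives at.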

* Re: How do you relabel all SELinux file contexts of an offline system's file system?
  2015-08-13 13:23         ` Stephen Smalley
@ 2015-08-17 23:27           ` Bond Masuda
  2015-08-18 12:43             ` Daniel J Walsh
  0 siblings, 1 reply; 10+ messages in thread
From: Bond Masuda @ 2015-08-17 23:27 UTC (permalink / raw)
  To: Stephen Smalley, selinux



On 08/13/2015 06:23 AM, Stephen Smalley wrote:
>>
>> Ok, figured this one out mostly, I think. Thanks to manpage
>> setfiles_selinux, I first had to set setfiles_mac_t to permissive with:
>>
>> semanage permissive -a setfiles_mac_t
> That suggests that setfiles_mac_t policy needs to be augmented with
> further allow rules; you can tell which ones based on ausearch -m AVC
> -se setfiles_mac_t
>
Ok, so on Fedora 21 (using
selinux-policy-targeted-3.13.1-105.20.fc21.noarch), it looks like I need
this:

# ausearch -m AVC -se setfiles_mac_t | audit2allow


#============= setfiles_mac_t ==============
allow setfiles_mac_t bin_t:file entrypoint;


>> Then, I ran the setfiles commands under runcon as:
>>
>> runcon -t setfiles_mac_t -- chroot /mnt /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /
>>
>> This fixes the previous "invalid argument" errors from setfiles.
> I think those errors reflect a bug/gap in setfiles.  Usually setfiles
> validates and canonicalizes the contexts in file_contexts by writing
> them to /sys/fs/selinux/context (a pseudo file) and reading back the
> result.  This will fail if selinuxfs is mounted in your chroot and your
> host policy doesn't define the context.  If selinuxfs is not mounted in
> your chroot, then this will just create a regular file under
> /sys/fs/selinux/context containing the context and read it back again,
> so it will "pass".  I'm guessing that it was failing in enforcing mode
> because it wasn't allowed to create files under /sys/fs/selinux in the
> chroot.  I think we need a change to setfiles (e.g. a new option) to
> fully disable this validation/canonicalization.

That would seem useful in my use-case.
>
>> this process, there are still 2 labels that are wrong:
>>
>> [root@localhost ~]# restorecon -v -n -r /
>> restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
>> restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0
>>
>> I think the /.autofsck is getting created during boot, and maybe just
>> inheriting from /. So, the question is why is / (root) still labeled as
>> mnt_t instead of root_t ? When the system is still mounted under
>> /mnt/test, /mnt/test (where / of the system is mounted) is correctly
>> labeled as root_t, but this seems to change once unmounted and I boot
>> the offline system?
>>
>> Any insights?
> No, that seems very strange.  How did you check the context of /mnt/root
> before unmounting it?  Try checking it this way:
> runcon -t setfiles_mac_t -- getfattr -n security.selinux /mnt/root
>
> And likewise, once you unmount and reboot the offline system, try it as:
> runcon -t setfiles_mac_t -- getfattr -n security.selinux /
>
This turned out to be an error due to an external process. The labeling
of /mnt/root is in fact correct. We are building a system in /mnt/root,
and when we use the recovery boot option from the install DVD, it
appears to relabel / to mnt_t. We did this in order to set up grub in the
bootsector. We noticed this because when we automated the grub-install
w/o using the recovery DVD, / was labeled correctly as expected.

Thanks for your help!
-Bond

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: How do you relabel all SELinux file contexts of an offline system's file system?
  2015-08-17 23:27           ` Bond Masuda
@ 2015-08-18 12:43             ` Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2015-08-18 12:43 UTC (permalink / raw)
  To: Bond Masuda, Stephen Smalley, selinux

On my Fedora 24 system, I see

sesearch -A -s setfiles_mac_t -p entrypoint -c file -C
Found 1 semantic av rules:
   allow setfiles_mac_t setfiles_exec_t : file { ioctl read getattr lock
execute execute_no_trans entrypoint open } ;

chcon -t setfiles_exec_t to the program would be better.

On 08/17/2015 04:27 PM, Bond Masuda wrote:
>
> On 08/13/2015 06:23 AM, Stephen Smalley wrote:
>>> Ok, figured this one out mostly, I think. Thanks to manpage
>>> setfiles_selinux, I first had to set setfiles_mac_t to permissive with:
>>>
>>> semanage permissive -a setfiles_mac_t
>> That suggests that setfiles_mac_t policy needs to be augmented with
>> further allow rules; you can tell which ones based on ausearch -m AVC
>> -se setfiles_mac_t
>>
> Ok, so on Fedora 21 (using
> selinux-policy-targeted-3.13.1-105.20.fc21.noarch), it looks like I need
> this:
>
> # ausearch -m AVC -se setfiles_mac_t | audit2allow
>
>
> #============= setfiles_mac_t ==============
> allow setfiles_mac_t bin_t:file entrypoint;
>
>
>>> Then, I ran the setfiles commands under runcon as:
>>>
>>> runcon -t setfiles_mac_t -- chroot /mnt /sbin/setfiles -v -F -e /proc -e
>>> /sys -e /dev -e /selinux
>>> /etc/selinux/targeted/contexts/files/file_contexts /
>>>
>>> This fixes the previous "invalid argument" errors from setfiles.
>> I think those errors reflect a bug/gap in setfiles.  Usually setfiles
>> validates and canonicalizes the contexts in file_contexts by writing
>> them to /sys/fs/selinux/context (a pseudo file) and reading back the
>> result.  This will fail if selinuxfs is mounted in your chroot and your
>> host policy doesn't define the context.  If selinuxfs is not mounted in
>> your chroot, then this will just create a regular file under
>> /sys/fs/selinux/context containing the context and read it back again,
>> so it will "pass".  I'm guessing that it was failing in enforcing mode
>> because it wasn't allowed to create files under /sys/fs/selinux in the
>> chroot.  I think we need a change to setfiles (e.g. a new option) to
>> fully disable this validation/canonicalization.
> That would seem useful in my use-case.
>>> this process, there are still 2 labels that are wrong:
>>>
>>> [root@localhost ~]# restorecon -v -n -r /
>>> restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
>>> restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0
>>>
>>> I think the /.autofsck is getting created during boot, and maybe just
>>> inheriting from /. So, the question is why is / (root) still labeled as
>>> mnt_t instead of root_t ? When the system is still mounted under
>>> /mnt/test, /mnt/test (where / of the system is mounted) is correctly
>>> labeled as root_t, but this seems to change once unmounted and I boot
>>> the offline system?
>>>
>>> Any insights?
>> No, that seems very strange.  How did you check the context of /mnt/root
>> before unmounting it?  Try checking it this way:
>> runcon -t setfiles_mac_t -- getfattr -n security.selinux /mnt/root
>>
>> And likewise, once you unmount and reboot the offline system, try it as:
>> runcon -t setfiles_mac_t -- getfattr -n security.selinux /
>>
> This turned out to be an error due to an external process. The labeling
> of /mnt/root is in fact correct. We are building a system in /mnt/root,
> and when we use the recovery boot option from the install DVD, it
> appears to relabel / to mnt_t. We did this in order to set up grub in the
> bootsector. We noticed this because when we automated the grub-install
> w/o using the recovery DVD, / was labeled correctly as expected.
>
> Thanks for your help!
> -Bond
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
>

^ permalink raw reply	[flat|nested] 10+ messages in thread
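The offline relabel discussed in this thread, pulled together as one script: it reads SELINUXTYPE from the offline tree's own /etc/selinux/config, refuses to run while selinuxfs is mounted below the offline root (the validation caveat Stephen raised), labels the chroot's setfiles binary setfiles_exec_t as Dan suggested instead of adding a bin_t entrypoint rule, runs Bond's runcon/chroot/setfiles command, and finishes with the getfattr check. This is an added example, not code from the thread; the helper names are our own, and it assumes a host running a policy that defines setfiles_mac_t and setfiles_exec_t.

```shell
#!/bin/sh
# Added example (not from the thread): relabel an offline system mounted at $1.
# Assumes the offline tree has /etc/selinux/config and /sbin/setfiles, and that
# the host policy defines setfiles_mac_t / setfiles_exec_t. Helper names are ours.

# Print the SELINUXTYPE value (e.g. "targeted") from an /etc/selinux/config file.
selinux_type_from_config() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Path of the file_contexts spec as seen from inside the chroot.
file_contexts_in_chroot() {
    printf '/etc/selinux/%s/contexts/files/file_contexts\n' "$1"
}

# Return 0 if selinuxfs is mounted below the offline root. With it mounted,
# setfiles validates every context against the host policy via
# /sys/fs/selinux/context, which is the failure mode described above.
selinuxfs_mounted_under() {
    grep -q " $1/sys/fs/selinux " /proc/self/mounts 2>/dev/null
}

offline_relabel() {
    root=$1
    cfg="$root/etc/selinux/config"
    [ -f "$cfg" ] || { echo "no $cfg" >&2; return 1; }
    type=$(selinux_type_from_config "$cfg")
    [ -n "$type" ] || { echo "SELINUXTYPE not set in $cfg" >&2; return 1; }
    if selinuxfs_mounted_under "$root"; then
        echo "unmount $root/sys/fs/selinux first" >&2; return 1
    fi
    # Label the chroot's setfiles so runcon can enter setfiles_mac_t through
    # the policy's own entrypoint type; setfiles relabels it again afterwards.
    chcon -t setfiles_exec_t "$root/sbin/setfiles" || return 1
    runcon -t setfiles_mac_t -- chroot "$root" /sbin/setfiles -v -F \
        -e /proc -e /sys -e /dev -e /selinux \
        "$(file_contexts_in_chroot "$type")" / || return 1
    # Confirm the root inode's label from the host side before unmounting.
    runcon -t setfiles_mac_t -- getfattr -n security.selinux "$root"
}

if [ "$#" -gt 0 ]; then
    offline_relabel "$1"
fi
```

Run as `sh relabel.sh /mnt` with the offline root mounted read-write; without an argument it only defines the functions.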

end of thread, other threads:[~2015-08-18 12:43 UTC | newest]

Thread overview: 10+ messages
2015-08-04 22:33 How do you relabel all SELinux file contexts of an offline system's file system? Bond Masuda
2015-08-05  6:54 ` Jason Zaman
2015-08-05 12:37   ` Stephen Smalley
2015-08-12  1:02   ` Bond Masuda
2015-08-12  3:37     ` Bond Masuda
2015-08-12  8:46       ` Reply: " rowan
2015-08-12  9:07       ` Bond Masuda
2015-08-13 13:23         ` Stephen Smalley
2015-08-17 23:27           ` Bond Masuda
2015-08-18 12:43             ` Daniel J Walsh
