Re: How do you relabel all SELinux file contexts of an offline system's file system?

[Bond Masuda <bond.masuda@jlbond.com>]

On 08/04/2015 11:54 PM, Jason Zaman wrote:
> On Tue, Aug 04, 2015 at 03:33:05PM -0700, Bond Masuda wrote:
>> Hello,
>>
>> Normally, if I need to ensure that all the SELinux file contexts are
>> correct, I run:
>>
>> restorecon -R -v /
>>
>> However, in the current situation, I need to do that on a system that is
>> offline, where I have it's root and entire file system mounted under
>> /mnt. I tried:
>>
>> chroot /mnt /usr/sbin/restorecon -R -v /mnt
>>
>> hoping it would have the same effect, but it does not appear to. When I
>> boot the offline system, it shows a lot of SELinux mislabelings.
>>
>> Is there a way to fix SELinux file contexts of another system while it
>> is offline?
>>
>> Thanks for any help...
>> -Bond
> Look at setfiles, you want something like this:
>
> setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/
>
> from setfiles(8):
>        -r rootpath
>               use an alternate root path.
>
> -- Jason

Thanks to your hint and the other replies, I was able to use setfiles to
solve most of the labeling issues. However, there are a few remaining
problems.

I also learned that setfiles doesn't seem to traverse distinct
filesystems, so I had to iterate through the list of filesystems mounted
under /mnt and iterate through each fcontext file. What remains after
all this are the following that remain mislabeled:

[root@localhost /]# restorecon -v -n -r /
restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
restorecon reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
restorecon reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
restorecon reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0

I looked through the fcontexts files, and sure enough, they are mislabeled:

[root@localhost files]# pwd
/etc/selinux/targeted/contexts/files
[root@localhost files]# grep -E
"tzdata-update|/sbin/shutdown|/sbin/consoletype" *
file_contexts:/sbin/shutdown    --    system_u:object_r:shutdown_exec_t:s0
file_contexts:/sbin/consoletype    --   
system_u:object_r:consoletype_exec_t:s0
file_contexts:/usr/sbin/shutdown    --   
system_u:object_r:shutdown_exec_t:s0
file_contexts:/usr/sbin/tzdata-update    --   
system_u:object_r:tzdata_exec_t:s0

The way I'm running setfiles is basically like this:

chroot /mnt/test /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e
/selinux /etc/selinux/targeted/contexts/files/file_contexts /

But iterating through each filesystem under "/" (in the chroot /mnt/test).

Can anyone help me explain why the 5 file paths above remain mislabeled
after running setfiles?

Thanks,
-Bond