* How do you relabel all SELinux file contexts of an offline system's file system?
From: Bond Masuda @ 2015-08-04 22:33 UTC
To: selinux

Hello,

Normally, if I need to ensure that all the SELinux file contexts are
correct, I run:

    restorecon -R -v /

However, in the current situation, I need to do that on a system that is
offline, where I have its root and entire file system mounted under
/mnt. I tried:

    chroot /mnt /usr/sbin/restorecon -R -v /mnt

hoping it would have the same effect, but it does not appear to. When I
boot the offline system, it shows a lot of SELinux mislabelings.

Is there a way to fix SELinux file contexts of another system while it
is offline?

Thanks for any help...
-Bond
* Re: How do you relabel all SELinux file contexts of an offline system's file system?
From: Jason Zaman @ 2015-08-05 6:54 UTC
To: Bond Masuda; Cc: selinux

On Tue, Aug 04, 2015 at 03:33:05PM -0700, Bond Masuda wrote:
> Hello,
>
> Normally, if I need to ensure that all the SELinux file contexts are
> correct, I run:
>
>     restorecon -R -v /
>
> However, in the current situation, I need to do that on a system that is
> offline, where I have its root and entire file system mounted under
> /mnt. I tried:
>
>     chroot /mnt /usr/sbin/restorecon -R -v /mnt
>
> hoping it would have the same effect, but it does not appear to. When I
> boot the offline system, it shows a lot of SELinux mislabelings.
>
> Is there a way to fix SELinux file contexts of another system while it
> is offline?
>
> Thanks for any help...
> -Bond

Look at setfiles, you want something like this:

    setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/

from setfiles(8):

    -r rootpath
           use an alternate root path.

-- Jason
* Re: How do you relabel all SELinux file contexts of an offline system's file system?
From: Stephen Smalley @ 2015-08-05 12:37 UTC
To: Jason Zaman, Bond Masuda; Cc: selinux

On 08/05/2015 02:54 AM, Jason Zaman wrote:
> On Tue, Aug 04, 2015 at 03:33:05PM -0700, Bond Masuda wrote:
>> Hello,
>>
>> Normally, if I need to ensure that all the SELinux file contexts are
>> correct, I run:
>>
>>     restorecon -R -v /
>>
>> However, in the current situation, I need to do that on a system that is
>> offline, where I have its root and entire file system mounted under
>> /mnt. I tried:
>>
>>     chroot /mnt /usr/sbin/restorecon -R -v /mnt
>>
>> hoping it would have the same effect, but it does not appear to. When I
>> boot the offline system, it shows a lot of SELinux mislabelings.
>>
>> Is there a way to fix SELinux file contexts of another system while it
>> is offline?
>>
>> Thanks for any help...
>> -Bond
>
> Look at setfiles, you want something like this:
>
>     setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/
>
> from setfiles(8):
>
>     -r rootpath
>            use an alternate root path.

A couple of caveats:

- If using the -r option of setfiles rather than chroot'ing to the root of
  the offline system, you want to specify the file_contexts file from the
  policy of the offline system, not the file_contexts of the host on which
  you are running, e.g.

      setfiles -r /mnt /mnt/etc/selinux/targeted/contexts/files/file_contexts /mnt

- Not all of the contexts defined by the offline system's file_contexts may
  be valid under the policy of the host on which you are running (e.g. if
  they run different distributions or even different releases of the same
  distribution), which will normally prevent setting those contexts (the
  kernel won't recognize them). If you have this issue, you'll need to run
  setfiles as root in a special domain, setfiles_mac_t, that is allowed to
  set contexts unknown to the host policy, and likely chrooted so that it
  doesn't ask the kernel whether the contexts are valid via
  /sys/fs/selinux/context. That is how livecd-creator supported creating
  images for other releases.

It would help to know what kinds of "mislabelings" you are encountering on
the offline system when it is booted, e.g. what files were mislabeled, what
contexts were they supposed to have and what contexts did they have, and
were these cases where the host file_contexts differed from the offline
system file_contexts.
* Re: How do you relabel all SELinux file contexts of an offline system's file system?
From: Bond Masuda @ 2015-08-12 1:02 UTC
To: selinux

On 08/04/2015 11:54 PM, Jason Zaman wrote:
> On Tue, Aug 04, 2015 at 03:33:05PM -0700, Bond Masuda wrote:
>> Hello,
>>
>> Normally, if I need to ensure that all the SELinux file contexts are
>> correct, I run:
>>
>>     restorecon -R -v /
>>
>> However, in the current situation, I need to do that on a system that is
>> offline, where I have its root and entire file system mounted under
>> /mnt. I tried:
>>
>>     chroot /mnt /usr/sbin/restorecon -R -v /mnt
>>
>> hoping it would have the same effect, but it does not appear to. When I
>> boot the offline system, it shows a lot of SELinux mislabelings.
>>
>> Is there a way to fix SELinux file contexts of another system while it
>> is offline?
>>
>> Thanks for any help...
>> -Bond
>
> Look at setfiles, you want something like this:
>
>     setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/
>
> from setfiles(8):
>
>     -r rootpath
>            use an alternate root path.
>
> -- Jason

Thanks to your hint and the other replies, I was able to use setfiles to
solve most of the labeling issues. However, there are a few remaining
problems.

I also learned that setfiles doesn't seem to traverse distinct
filesystems, so I had to iterate through the list of filesystems mounted
under /mnt and iterate through each fcontext file. What remains after all
this are the following that remain mislabeled:

    [root@localhost /]# restorecon -v -n -r /
    restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
    restorecon reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
    restorecon reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
    restorecon reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
    restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0

I looked through the fcontexts files, and sure enough, they are mislabeled:

    [root@localhost files]# pwd
    /etc/selinux/targeted/contexts/files
    [root@localhost files]# grep -E "tzdata-update|/sbin/shutdown|/sbin/consoletype" *
    file_contexts:/sbin/shutdown -- system_u:object_r:shutdown_exec_t:s0
    file_contexts:/sbin/consoletype -- system_u:object_r:consoletype_exec_t:s0
    file_contexts:/usr/sbin/shutdown -- system_u:object_r:shutdown_exec_t:s0
    file_contexts:/usr/sbin/tzdata-update -- system_u:object_r:tzdata_exec_t:s0

The way I'm running setfiles is basically like this:

    chroot /mnt/test /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /

But iterating through each filesystem under "/" (in the chroot /mnt/test).

Can anyone help me explain why the 5 file paths above remain mislabeled
after running setfiles?

Thanks,
-Bond
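An added example, not code from the thread or from the SELinux project, that puts Stephen's caveats and Bond's per-filesystem finding into one script: it runs setfiles with -r against the offline system's own file_contexts (never the host's), issues one pass per filesystem mounted beneath the offline root because setfiles stays within a single filesystem, and can wrap setfiles in runcon -t setfiles_mac_t for contexts the host policy does not define. The mounts table used for the dry run is constructed; the script name relabel-offline.sh, the SETFILES_MAC switch and the default policy name targeted are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: plan (and optionally run) a setfiles
# relabel of an offline root using the OFFLINE system's file_contexts via
# "-r rootpath", one setfiles pass per filesystem mounted beneath that root.
# The offline root is never "/" itself (the host's own root is relabeled
# with restorecon, not with this script).
set -eu

# Constructed mounts table in /proc/mounts format, used for the dry run only.
# /mnt/testing is an unrelated tree that must not be matched by accident.
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/test ext4 rw,relatime 0 0
proc /mnt/test/proc proc rw 0 0
/dev/sdb2 /mnt/test/home xfs rw,relatime 0 0
/dev/sdb3 /mnt/test/var xfs rw,relatime 0 0
/dev/sdc1 /mnt/testing ext4 rw,relatime 0 0
EOF
}

# Print every mount point at or below $1, one per line, from the mounts table
# in $2 (default /proc/mounts). Pseudo filesystems carry no persistent labels
# and are skipped, which is what Bond's "-e /proc -e /sys" exclusions did.
mounts_under() {
    _root=${1%/}
    awk -v root="$_root" '
        $2 == root || index($2, root "/") == 1 {
            if ($3 ~ /^(proc|sysfs|devtmpfs|devpts|tmpfs|selinuxfs|cgroup|cgroup2|mqueue|debugfs)$/) next
            print $2
        }' "${2:-/proc/mounts}" | sort
}

# Command line for one mount point $2 under offline root $1 (policy $3).
# file_contexts is taken from under the offline root, and -r makes setfiles
# strip that root from each path before matching it against the specs.
# SETFILES_MAC=1 wraps the command in runcon -t setfiles_mac_t (assumed
# switch) for contexts the host policy does not define.
setfiles_cmd() {
    _root=${1%/}
    _fc="$_root/etc/selinux/${3:-targeted}/contexts/files/file_contexts"
    _prefix=""
    if [ "${SETFILES_MAC:-0}" = 1 ]; then
        _prefix="runcon -t setfiles_mac_t -- "
    fi
    printf '%s\n' "${_prefix}setfiles -v -F -r $_root $_fc $2"
}

# Print the full plan for root $1 against mounts table $2 without touching
# anything on disk.
plan() {
    mounts_under "$1" "${2:-/proc/mounts}" | while IFS= read -r _mnt; do
        setfiles_cmd "$1" "$_mnt" "${3:-targeted}"
    done
}

# Execute the plan against the live mount table:
#   sh relabel-offline.sh run /mnt/test [policy]
run_plan() {
    _r=${1%/}
    _pol=${2:-targeted}
    _fc="$_r/etc/selinux/$_pol/contexts/files/file_contexts"
    [ -r "$_fc" ] || { echo "no file_contexts at $_fc" >&2; return 1; }
    mounts_under "$_r" | while IFS= read -r _mnt; do
        if [ "${SETFILES_MAC:-0}" = 1 ]; then
            runcon -t setfiles_mac_t -- setfiles -v -F -r "$_r" "$_fc" "$_mnt"
        else
            setfiles -v -F -r "$_r" "$_fc" "$_mnt"
        fi
    done
}

if [ "${1:-}" = run ]; then
    shift
    run_plan "$@"
else
    # Dry run over the constructed table: prints one setfiles line per mount.
    _tbl=$(mktemp)
    sample_mounts >"$_tbl"
    plan /mnt/test "$_tbl"
    rm -f "$_tbl"
fi
```

Without arguments the script only prints the planned commands for the constructed table; `run /mnt/test` executes them against /proc/mounts. Because the host never interprets the offline file_contexts when -r is used, the plan is the same whichever distribution the host runs; only whether the kernel accepts each context differs, which is what the SETFILES_MAC wrapper is for.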
* Re: How do you relabel all SELinux file contexts of an offline system's file system?
From: Bond Masuda @ 2015-08-12 3:37 UTC
To: selinux

So, further troubleshooting this myself, I found these errors from
'setfiles':

    /sbin/setfiles reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
    /sbin/setfiles set context /usr/sbin/tzdata-update->system_u:object_r:tzdata_exec_t:s0 failed:'Invalid argument'
    /sbin/setfiles reset /sbin/pam_timestamp_check context system_u:object_r:pam_timestamp_exec_t:s0->system_u:object_r:pam_exec_t:s0
    /sbin/setfiles reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
    /sbin/setfiles set context /sbin/shutdown->system_u:object_r:shutdown_exec_t:s0 failed:'Invalid argument'
    /sbin/setfiles reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
    /sbin/setfiles set context /sbin/consoletype->system_u:object_r:consoletype_exec_t:s0 failed:'Invalid argument'

I'm guessing this is because the "host" system doesn't have these types
in its own policy? The "host" is a Fedora 21 system, while the system
mounted in /mnt/test is a CentOS6 system.

Grepping the "types" above that give "invalid argument" on the host's
file_context* files indeed comes up empty.

So, I'm guessing this is where I need to use runcon -t setfiles_mac_t to
run setfiles so it doesn't require the type to be one that is loaded in
the host's SELinux policy?

How do I use runcon? I tried:

    # chroot /mnt/test /usr/bin/runcon -t setfiles_mac_t -- /sbin/setfiles -v -n -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /
    /usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel

Or, trying the -r option in setfiles:

    # /usr/bin/runcon -t setfiles_mac_t -- /sbin/setfiles -v -n -F -e /proc -e /sys -e /dev -e /selinux -r /mnt/test /mnt/test/etc/selinux/targeted/contexts/files/file_contexts /mnt/test
    /mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 762 has invalid context system_u:object_r:hald_log_t:s0
    /mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 763 has invalid context system_u:object_r:hald_var_run_t:s0
    /mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 827 has invalid context system_u:object_r:hald_var_run_t:s0
    /mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 855 has invalid context system_u:object_r:hotplug_etc_t:s0
    /mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 856 has invalid context system_u:object_r:hotplug_var_run_t:s0
    /mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 880 has invalid context system_u:object_r:hald_var_lib_t:s0
    /mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 883 has invalid context system_u:object_r:l2tp_etc_t:s0
    /mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 915 has invalid context system_u:object_r:hald_log_t:s0
    /mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 1009 has invalid context system_u:object_r:hald_var_run_t:s0
    Exiting after 10 errors.

Not sure I understand these errors? Please help?

-Bond
* Re: How do you relabel all SELinux file contexts of an offline system's file system?
From: rowan @ 2015-08-12 8:46 UTC
To: 'Bond Masuda', selinux

Bond,

In my opinion, file contexts must co-work with the SELinux policy running
on the host. So, we must figure out the purpose of "relabel file contexts
of an offline system's".

First: The offline system is mounted on a host and works as a file system
that the host reads/writes.

Second: The offline system will be booted up as an OS; we just use the host
to calculate the contexts. E.g. embedded.

For the first: Just do as Stephen said, rather than 'chroot'.

>> setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/
>>
>> from setfiles(8):
>>     -r rootpath
>>            use an alternate root path.

The last '/mnt/' argument is where setfiles starts to work. '-r /mnt/'
(alternate) means that when matching files against the specfile
[file_contexts], there is no need to match the '/mnt/' part; it is skipped.

For the second: I'm not very sure how to do it. Maybe it needs three steps:

1. chroot
2. reload the SELinux policy, the policy on the offline system.
3. do setfiles.

Maybe you can just boot the offline system on the host and do an
autorelabel.

Thanks
rowan
* Re: How do you relabel all SELinux file contexts of an offline system's file system?
From: Bond Masuda @ 2015-08-12 9:07 UTC
To: selinux

On 08/11/2015 08:37 PM, Bond Masuda wrote:
> So, further troubleshooting this myself, I found these errors from
> 'setfiles':
>
>     /sbin/setfiles reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
>     /sbin/setfiles set context /usr/sbin/tzdata-update->system_u:object_r:tzdata_exec_t:s0 failed:'Invalid argument'
>     /sbin/setfiles reset /sbin/pam_timestamp_check context system_u:object_r:pam_timestamp_exec_t:s0->system_u:object_r:pam_exec_t:s0
>     /sbin/setfiles reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
>     /sbin/setfiles set context /sbin/shutdown->system_u:object_r:shutdown_exec_t:s0 failed:'Invalid argument'
>     /sbin/setfiles reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
>     /sbin/setfiles set context /sbin/consoletype->system_u:object_r:consoletype_exec_t:s0 failed:'Invalid argument'
>
> I'm guessing this is because the "host" system doesn't have these types
> in its own policy? The "host" is a Fedora 21 system, while the system
> mounted in /mnt/test is a CentOS6 system.
>
> Grepping the "types" above that give "invalid argument" on the host's
> file_context* files indeed comes up empty.
>
> So, I'm guessing this is where I need to use runcon -t setfiles_mac_t to
> run setfiles so it doesn't require the type to be one that is loaded in
> the host's SELinux policy?
>
> How do I use runcon? I tried:
>

Ok, figured this one out mostly, I think. Thanks to the manpage
setfiles_selinux, I first had to set setfiles_mac_t to permissive with:

    semanage permissive -a setfiles_mac_t

Then, I ran the setfiles commands under runcon as:

    runcon -t setfiles_mac_t -- chroot /mnt /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /

This fixes the previous "invalid argument" errors from setfiles. With
this process, there are still 2 labels that are wrong:

    [root@localhost ~]# restorecon -v -n -r /
    restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
    restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0

I think the /.autofsck is getting created during boot, and maybe just
inheriting from /. So, the question is why is / (root) still labeled as
mnt_t instead of root_t? When the system is still mounted under
/mnt/test, /mnt/test (where / of the system is mounted) is correctly
labeled as root_t, but this seems to change once unmounted and I boot
the offline system?

Any insights?

-Bond
* Re: How do you relabel all SELinux file contexts of an offline system's file system?
From: Stephen Smalley @ 2015-08-13 13:23 UTC
To: Bond Masuda, selinux

On 08/12/2015 05:07 AM, Bond Masuda wrote:
>
> On 08/11/2015 08:37 PM, Bond Masuda wrote:
>> So, further troubleshooting this myself, I found these errors from
>> 'setfiles':
>>
>>     /sbin/setfiles reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
>>     /sbin/setfiles set context /usr/sbin/tzdata-update->system_u:object_r:tzdata_exec_t:s0 failed:'Invalid argument'
>>     /sbin/setfiles reset /sbin/pam_timestamp_check context system_u:object_r:pam_timestamp_exec_t:s0->system_u:object_r:pam_exec_t:s0
>>     /sbin/setfiles reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
>>     /sbin/setfiles set context /sbin/shutdown->system_u:object_r:shutdown_exec_t:s0 failed:'Invalid argument'
>>     /sbin/setfiles reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
>>     /sbin/setfiles set context /sbin/consoletype->system_u:object_r:consoletype_exec_t:s0 failed:'Invalid argument'
>>
>> I'm guessing this is because the "host" system doesn't have these types
>> in its own policy? The "host" is a Fedora 21 system, while the system
>> mounted in /mnt/test is a CentOS6 system.
>>
>> Grepping the "types" above that give "invalid argument" on the host's
>> file_context* files indeed comes up empty.
>>
>> So, I'm guessing this is where I need to use runcon -t setfiles_mac_t to
>> run setfiles so it doesn't require the type to be one that is loaded in
>> the host's SELinux policy?
>>
>> How do I use runcon? I tried:
>>
>
> Ok, figured this one out mostly, I think. Thanks to the manpage
> setfiles_selinux, I first had to set setfiles_mac_t to permissive with:
>
>     semanage permissive -a setfiles_mac_t

That suggests that setfiles_mac_t policy needs to be augmented with
further allow rules; you can tell which ones based on

    ausearch -m AVC -se setfiles_mac_t

> Then, I ran the setfiles commands under runcon as:
>
>     runcon -t setfiles_mac_t -- chroot /mnt /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /
>
> This fixes the previous "invalid argument" errors from setfiles.

I think those errors reflect a bug/gap in setfiles. Usually setfiles
validates and canonicalizes the contexts in file_contexts by writing
them to /sys/fs/selinux/context (a pseudo file) and reading back the
result. This will fail if selinuxfs is mounted in your chroot and your
host policy doesn't define the context. If selinuxfs is not mounted in
your chroot, then this will just create a regular file under
/sys/fs/selinux/context containing the context and read it back again,
so it will "pass". I'm guessing that it was failing in enforcing mode
because it wasn't allowed to create files under /sys/fs/selinux in the
chroot. I think we need a change to setfiles (e.g. a new option) to
fully disable this validation/canonicalization.

> With this process, there are still 2 labels that are wrong:
>
>     [root@localhost ~]# restorecon -v -n -r /
>     restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
>     restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0
>
> I think the /.autofsck is getting created during boot, and maybe just
> inheriting from /. So, the question is why is / (root) still labeled as
> mnt_t instead of root_t? When the system is still mounted under
> /mnt/test, /mnt/test (where / of the system is mounted) is correctly
> labeled as root_t, but this seems to change once unmounted and I boot
> the offline system?
>
> Any insights?

No, that seems very strange. How did you check the context of /mnt/root
before unmounting it? Try checking it this way:

    runcon -t setfiles_mac_t -- getfattr -n security.selinux /mnt/root

And likewise, once you unmount and reboot the offline system, try it as:

    runcon -t setfiles_mac_t -- getfattr -n security.selinux /
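An added example, not code from the thread or from the SELinux project, for the two points in Stephen's reply: it pre-checks an offline system's file_contexts against the list of types the host policy defines, printing the same "line N has invalid context" wording setfiles used in Bond's output, so the entries that will need setfiles_mac_t are known before anything is relabeled; and it wraps the raw-xattr label check Stephen suggested. The file_contexts excerpt and the host type list are constructed; on a real host the type list would come from the setools command `seinfo -t`. The script name check-fc.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report which file_contexts entries name
# a type the host policy does not define (the ones setfiles rejects when it
# validates contexts through /sys/fs/selinux/context), and read a label
# straight from the security.selinux xattr.
set -eu

# Constructed excerpt in file_contexts format: regex, optional file-type flag
# (--, -d, ...), context. Not the real CentOS 6 file.
sample_fc() {
    cat <<'EOF'
# constructed excerpt
/.*                          system_u:object_r:default_t:s0
/sbin/shutdown           --  system_u:object_r:shutdown_exec_t:s0
/var/log/hald(/.*)?          system_u:object_r:hald_log_t:s0
/var/run/hald(/.*)?          system_u:object_r:hald_var_run_t:s0
/proc                    -d  <<none>>
/usr/sbin/tzdata-update  --  system_u:object_r:tzdata_exec_t:s0
EOF
}

# Constructed list of types the host policy defines, one per line. On a real
# host: seinfo -t > host-types.txt
sample_host_types() {
    printf '%s\n' default_t bin_t tzdata_exec_t
}

# "lineno context" for every entry in $1 that assigns a context. Comment and
# blank lines are skipped, as are <<none>> entries, which assign nothing.
# The context is always the last whitespace-separated field.
fc_entries() {
    awk '/^[[:space:]]*(#|$)/ { next } $NF != "<<none>>" { print NR, $NF }' "$1"
}

# The type is the third colon-separated field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print one line, in setfiles' own wording, for each entry of file_contexts
# $1 whose type is absent from the host type list $2. These are exactly the
# entries that make setfiles stop with "Exiting after 10 errors" when run
# outside setfiles_mac_t on a host whose policy lacks those types.
unknown_contexts() {
    fc_entries "$1" | while IFS=' ' read -r _ln _ctx; do
        grep -qx "$(ctx_type "$_ctx")" "$2" ||
            printf '%s: line %s has invalid context %s\n' "$1" "$_ln" "$_ctx"
    done
}

# Read the stored label of $1 directly from its xattr, run inside
# setfiles_mac_t as Stephen suggested so that a type the host policy does
# not define is still returned verbatim rather than rejected.
raw_label() {
    runcon -t setfiles_mac_t -- getfattr --only-values -n security.selinux "$1"
}

if [ $# -ge 2 ]; then
    # sh check-fc.sh /mnt/test/etc/selinux/targeted/contexts/files/file_contexts host-types.txt
    unknown_contexts "$1" "$2"
else
    # Dry run over the constructed excerpt and type list.
    _fc=$(mktemp)
    _ty=$(mktemp)
    sample_fc >"$_fc"
    sample_host_types >"$_ty"
    unknown_contexts "$_fc" "$_ty"
    rm -f "$_fc" "$_ty"
fi
```

The dry run flags the shutdown_exec_t and hald_* entries and accepts default_t and tzdata_exec_t, mirroring what Bond saw between a Fedora 21 host and a CentOS 6 guest: the rejections are a property of the host policy, not of the offline file system, which is why switching to setfiles_mac_t (or chrooting without selinuxfs mounted) makes them disappear.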
* Re: How do you relabel all SELinux file contexts of an offline system's file system?
From: Bond Masuda @ 2015-08-17 23:27 UTC
To: Stephen Smalley, selinux

On 08/13/2015 06:23 AM, Stephen Smalley wrote:
>>
>> Ok, figured this one out mostly, I think. Thanks to the manpage
>> setfiles_selinux, I first had to set setfiles_mac_t to permissive with:
>>
>>     semanage permissive -a setfiles_mac_t
>
> That suggests that setfiles_mac_t policy needs to be augmented with
> further allow rules; you can tell which ones based on
>
>     ausearch -m AVC -se setfiles_mac_t
>

Ok. so on Fedora 21 (using
selinux-policy-targeted-3.13.1-105.20.fc21.noarch), it looks like I need
this:

    # ausearch -m AVC -se setfiles_mac_t | audit2allow

    #============= setfiles_mac_t ==============
    allow setfiles_mac_t bin_t:file entrypoint;

>> Then, I ran the setfiles commands under runcon as:
>>
>>     runcon -t setfiles_mac_t -- chroot /mnt /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /
>>
>> This fixes the previous "invalid argument" errors from setfiles.
>
> I think those errors reflect a bug/gap in setfiles. Usually setfiles
> validates and canonicalizes the contexts in file_contexts by writing
> them to /sys/fs/selinux/context (a pseudo file) and reading back the
> result. This will fail if selinuxfs is mounted in your chroot and your
> host policy doesn't define the context. If selinuxfs is not mounted in
> your chroot, then this will just create a regular file under
> /sys/fs/selinux/context containing the context and read it back again,
> so it will "pass". I'm guessing that it was failing in enforcing mode
> because it wasn't allowed to create files under /sys/fs/selinux in the
> chroot. I think we need a change to setfiles (e.g. a new option) to
> fully disable this validation/canonicalization.

That would seem useful in my use-case.

>
>> With this process, there are still 2 labels that are wrong:
>>
>>     [root@localhost ~]# restorecon -v -n -r /
>>     restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
>>     restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0
>>
>> I think the /.autofsck is getting created during boot, and maybe just
>> inheriting from /. So, the question is why is / (root) still labeled as
>> mnt_t instead of root_t? When the system is still mounted under
>> /mnt/test, /mnt/test (where / of the system is mounted) is correctly
>> labeled as root_t, but this seems to change once unmounted and I boot
>> the offline system?
>>
>> Any insights?
>
> No, that seems very strange. How did you check the context of /mnt/root
> before unmounting it? Try checking it this way:
>
>     runcon -t setfiles_mac_t -- getfattr -n security.selinux /mnt/root
>
> And likewise, once you unmount and reboot the offline system, try it as:
>
>     runcon -t setfiles_mac_t -- getfattr -n security.selinux /
>

This turned out to be an error due to an external process. The labeling
of /mnt/root is in fact correct. We are building a system in /mnt/root,
and when we use the recovery boot option from the install DVD, it
appears to relabel / to mnt_t. We did this in order to setup grub in the
bootsector. We noticed this because when we automated the grub-install
w/o using the recovery DVD, / was labeled correctly as expected.

Thanks for your help!

-Bond
* Re: How do you relabel all SELinux file contexts of an offline system's file system?
  2015-08-17 23:27 ` Bond Masuda
@ 2015-08-18 12:43 ` Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2015-08-18 12:43 UTC (permalink / raw)
To: Bond Masuda, Stephen Smalley, selinux

On my Fedora 24 system, I see

sesearch -A -s setfiles_mac_t -p entrypoint -c file -C
Found 1 semantic av rules:
   allow setfiles_mac_t setfiles_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;

chcon -t setfiles_exec_t to the program would be better.

On 08/17/2015 04:27 PM, Bond Masuda wrote:
>
> On 08/13/2015 06:23 AM, Stephen Smalley wrote:
>>> Ok, figured this one out mostly, I think. Thanks to manpage
>>> setfiles_selinux, I first had to set setfiles_mac_t to permissive with:
>>>
>>> semanage permissive -a setfiles_mac_t
>> That suggests that setfiles_mac_t policy needs to be augmented with
>> further allow rules; you can tell which ones based on ausearch -m AVC
>> -se setfiles_mac_t
>>
> Ok, so on Fedora 21 (using
> selinux-policy-targeted-3.13.1-105.20.fc21.noarch), it looks like I need
> this:
>
> # ausearch -m AVC -se setfiles_mac_t | audit2allow
>
> #============= setfiles_mac_t ==============
> allow setfiles_mac_t bin_t:file entrypoint;
>
>>> Then, I ran the setfiles commands under runcon as:
>>>
>>> runcon -t setfiles_mac_t -- chroot /mnt /sbin/setfiles -v -F -e /proc -e
>>> /sys -e /dev -e /selinux
>>> /etc/selinux/targeted/contexts/files/file_contexts /
>>>
>>> This fixes the previous "invalid argument" errors from setfiles.
>> I think those errors reflect a bug/gap in setfiles. Usually setfiles
>> validates and canonicalizes the contexts in file_contexts by writing
>> them to /sys/fs/selinux/context (a pseudo file) and reading back the
>> result. This will fail if selinuxfs is mounted in your chroot and your
>> host policy doesn't define the context. If selinuxfs is not mounted in
>> your chroot, then this will just create a regular file under
>> /sys/fs/selinux/context containing the context and read it back again,
>> so it will "pass". I'm guessing that it was failing in enforcing mode
>> because it wasn't allowed to create files under /sys/fs/selinux in the
>> chroot. I think we need a change to setfiles (e.g. a new option) to
>> fully disable this validation/canonicalization.
> That would seem useful in my use-case.
>>> this process, there are still 2 labels that are wrong:
>>>
>>> [root@localhost ~]# restorecon -v -n -r /
>>> restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
>>> restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0
>>>
>>> I think the /.autofsck is getting created during boot, and maybe just
>>> inheriting from /. So, the question is why is / (root) still labeled as
>>> mnt_t instead of root_t ? When the system is still mounted under
>>> /mnt/test, /mnt/test (where / of the system is mounted) is correctly
>>> labeled as root_t, but this seems to change once unmounted and I boot
>>> the offline system?
>>>
>>> Any insights?
>> No, that seems very strange. How did you check the context of /mnt/root
>> before unmounting it? Try checking it this way:
>> runcon -t setfiles_mac_t -- getfattr -n security.selinux /mnt/root
>>
>> And likewise, once you unmount and reboot the offline system, try it as:
>> runcon -t setfiles_mac_t -- getfattr -n security.selinux /
>>
> This turned out to be an error due to an external process. The labeling
> of /mnt/root is in fact correct. We are building a system in /mnt/root,
> and when we use the recovery boot option from the install DVD, it
> appears to relabel / to mnt_t. We did this in order to set up grub in the
> boot sector. We noticed this because when we automated the grub-install
> w/o using the recovery DVD, / was labeled correctly as expected.
>
> Thanks for your help!
> -Bond
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
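The offline relabel this thread converges on, put together as one script: Jason's `setfiles -r` run from the host, Bond's `runcon -t setfiles_mac_t`, Stephen's `getfattr` check of the label actually stored on disk, and Dan's point that the entrypoint should be `setfiles_exec_t` rather than an extra allow rule. This is an added example, not code posted by anyone in the thread. The function names, the `/mnt` default, the choice of excluded directories, the hard failure when the target has no `SELINUXTYPE`, and the assumption that the root path contains no whitespace are mine.

```shell
#!/bin/sh
# Added example (not from the thread): relabel an offline root filesystem
# mounted at $root from the HOST, using the TARGET's own policy to pick the
# file_contexts spec. Assumes /mnt (or the path passed in), no whitespace in
# paths, and policycoreutils + attr installed on the host.

# Read SELINUXTYPE= from the target's /etc/selinux/config so the spec comes
# from the policy the offline system will boot with, not the host's. Fails
# instead of guessing: relabelling with another policy's file_contexts
# produces a quietly mislabelled tree.
target_policy_type() {
    root=$1
    cfg=$root/etc/selinux/config
    t=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$cfg" 2>/dev/null | tail -n 1)
    if [ -z "$t" ]; then
        echo "no SELINUXTYPE in $cfg" >&2
        return 1
    fi
    printf '%s\n' "$t"
}

# Compose the setfiles command line. "-r root" makes setfiles strip $root
# from each path before matching it against file_contexts, so /mnt/etc/passwd
# is labelled as /etc/passwd. "-F" resets even customizable types. The "-e"
# excludes skip pseudo-filesystems that may still be mounted into the tree;
# exclude paths are the real, un-stripped paths (an assumption to verify
# against your setfiles version).
build_setfiles_cmd() {
    root=$1
    type=$2
    spec=$root/etc/selinux/$type/contexts/files/file_contexts
    printf 'setfiles -v -F -r %s -e %s/proc -e %s/sys -e %s/dev %s %s\n' \
        "$root" "$root" "$root" "$root" "$spec" "$root"
}

# Run the relabel. When the host has SELinux enabled, run under
# setfiles_mac_t, the reference-policy domain for relabelling an alternate
# root (as Bond did with runcon). Any denial then shows up in
# "ausearch -m AVC -se setfiles_mac_t" instead of as a silent partial relabel.
relabel_offline_root() {
    root=${1:-/mnt}
    type=$(target_policy_type "$root") || return 1
    cmd=$(build_setfiles_cmd "$root" "$type")
    if selinuxenabled 2>/dev/null; then
        # shellcheck disable=SC2086  # word-splitting $cmd is intentional
        runcon -t setfiles_mac_t -- $cmd
    else
        $cmd
    fi
}

# Print the label actually stored in the security.selinux xattr, which is
# what the offline system will see at boot. This is the check Stephen
# suggested for comparing /mnt/root before unmount with / afterwards.
label_of() {
    getfattr --only-values -n security.selinux -- "$1" 2>/dev/null | tr -d '\0'
    echo
}

# Optional entry point: sh relabel-offline.sh --run /mnt
if [ "${1-}" = "--run" ]; then
    relabel_offline_root "${2:-/mnt}" && label_of "${2:-/mnt}"
fi
```

Running the host's `/usr/sbin/setfiles` with `-r` instead of chroot-ing into the target sidesteps the `allow setfiles_mac_t bin_t:file entrypoint` denial Bond hit: the host binary is already `setfiles_exec_t`, the only entrypoint Dan's `sesearch` output shows for `setfiles_mac_t`. Stephen's caveat still applies, though: setfiles validates every context against the policy loaded on the host, so entries in the target's `file_contexts` that name types the host policy does not define are reported as invalid rather than applied. Check the spec against the target's compiled policy beforehand with `setfiles -c <policy file> <file_contexts>`, or relabel from a host running the same policy. After the run, `label_of "$root"` should print `system_u:object_r:root_t:s0`; if the booted system shows something else, as it did here, something that ran after setfiles (the install DVD's recovery boot in this thread) changed it.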
end of thread

Thread overview: 10+ messages
2015-08-04 22:33 How do you relabel all SELinux file contexts of an offline system's file system? Bond Masuda
2015-08-05  6:54 ` Jason Zaman
2015-08-05 12:37 ` Stephen Smalley
2015-08-12  1:02 ` Bond Masuda
2015-08-12  3:37 ` Bond Masuda
2015-08-12  8:46 ` Re: How do you relabel all SELinux file contexts of an offline system's file system? rowan
2015-08-12  9:07 ` Bond Masuda
2015-08-13 13:23 ` Stephen Smalley
2015-08-17 23:27 ` Bond Masuda
2015-08-18 12:43 ` Daniel J Walsh