From: Bond Masuda <bond.masuda@jlbond.com>
To: selinux@tycho.nsa.gov
Subject: Re: How do you relabel all SELinux file contexts of an offline system's file system?
Date: Tue, 11 Aug 2015 20:37:17 -0700 [thread overview]
Message-ID: <55CABF6D.70408@jlbond.com> (raw)
In-Reply-To: <55CA9B0E.9050109@jlbond.com>
So, further troubleshooting this myself, I found these errors from 'setfiles':

/sbin/setfiles reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
/sbin/setfiles set context /usr/sbin/tzdata-update->system_u:object_r:tzdata_exec_t:s0 failed:'Invalid argument'
/sbin/setfiles reset /sbin/pam_timestamp_check context system_u:object_r:pam_timestamp_exec_t:s0->system_u:object_r:pam_exec_t:s0
/sbin/setfiles reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
/sbin/setfiles set context /sbin/shutdown->system_u:object_r:shutdown_exec_t:s0 failed:'Invalid argument'
/sbin/setfiles reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
/sbin/setfiles set context /sbin/consoletype->system_u:object_r:consoletype_exec_t:s0 failed:'Invalid argument'
I'm guessing this is because the "host" system doesn't have these types
in its own policy? The "host" is a Fedora 21 system, while the system
mounted in /mnt/test is a CentOS6 system.
Grepping the "types" above that give "invalid argument" on the host's
file_context* files indeed comes up empty.
So, I'm guessing this is where I need to use runcon -t setfiles_mac_t to
run setfiles so it doesn't require the type to be one that is loaded in
the host's SELinux policy?
How do I use runcon? I tried:

# chroot /mnt/test /usr/bin/runcon -t setfiles_mac_t -- /sbin/setfiles -v -n -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /
/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel
Or, trying the -r option in setfiles:

# /usr/bin/runcon -t setfiles_mac_t -- /sbin/setfiles -v -n -F -e /proc -e /sys -e /dev -e /selinux -r /mnt/test /mnt/test/etc/selinux/targeted/contexts/files/file_contexts /mnt/test
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 762 has invalid context system_u:object_r:hald_log_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 763 has invalid context system_u:object_r:hald_var_run_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 827 has invalid context system_u:object_r:hald_var_run_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 855 has invalid context system_u:object_r:hotplug_etc_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 856 has invalid context system_u:object_r:hotplug_var_run_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 880 has invalid context system_u:object_r:hald_var_lib_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 883 has invalid context system_u:object_r:l2tp_etc_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 915 has invalid context system_u:object_r:hald_log_t:s0
/mnt/test/etc/selinux/targeted/contexts/files/file_contexts: line 1009 has invalid context system_u:object_r:hald_var_run_t:s0
Exiting after 10 errors.
Not sure I understand these errors?
Please help?
-Bond
On 08/11/2015 06:02 PM, Bond Masuda wrote:
>
> On 08/04/2015 11:54 PM, Jason Zaman wrote:
>> On Tue, Aug 04, 2015 at 03:33:05PM -0700, Bond Masuda wrote:
>>> Hello,
>>>
>>> Normally, if I need to ensure that all the SELinux file contexts are
>>> correct, I run:
>>>
>>> restorecon -R -v /
>>>
>>> However, in the current situation, I need to do that on a system that is
>>> offline, where I have its root and entire file system mounted under
>>> /mnt. I tried:
>>>
>>> chroot /mnt /usr/sbin/restorecon -R -v /mnt
>>>
>>> hoping it would have the same effect, but it does not appear to. When I
>>> boot the offline system, it shows a lot of SELinux mislabelings.
>>>
>>> Is there a way to fix SELinux file contexts of another system while it
>>> is offline?
>>>
>>> Thanks for any help...
>>> -Bond
>> Look at setfiles, you want something like this:
>>
>> setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/
>>
>> from setfiles(8):
>> -r rootpath
>> use an alternate root path.
>>
>> -- Jason
> Thanks to your hint and the other replies, I was able to use setfiles to
> solve most of the labeling issues. However, there are a few remaining
> problems.
>
> I also learned that setfiles doesn't seem to traverse distinct
> filesystems, so I had to iterate through the list of filesystems mounted
> under /mnt and iterate through each fcontext file. What remains after
> all this are the following that remain mislabeled:
>
> [root@localhost /]# restorecon -v -n -r /
> restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
> restorecon reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
> restorecon reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
> restorecon reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
> restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0
>
> I looked through the fcontexts files, and sure enough, they are mislabeled:
>
> [root@localhost files]# pwd
> /etc/selinux/targeted/contexts/files
> [root@localhost files]# grep -E "tzdata-update|/sbin/shutdown|/sbin/consoletype" *
> file_contexts:/sbin/shutdown -- system_u:object_r:shutdown_exec_t:s0
> file_contexts:/sbin/consoletype -- system_u:object_r:consoletype_exec_t:s0
> file_contexts:/usr/sbin/shutdown -- system_u:object_r:shutdown_exec_t:s0
> file_contexts:/usr/sbin/tzdata-update -- system_u:object_r:tzdata_exec_t:s0
>
> The way I'm running setfiles is basically like this:
>
> chroot /mnt/test /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /
>
> But iterating through each filesystem under "/" (in the chroot /mnt/test).
>
> Can anyone help me explain why the 5 file paths above remain mislabeled
> after running setfiles?
>
> Thanks,
> -Bond
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
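The procedure worked out in this thread, as an added example that is not part of the thread or of the setfiles project: one setfiles -r run per filesystem mounted under the guest root (setfiles does not cross filesystem boundaries), preceded by a check of which file_contexts entries use a type the host's loaded policy does not define, which is what the "has invalid context" lines above are reporting. The /proc/mounts excerpt, the file_contexts excerpt and the host type list are constructed sample data; the set of pseudo-filesystem types skipped and the suggestion to take the host type list from the policy (for example the type listing of seinfo from setools) are assumptions. The setfiles options are the ones used in the thread (-v, -n, -F, -r).

```shell
#!/bin/sh
# Added example, not code from the thread. Plans an offline relabel of a guest
# root mounted under ROOT: one setfiles -r run per mounted filesystem, and a
# pre-check for file_contexts entries whose type the host policy does not
# define. All sample data is constructed; the pseudo-filesystem list and the
# source of the host type list are assumptions.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT=/mnt/test

# Constructed stand-in for the host's /proc/mounts.
cat > "$WORK/mounts" <<'EOF'
/dev/sda1 / ext4 rw 0 0
/dev/mapper/guest-root /mnt/test ext4 rw 0 0
proc /mnt/test/proc proc rw 0 0
/dev/mapper/guest-home /mnt/test/home ext4 rw 0 0
/dev/sdb1 /mnt/test/boot ext4 rw 0 0
tmpfs /mnt/testing tmpfs rw 0 0
EOF

# Constructed excerpt of the guest's file_contexts, including a comment and
# a <<none>> entry so the parser has to skip them.
cat > "$WORK/file_contexts" <<'EOF'
# constructed sample
/sbin/shutdown -- system_u:object_r:shutdown_exec_t:s0
/var/log/hald(/.*)? system_u:object_r:hald_log_t:s0
/usr/sbin/tzdata-update -- system_u:object_r:tzdata_exec_t:s0
/etc/hotplug(/.*)? -d system_u:object_r:hotplug_etc_t:s0
/proc <<none>>
EOF

# Constructed list of types defined in the host's loaded policy, one per
# line. On a real host this comes from the policy itself (assumed: the type
# listing of seinfo from setools), not from the guest's file_contexts.
cat > "$WORK/host_types" <<'EOF'
bin_t
shutdown_exec_t
tzdata_exec_t
etc_t
EOF

# Mount points at or below $1, read from the /proc/mounts-format file $2,
# skipping pseudo-filesystems that must not be relabeled. Each surviving
# mount point needs its own setfiles run.
mounts_under() {
    awk -v root="$1" '
        $3 ~ /^(proc|sysfs|devtmpfs|devpts|selinuxfs|cgroup2?)$/ { next }
        $2 == root || index($2, root "/") == 1 { print $2 }' "$2" | sort
}

# "lineno type" for each entry of file_contexts $1 whose type is missing from
# the host type list $2. Under the host policy, setfiles rejects exactly these
# entries, so they must be resolved before the relabel can complete.
unknown_types() {
    awk -v tf="$2" '
        BEGIN { while ((getline t < tf) > 0) known[t] = 1 }
        /^[ \t]*#/ || NF == 0 { next }
        $NF == "<<none>>" { next }
        { split($NF, p, ":"); if (!(p[3] in known)) print NR, p[3] }' "$1"
}

# One setfiles command per filesystem under root $1 (printed, not executed).
# -r makes setfiles match file_contexts paths relative to the guest root and
# -n keeps it a dry run; drop -n to apply the labels.
relabel_plan() {
    root=$1
    fc=$root/etc/selinux/targeted/contexts/files/file_contexts
    mounts_under "$root" "$2" | while read -r mp; do
        printf 'setfiles -n -v -F -r %s %s %s\n' "$root" "$fc" "$mp"
    done
}

echo "== file_contexts entries the host policy cannot apply =="
unknown_types "$WORK/file_contexts" "$WORK/host_types"
echo "== relabel plan =="
relabel_plan "$ROOT" "$WORK/mounts"
```

The pre-check separates the two problems mixed together above: a path that is mislabeled because setfiles never descended into its filesystem is fixed by the per-mount-point runs, while a type such as hald_log_t that the guest's policy defines and the host's does not cannot be written by the host kernel at all, whichever tool or context the relabel runs under. Entries in the second group have to wait for a relabel performed under the guest's own policy (for example a relabel at the guest's next boot).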
Thread overview: 10+ messages
2015-08-04 22:33 How do you relabel all SELinux file contexts of an offline system's file system? Bond Masuda
2015-08-05 6:54 ` Jason Zaman
2015-08-05 12:37 ` Stephen Smalley
2015-08-12 1:02 ` Bond Masuda
2015-08-12 3:37 ` Bond Masuda [this message]
2015-08-12 8:46 ` 答复: " rowan
2015-08-12 9:07 ` Bond Masuda
2015-08-13 13:23 ` Stephen Smalley
2015-08-17 23:27 ` Bond Masuda
2015-08-18 12:43 ` Daniel J Walsh