Bug 1393417

Summary: FS_RELABEL audit message does not appear after filesystem relabel
Product: Red Hat Enterprise Linux 6
Component: policycoreutils
Version: 6.8
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Reporter: Milos Malik <mmalik>
Assignee: Petr Lautrbach <plautrba>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, ssekidde
Target Milestone: rc
Target Release: ---
Last Closed: 2016-11-09 15:48:41 UTC
Type: Bug

Description Milos Malik 2016-11-09 13:56:31 UTC
Description of problem:
* the "fixfiles restore" command generates FS_LABEL audit message on both RHELs
* but the filesystem relabel during reboot does not generate such a message on RHEL-6.8

Version-Release number of selected component (if applicable):
policycoreutils-2.0.83-29.el6.x86_64

How reproducible:
* always

Steps to Reproduce:
1. fixfiles restore
2. fixfiles onboot
3. reboot

Actual results on RHEL-6.8:
# ausearch -m fs_relabel -i
----
type=FS_RELABEL msg=audit(11/09/2016 07:54:55.582:197) : user pid=1623 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 msg='op=mass relabel exe=/sbin/setfiles hostname=? addr=? terminal=pts/0 res=success' 
----

Actual results on RHEL-7.3:
# ausearch -m fs_relabel -i
----
type=FS_RELABEL msg=audit(11/09/2016 07:55:02.366:282) : pid=1773 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=mass relabel exe=/usr/sbin/setfiles hostname=? addr=? terminal=pts/0 res=success' 
----
type=FS_RELABEL msg=audit(11/09/2016 07:58:10.386:12) : pid=1143 uid=root auid=unset ses=unset subj=system_u:system_r:unconfined_service_t:s0 msg='op=mass relabel exe=/usr/sbin/setfiles hostname=? addr=? terminal=console res=success' 
----
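
The comparison made by eye in the output above, as an added example that is not part of the original report: it parses `ausearch -m fs_relabel -i` records and reports whether a boot-time relabel was audited. The boot/interactive rule (auid=unset together with terminal=console) is an assumption drawn from the two RHEL-7.3 records, and all function names are hypothetical.

```python
import re

# Records copied from the `ausearch -m fs_relabel -i` output quoted in this report.
RHEL6 = """----
type=FS_RELABEL msg=audit(11/09/2016 07:54:55.582:197) : user pid=1623 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 msg='op=mass relabel exe=/sbin/setfiles hostname=? addr=? terminal=pts/0 res=success'
----
"""
RHEL7 = """----
type=FS_RELABEL msg=audit(11/09/2016 07:55:02.366:282) : pid=1773 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=mass relabel exe=/usr/sbin/setfiles hostname=? addr=? terminal=pts/0 res=success'
----
type=FS_RELABEL msg=audit(11/09/2016 07:58:10.386:12) : pid=1143 uid=root auid=unset ses=unset subj=system_u:system_r:unconfined_service_t:s0 msg='op=mass relabel exe=/usr/sbin/setfiles hostname=? addr=? terminal=console res=success'
----
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\) : (.*)$")
OUTER = re.compile(r"(\w+)=('[^']*'|\S+)")
INNER = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # values such as "mass relabel" contain spaces

def parse_record(line):
    """Turn one interpreted audit record into a flat dict, or None for separator lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": int(m.group(3))}
    for key, val in OUTER.findall(m.group(4)):
        if val.startswith("'"):          # nested msg='...' payload
            rec.update(INNER.findall(val[1:-1]))
        else:
            rec[key] = val
    return rec

def origin(rec):
    """Assumption drawn from the RHEL-7.3 records: a relabel run at boot has
    no login session (auid=unset) and its terminal is the console."""
    boot = rec.get("auid") == "unset" and rec.get("terminal") == "console"
    return "boot" if boot else "interactive"

def relabel_events(text):
    """Return (serial, origin, result) for every FS_RELABEL record in the text."""
    recs = filter(None, map(parse_record, text.splitlines()))
    return [(r["serial"], origin(r), r.get("res")) for r in recs if r["type"] == "FS_RELABEL"]

def boot_relabel_audited(text):
    """True when at least one successful boot-time mass relabel was recorded."""
    return any(o == "boot" and res == "success" for _, o, res in relabel_events(text))

if __name__ == "__main__":
    for name, sample in (("RHEL-6.8", RHEL6), ("RHEL-7.3", RHEL7)):
        print(name, relabel_events(sample), "boot relabel audited:", boot_relabel_audited(sample))
```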

Comment 1 Petr Lautrbach 2016-11-09 15:48:41 UTC
The relabel in rhel-6 happens in rc.sysinit which is run before any service including auditd is started so it can't be logged. The following workaround would fix it but I don't think it's appropriate for this phase of RHEL-6:

# diff -u /etc/rc.d/rc.sysinit.orig /etc/rc.d/rc.sysinit
--- /etc/rc.d/rc.sysinit.orig   2016-11-09 16:46:57.619932397 +0100
+++ /etc/rc.d/rc.sysinit        2016-11-09 16:47:39.088114173 +0100
@@ -525,6 +525,7 @@
 # Check to see if a full relabel is needed
 if [ -n "$SELINUX_STATE" -a "$READONLY" != "yes" ]; then
     if [ -f /.autorelabel ] || strstr "$cmdline" autorelabel ; then
+       service auditd start
        relabel_selinux
     fi
 else
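
Review bot: the added `service auditd start` in the autorelabel branch is not checked for failure, so if auditd cannot start this early in rc.sysinit the relabel still runs and the FS_RELABEL record is lost with no indication. Consider testing its exit status and printing a warning before `relabel_selinux`, and add a comment above the line saying that auditd is started here only so the mass relabel is audited. It is also worth confirming that the regular auditd service start later in boot tolerates the daemon already running.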