Bug 2061680

Summary: systemd creates mislabeled files on boot
Product: Red Hat Enterprise Linux 9
Component: selinux-policy
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 9.0
Target Milestone: rc
Target Release: 9.1
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-34.1.31-2.el9
Doc Type: No Doc Update
Last Closed: 2022-11-15 11:13:14 UTC
Type: Bug
Reporter: Marko Myllynen <myllynen>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: dtardon, lvrabec, mmalik, nknazeko, ssekidde, systemd-maint-list, yuwatana
Keywords: Triaged
Flags: pm-rhel: mirror+

Description Marko Myllynen 2022-03-08 10:09:18 UTC
Description of problem:
After a fresh RHEL 9.0 Beta installation and initial boot there are two mislabeled files created by systemd present:

# restorecon -Rv /
Relabeled /etc/systemd/network/71-net-ifnames-prefix-net0.link from system_u:object_r:systemd_hwdb_etc_t:s0 to system_u:object_r:etc_t:s0
Relabeled /run/machine-id from system_u:object_r:machineid_t:s0 to system_u:object_r:var_run_t:s0

It would be nice to have the labels changed where needed so that restorecon wouldn't change anything. Thanks.

Version-Release number of selected component (if applicable):
RHEL 9.0 Beta

Comment 1 David Tardon 2022-03-08 12:23:17 UTC
(In reply to Marko Myllynen from comment #0)
> Description of problem:
> After a fresh RHEL 9.0 Beta installation and initial boot there are two
> mislabeled files created by systemd present:
> 
> # restorecon -Rv /
> Relabeled /etc/systemd/network/71-net-ifnames-prefix-net0.link from
> system_u:object_r:systemd_hwdb_etc_t:s0 to system_u:object_r:etc_t:s0

This one is actually created by prefixdevname, not by systemd; I created bug 2061725 for it.

> Relabeled /run/machine-id from system_u:object_r:machineid_t:s0 to
> system_u:object_r:var_run_t:s0

I'm not sure we can do anything about this one. AFAICS, /run/machine-id is only created if /etc/machine-id failed to be created for any reason, and it is then bind-mounted to /etc/machine-id. That means that /etc/machine-id and /run/machine-id share the same selinux label and a change made on one of them will just make the other one wrong...

Comment 2 Yu Watanabe 2022-03-08 12:27:58 UTC
> /etc/systemd/network/71-net-ifnames-prefix-net0.link

Yeah, as David already commented, the file is not generated by systemd.

Comment 3 David Tardon 2022-03-16 18:42:25 UTC
(In reply to David Tardon from comment #1)
> AFAICS, /run/machine-id is
> only created if /etc/machine-id failed to be created for any reason, and it
> is then bind-mounted to /etc/machine-id.

... which means that /run/machine-id has to have the same default label as /etc/machine-id -> passing over to selinux-policy.
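
The situation described in comments 1 and 3 is a general one: when two paths are bind mounts of the same inode, restorecon "fixing" one side silently relabels the other, so the right fix is in the policy's file contexts, not on the file. The following is an added example (not part of this bug report or of selinux-policy) that parses `restorecon -Rnv` dry-run output and flags type changes that land on a bind-mounted pair; the sample lines are constructed from the two entries quoted in comment 0, and the list of bind-mount pairs is an assumption for illustration.

```python
import re
from typing import NamedTuple

# restorecon -v prints one line per file it (would) relabel:
#   Relabeled <path> from <user>:<role>:<type>:<level> to <user>:<role>:<type>:<level>
# Paths containing whitespace are not handled by this simple pattern.
_LINE = re.compile(r"^Relabeled (?P<path>\S+) from (?P<old>\S+) to (?P<new>\S+)$")


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return parts[2]


class Relabel(NamedTuple):
    path: str
    old_ctx: str
    new_ctx: str

    @property
    def old_type(self) -> str:
        return context_type(self.old_ctx)

    @property
    def new_type(self) -> str:
        return context_type(self.new_ctx)


def parse_restorecon(output: str) -> list[Relabel]:
    """Parse restorecon -v output; lines that are not relabel records are ignored."""
    entries = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(Relabel(m["path"], m["old"], m["new"]))
    return entries


def type_changes(entries: list[Relabel]) -> list[Relabel]:
    """Keep only records where the *type* differs; user/role/level-only changes rarely matter."""
    return [e for e in entries if e.old_type != e.new_type]


def bind_mount_conflicts(entries, pairs):
    """Type changes on a bind-mounted pair: both paths share one inode and therefore one
    label, so relabeling either side mislabels the other. Returns (entry, partner_path)."""
    partner = {}
    for a, b in pairs:
        partner[a], partner[b] = b, a
    return [(e, partner[e.path]) for e in type_changes(entries) if e.path in partner]


# Constructed sample, taken from the two lines quoted in the bug description.
SAMPLE = """\
Relabeled /etc/systemd/network/71-net-ifnames-prefix-net0.link from system_u:object_r:systemd_hwdb_etc_t:s0 to system_u:object_r:etc_t:s0
Relabeled /run/machine-id from system_u:object_r:machineid_t:s0 to system_u:object_r:var_run_t:s0
"""
# Assumed bind-mount pairs (systemd bind-mounts /run/machine-id over /etc/machine-id when
# /etc/machine-id could not be written, as comment 1 explains).
BIND_MOUNT_PAIRS = [("/etc/machine-id", "/run/machine-id")]

if __name__ == "__main__":
    for e, other in bind_mount_conflicts(parse_restorecon(SAMPLE), BIND_MOUNT_PAIRS):
        print(f"{e.path}: {e.old_type} -> {e.new_type} would also relabel {other}; fix the policy instead")
```

On a live system, feed it `restorecon -Rnv / 2>/dev/null` (the `-n` dry run changes nothing) and extend `BIND_MOUNT_PAIRS` from `findmnt` output.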

Comment 5 Zdenek Pytela 2022-04-28 11:11:43 UTC
To backport:
commit e5475f58e40de965ecd4dcf8820a72f10b46e002 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Thu Apr 28 10:14:51 2022 +0200

    Label /var/run/machine-id as machineid_t

Comment 14 errata-xmlrpc 2022-11-15 11:13:14 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283