Bug 713417

Summary: /root is labelled system_u:object_r:default_t:s0 after switching to MLS
Product: Red Hat Enterprise Linux 5
Reporter: Milos Malik <mmalik>
Component: doc-Deployment_Guide
Assignee: Martin Prpič <mprpic>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: high
Priority: unspecified
Version: 5.7
CC: dwalsh
Target Milestone: rc
Keywords: Documentation
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-01-08 17:09:23 UTC

Description Milos Malik 2011-06-15 11:21:22 UTC
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-311.el5
selinux-policy-targeted-2.4.6-311.el5
selinux-policy-mls-2.4.6-311.el5

How reproducible:
always

Steps to Reproduce:
1. get a fresh RHEL-5.7 machine with targeted policy installed
2. log in via console as root
3. yum -y install selinux-policy\* policycoreutils\*
4. replace "SELINUXTYPE=targeted" with "SELINUXTYPE=mls" in /etc/selinux/config
5. add "single enforcing=0" to /boot/grub/grub.conf
6. touch /.autorelabel
7. reboot
8. wait until the machine boots to single-user mode
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# matchpathcon /root
/root	system_u:object_r:default_t:s0
# restorecon -Rv /root
# ls -dZ /root
drwxr-x---  root root system_u:object_r:default_t:s0   root
#

Actual results:
/root is labelled default_t

Expected results:
/root is labelled sysadm_home_dir_t 

Additional information:
The problem is not tied to single-user mode; you can boot directly to runlevel 3 or 5 and you will see the same picture. Everything gets fine as soon as I run "genhomedircon ; restorecon -Rv /root" manually.

Comment 1 Daniel Walsh 2011-06-15 12:58:06 UTC
I think we have to add this to the docs for MLS.  Not sure how we can fix it other than the user running genhomedircon after switching to mls policy.

I would state it as 

After relabeling run

# genhomedircon
# restorecon -R -v /root /home ANYOTHERHOMEDIRS
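
A check for the condition reported in this bug, as an added example that is not part of the original report or of any comment: it reads `ls -dZ` output and prints the entries whose SELinux type is still default_t, which are the directories that need the genhomedircon and restorecon step. The function names and every sample line except the /root line from the description are constructed; the parser also accepts the newer "context path" layout of `ls -dZ`, which goes beyond the RHEL 5 output shown above.

```shell
#!/bin/sh
# Added example (not from the bug report): find directories that kept the
# fallback type default_t after switching policy and relabeling.

# find_default_t: read `ls -dZ` lines on stdin, print the name (last field)
# of every entry whose SELinux type is default_t.
# Assumption: names contain no whitespace.
find_default_t() {
    awk '
    {
        ctx = ""
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type[:level]; take the first field
            # with that shape (mode, owner and group have no colons).
            if ($i ~ /^[^:]+:[^:]+:[^:]+(:.*)?$/) { ctx = $i; break }
        }
        if (ctx == "") next          # no context on this line, skip it
        split(ctx, part, ":")        # part[3] is the type
        if (part[3] == "default_t") print $NF
    }'
}

# Constructed sample in the RHEL 5 `ls -dZ` layout. The first line is the
# /root listing from the bug description; the other two are made up.
sample_listing() {
    cat <<'EOF'
drwxr-x---  root root system_u:object_r:default_t:s0   root
drwx------  alice alice system_u:object_r:default_t:s0   alice
drwx------  bob bob system_u:object_r:sysadm_home_dir_t:s0-s15:c0.c1023 bob
EOF
}

# Demo run over the sample: prints "root" and "alice".
sample_listing | find_default_t
```

On a live system, pipe `ls -dZ /root /home/*` into `find_default_t`; any name it prints is a directory to pass to restorecon after running genhomedircon.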

Comment 3 Douglas Silas 2012-01-25 14:54:41 UTC
Sorry, I meant to shout if I shoutn't...

Comment 4 RHEL Program Management 2012-04-02 11:20:42 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 8 Martin Prpič 2012-08-22 12:39:24 UTC
Moving to ON_QA. Added an "Enabling MLS in SELinux" which includes an extra step (#6) that was requested to be documented in this bug.