I believe that setfattr is not capable of deciding (before it tries to save the value on the filesystem) what value is correct or valid or well-formatted from the SELinux point of view. No matter if SELinux is enforcing or permissive, the "unlabeled" value will be rejected and the SELINUX_ERR will be generated.

If you want to get rid of SELinux errors, please use the following command in your TC:

    rlRun "setfattr -n security.selinux -v system_u:object_r:unlabeled_t:s0 bz1347396" 0 "Setting 'unlabeled' attribute on the testfile"

If you want to apply an invalid (because atd_t is a process type, not a file type) but well-formatted label, please use the following commands:

    # setenforce 0
    # setfattr -n security.selinux -v system_u:object_r:atd_t:s0 bz1347396
    # ls -Z bz1347396
    -rw-r--r--. root root system_u:object_r:atd_t:s0 bz1347396
    # setenforce 1
    # ls -Z bz1347396
    -rw-r--r--. root root system_u:object_r:unlabeled_t:s0 bz1347396
    #

Running the same command as root in an SSH terminal and in a beaker test via the beaker harness does not always result in the same SELinux context. The difference is visible in the "*_u" parts of scontext and tcontext:

automated run via beaker harness
====
    type=AVC msg=audit(1473870156.661:82): avc: denied { mac_admin } for pid=28341 comm="setfattr" capability=33 scontext=system_u:unconfined_r:unconfined_t:s0 tcontext=system_u:unconfined_r:unconfined_t:s0 tclass=capability2

manual run in a SSH terminal
====
    type=AVC msg=audit(1502961768.137:94): avc: denied { mac_admin } for pid=11470 comm="setfattr" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
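
The comparison of the two AVC records above can be done mechanically. The following is an added example, not part of the original bug report: it parses both records as quoted on this page and reports which fields of scontext and tcontext differ. The helper names `split_context`, `parse_avc` and `context_diff` are hypothetical.

```python
import re

# The two AVC records quoted above, copied from the page.
HARNESS = (
    'type=AVC msg=audit(1473870156.661:82): avc: denied { mac_admin } for '
    'pid=28341 comm="setfattr" capability=33 '
    'scontext=system_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:unconfined_r:unconfined_t:s0 tclass=capability2')
SSH = (
    'type=AVC msg=audit(1502961768.137:94): avc: denied { mac_admin } for '
    'pid=11470 comm="setfattr" capability=33 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=capability2')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FIELDS = ("user", "role", "type", "level")

def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    return dict(zip(FIELDS, parts + [""] * (4 - len(parts))))

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, value in KV_RE.findall(m.group(3)):
        rec[key] = value.strip('"')
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key] = split_context(rec[key])
    return rec

def context_diff(a, b, key="scontext"):
    """Map each context field that differs to its (a, b) values."""
    return {f: (a[key][f], b[key][f]) for f in FIELDS if a[key][f] != b[key][f]}

if __name__ == "__main__":
    harness, ssh = parse_avc(HARNESS), parse_avc(SSH)
    for key in ("scontext", "tcontext"):
        print(key, context_diff(harness, ssh, key))
```

For these two records the diff reports the user field and also the MLS level (s0 versus s0-s0:c0.c1023); role and type are identical.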