Bug 1393417 - FS_RELABEL audit message does not appear after filesystem relabel
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: policycoreutils
Version: 6.8
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Petr Lautrbach
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-09 13:56 UTC by Milos Malik
Modified: 2016-11-09 15:48 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-09 15:48:41 UTC
Target Upstream Version:



Description Milos Malik 2016-11-09 13:56:31 UTC
Description of problem:
* the "fixfiles restore" command generates FS_LABEL audit message on both RHELs
* but the filesystem relabel during reboot does not generate such a message on RHEL-6.8

Version-Release number of selected component (if applicable):
policycoreutils-2.0.83-29.el6.x86_64

How reproducible:
* always

Steps to Reproduce:
1. fixfiles restore
2. fixfiles onboot
3. reboot

Actual results on RHEL-6.8:
# ausearch -m fs_relabel -i
----
type=FS_RELABEL msg=audit(11/09/2016 07:54:55.582:197) : user pid=1623 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 msg='op=mass relabel exe=/sbin/setfiles hostname=? addr=? terminal=pts/0 res=success' 
----

Actual results on RHEL-7.3:
# ausearch -m fs_relabel -i
----
type=FS_RELABEL msg=audit(11/09/2016 07:55:02.366:282) : pid=1773 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=mass relabel exe=/usr/sbin/setfiles hostname=? addr=? terminal=pts/0 res=success' 
----
type=FS_RELABEL msg=audit(11/09/2016 07:58:10.386:12) : pid=1143 uid=root auid=unset ses=unset subj=system_u:system_r:unconfined_service_t:s0 msg='op=mass relabel exe=/usr/sbin/setfiles hostname=? addr=? terminal=console res=success' 
----

Comment 1 Petr Lautrbach 2016-11-09 15:48:41 UTC
The relabel in rhel-6 happens in rc.sysinit which is run before any service including auditd is started so it can't be logged. The following workaround would fix it but I don't think it's appropriate for this phase of RHEL-6:

# diff -u /etc/rc.d/rc.sysinit.orig /etc/rc.d/rc.sysinit
--- /etc/rc.d/rc.sysinit.orig   2016-11-09 16:46:57.619932397 +0100
+++ /etc/rc.d/rc.sysinit        2016-11-09 16:47:39.088114173 +0100
@@ -525,6 +525,7 @@
 # Check to see if a full relabel is needed
 if [ -n "$SELINUX_STATE" -a "$READONLY" != "yes" ]; then
     if [ -f /.autorelabel ] || strstr "$cmdline" autorelabel ; then
+       service auditd start
        relabel_selinux
     fi
 else
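
Review bot: the added "service auditd start" line, placed directly before relabel_selinux, has no check of its exit status and no comment saying why a daemon is started from rc.sysinit. If auditd fails to come up at this point, the relabel still proceeds and the FS_RELABEL record is lost with no indication. Suggest a one-line comment stating the purpose, a warning on failure such as service auditd start || echo "auditd not started, relabel will not be audited", and confirmation that the regular auditd start later in boot tolerates a daemon that is already running.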


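The difference between the two outputs in this report can be checked mechanically. The Python sketch below is an added example, not part of the bug report or of policycoreutils: it parses `ausearch -m fs_relabel -i` lines and, as an assumed heuristic, treats `auid=unset` together with `ses=unset` as a boot-time relabel. The function names are hypothetical; the sample records are copied from the report above.

```python
import re

# Sample `ausearch -m fs_relabel -i` records copied from this report.
RHEL6 = """----
type=FS_RELABEL msg=audit(11/09/2016 07:54:55.582:197) : user pid=1623 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 msg='op=mass relabel exe=/sbin/setfiles hostname=? addr=? terminal=pts/0 res=success'
"""
RHEL7 = """----
type=FS_RELABEL msg=audit(11/09/2016 07:55:02.366:282) : pid=1773 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=mass relabel exe=/usr/sbin/setfiles hostname=? addr=? terminal=pts/0 res=success'
----
type=FS_RELABEL msg=audit(11/09/2016 07:58:10.386:12) : pid=1143 uid=root auid=unset ses=unset subj=system_u:system_r:unconfined_service_t:s0 msg='op=mass relabel exe=/usr/sbin/setfiles hostname=? addr=? terminal=console res=success'
"""

RECORD = re.compile(
    r"^type=FS_RELABEL msg=audit\((?P<when>[^)]+):(?P<serial>\d+)\) : (?P<body>.*)$")
# A value runs until the next " key=", so "op=mass relabel" keeps its space.
KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_record(line):
    """Return the fields of one interpreted FS_RELABEL line, or None."""
    m = RECORD.match(line.strip())
    if m is None:
        return None
    # The msg='...' payload carries op, exe, terminal and res.
    outer, _, inner = m.group("body").partition(" msg='")
    fields = dict(KV.findall(outer))
    fields.update(KV.findall(inner.rstrip("'")))
    fields["when"] = m.group("when")
    fields["serial"] = int(m.group("serial"))
    return fields

def origin(rec):
    """Assumed heuristic: no login session (auid/ses unset) means boot-time."""
    if rec.get("auid") == "unset" and rec.get("ses") == "unset":
        return "boot"
    return "interactive"

def relabel_events(text):
    """Return [(origin, record)] for every FS_RELABEL line in the text."""
    records = (parse_record(line) for line in text.splitlines())
    return [(origin(r), r) for r in records if r is not None]

def boot_relabel_logged(text):
    """True if a successful relabel without a login session was audited."""
    return any(o == "boot" and r.get("res") == "success"
               for o, r in relabel_events(text))

if __name__ == "__main__":
    for name, sample in (("RHEL-6.8", RHEL6), ("RHEL-7.3", RHEL7)):
        print(name, "boot relabel audited:", boot_relabel_logged(sample))
```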