Bug 1843873 - MLS policy doesn't get applied on boot
Summary: MLS policy doesn't get applied on boot
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: policycoreutils
Version: 8.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Petr Lautrbach
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-06-04 11:03 UTC by Renaud Métrich
Modified: 2020-06-24 09:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-24 09:39:55 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Renaud Métrich 2020-06-04 11:03:13 UTC
Description of problem:

This is a continuation of BZ #1843870.
Switching the system from Targeted to MLS by editing /etc/selinux/config, executing "fixfiles -B onboot" and booting with "enforcing=0" doesn't apply the policy correctly.

During relabeling, we see a lot of invalid labels (from the MLS policy point of view) being left untouched:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[    9.461243] SELinux:  Context system_u:object_r:rhsmcertd_config_t:s0 is not valid (left unmapped).
[    9.467703] SELinux:  Context system_u:object_r:fwupd_cert_t:s0 is not valid (left unmapped).
[    9.480796] SELinux:  Context unconfined_u:object_r:system_conf_t:s0 is not valid (left unmapped).
[    9.498028] SELinux:  Context system_u:object_r:rhnsd_conf_t:s0 is not valid (left unmapped).
[    9.514821] SELinux:  Context unconfined_u:object_r:file_context_t:s0 is not valid (left unmapped).
...
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

After relabeling and booting with "enforcing=0" again (otherwise the system isn't usable), the "restorecon -Frnv /" command shows tons of files that have not been relabeled:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# restorecon -Frvn / > restorecon.out
# grep "exec_t" restorecon.out
[...]
Would relabel /usr/sbin/rasdaemon from system_u:object_r:rasdaemon_exec_t:s0 to system_u:object_r:bin_t:s0
Would relabel /usr/sbin/kpatch from system_u:object_r:kpatch_exec_t:s0 to system_u:object_r:bin_t:s0
Would relabel /usr/sbin/spice-vdagentd from system_u:object_r:vdagent_exec_t:s0 to system_u:object_r:bin_t:s0
Would relabel /usr/sbin/blkmapd from system_u:object_r:blkmapd_exec_t:s0 to system_u:object_r:bin_t:s0
Would relabel /usr/lib/realmd/realmd from system_u:object_r:realmd_exec_t:s0 to system_u:object_r:lib_t:s0
[...]
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Hence, to apply the MLS policy, the admin must apply "restorecon -Frv /" on the system while booting in Permissive mode.


Version-Release number of selected component (if applicable):

policycoreutils-2.9-9.el8.x86_64


How reproducible:

Always

Steps to Reproduce:
1. Install selinux-policy-mls package
2. Edit /etc/selinux/config and move to "mls"
3. Edit /etc/selinux/config and change to Permissive
4. Execute "fixfiles -B onboot"
5. Reboot

Comment 1 Petr Lautrbach 2020-06-04 11:14:22 UTC
(In reply to Renaud Métrich from comment #0)

> 4. Execute "fixfiles -B onboot"

You should execute:

# fixfiles -F onboot

Comment 2 Renaud Métrich 2020-06-04 11:23:55 UTC
Sorry, it's possible I made typos while reproducing.
But this also reproduces with a "touch /.autorelabel" and reboot.

I will double check anyway

Comment 3 Renaud Métrich 2020-06-04 11:27:20 UTC
I can confirm this doesn't change anything at all.

Comment 4 Petr Lautrbach 2020-06-04 11:32:04 UTC
"touch /.autorelabel" would not help, you need to push -F inside the file:

"fixfiles -F onboot" is equivalent to "echo -n '-F ' > /.autorelabel"

Comment 5 Renaud Métrich 2020-06-04 11:49:02 UTC
Indeed "fixfiles -F onboot" helps here.
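The thread's resolution comes down to what is written into /.autorelabel: an empty file (from "touch /.autorelabel") or "fixfiles -B onboot" schedules a plain relabel that leaves the MLS-invalid labels alone, while "fixfiles -F onboot" writes "-F " into the marker so the boot-time relabel forces every context to match the new policy's file contexts. The following script is an added example, not code from the bug report or from policycoreutils: it writes the marker the way comment 4 describes, and adds a pre-reboot check that warns when SELINUXTYPE is mls but the pending relabel is not forced. The function names, the optional root-directory argument (so it can be exercised on a scratch tree instead of /), and the file name in the usage comment are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the bug report): prepare and verify a forced
# boot-time relabel for a targeted -> mls switch. Every function takes an
# optional root directory (default "/") so it can be tried on a scratch tree.
# Assumed usage:  sh mls-relabel-check.sh check [ROOT]
#                 sh mls-relabel-check.sh force [ROOT]

# Write the forced-relabel marker, mirroring the equivalence from comment 4:
#   "fixfiles -F onboot"  ==  echo -n '-F ' > /.autorelabel
# The selinux-autorelabel boot step passes the marker's content to fixfiles,
# so "-F" makes it reset every context instead of skipping customizable ones.
write_force_relabel_marker() {
    root=${1:-/}
    printf '%s' '-F ' > "$root/.autorelabel"
}

# Print how the next boot will relabel: "none" (no marker), "plain" (marker
# without -F, e.g. after "touch /.autorelabel" or "fixfiles -B onboot") or
# "forced" (marker carries -F).
pending_relabel_mode() {
    root=${1:-/}
    marker="$root/.autorelabel"
    if [ ! -e "$marker" ]; then
        echo none
    elif grep -q -- '-F' "$marker"; then
        echo forced
    else
        echo plain
    fi
}

# Print the SELINUXTYPE= value from an SELinux config file
# (default: /etc/selinux/config; the mls switch in step 2 sets it to "mls").
selinux_type() {
    cfg=${1:-/etc/selinux/config}
    sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$cfg" | tail -n 1
}

# Pre-reboot check: when the configured policy type is mls and a relabel is
# pending, that relabel must be forced, otherwise the boot ends up with the
# "is not valid (left unmapped)" contexts shown in the description.
# Returns 0 when consistent, 1 when a plain relabel is pending for mls.
check_mls_relabel() {
    root=${1:-/}
    cfg=${2:-$root/etc/selinux/config}
    type=$(selinux_type "$cfg")
    mode=$(pending_relabel_mode "$root")
    if [ "$type" = mls ] && [ "$mode" = plain ]; then
        echo "WARNING: SELINUXTYPE=mls but $root/.autorelabel lacks -F;" \
             "next boot will leave MLS-invalid labels untouched" >&2
        return 1
    fi
    echo "ok: SELINUXTYPE=$type, pending relabel: $mode"
    return 0
}

# Command-line entry point; nothing runs when no subcommand is given.
case "${1:-}" in
    check) check_mls_relabel "${2:-/}" ;;
    force) write_force_relabel_marker "${2:-/}" ;;
esac
```

Run "sh mls-relabel-check.sh check" after editing /etc/selinux/config and before rebooting; a non-zero exit means the marker was written by "touch" or "fixfiles -B onboot" and the relabel would reproduce the unmapped contexts, so run "sh mls-relabel-check.sh force" (or simply "fixfiles -F onboot") first.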

