Bug 2230349 - BLS snippets in /boot/loader/entries are improperly labeled with "module_object_t" SELinux context
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: grub2
Version: 8.8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Bootloader engineering team
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-08-09 11:02 UTC by Renaud Métrich
Modified: 2023-08-10 14:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
Links: Red Hat Issue Tracker RHELPLAN-165024 (last updated 2023-08-09 11:03:20 UTC)

Description Renaud Métrich 2023-08-09 11:02:24 UTC
Description of problem:

When updating the kernel, the new BLS snippet gets the "module_object_t" label:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# ls -lZ /boot/loader/entries/
[...]
-rw-r--r--. 1 root root system_u:object_r:modules_object_t:s0 371 Jun 29 17:25 9d59a9f41c1642b196990576ac8b7846-4.18.0-477.15.1.el8_8.x86_64.conf
[...]
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This is due to copying the "bls.conf" template from the kernel tree without using the "-Z" option to "cp", as seen on line 94 of /usr/lib/kernel/install.d/20-grub.install:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
 93             if [[ -f "${KERNEL_DIR}/bls.conf" ]]; then
 94                 cp -aT "${KERNEL_DIR}/bls.conf" "${BLS_TARGET}" || exit $?
 95             else
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Note that RHEL9 implements a different fix using "restorecon"; no idea why this complicated code is used:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
 65                 rm -f "/boot/${i##*/}-${KERNEL_VERSION}"
 66                 cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}"
 67                 command -v restorecon &>/dev/null && \
 68                     restorecon -R "/boot/${i##*/}-${KERNEL_VERSION}"
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

grub2-common-2.02-148.el8.noarch

How reproducible:

Always

Steps to Reproduce:
1. Install a new kernel

Actual results:

Improper context

Expected results:

Proper "boot_t" context
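The report above describes two things a practitioner wants to automate: detecting BLS snippets whose type is not the one SELinux policy assigns to /boot, and installing or repairing snippets so they end up with that type, which is what the RHEL 9 hook quoted above achieves with restorecon. The script below is an added example, not code from the bug report or from the grub2 package. bls_mislabeled parses ls -lZ output and prints entries whose type is not boot_t, bls_install_snippet copies a snippet and then runs restorecon like the RHEL 9 hook, and bls_relabel_dir repairs an already affected directory. The function names, the BLS_EXPECTED_TYPE variable, the SAMPLE_LS input and the second (older-kernel) file name in it are constructed for this example; the first sample line is the one quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report or the grub2 package.
# Audit BLS snippets under /boot/loader/entries for a wrong SELinux type and
# relabel them the way the RHEL 9 install hook does (copy, then restorecon).

# Type that SELinux policy assigns to files under /boot, and therefore the
# type a BLS snippet is expected to carry.
BLS_EXPECTED_TYPE="boot_t"

# Constructed sample of "ls -lZ /boot/loader/entries/" output: the first entry
# is the mislabeled one quoted in the bug report, the second (file name and
# date constructed for the example) carries the expected label.
SAMPLE_LS='total 8
-rw-r--r--. 1 root root system_u:object_r:modules_object_t:s0 371 Jun 29 17:25 9d59a9f41c1642b196990576ac8b7846-4.18.0-477.15.1.el8_8.x86_64.conf
-rw-r--r--. 1 root root system_u:object_r:boot_t:s0 371 May 10 09:11 9d59a9f41c1642b196990576ac8b7846-4.18.0-example-older.el8_8.x86_64.conf'

# bls_mislabeled: read "ls -lZ"-style lines on stdin and print the names of
# regular files whose SELinux type (third component of the user:role:type:level
# context in column 5) is not $BLS_EXPECTED_TYPE. Exit status 1 when at least
# one such file was found, 0 when every file is labeled correctly.
bls_mislabeled() {
    awk -v want="$BLS_EXPECTED_TYPE" '
        NF >= 9 && $1 ~ /^-/ {
            split($5, ctx, ":")
            if (ctx[3] != want) { print $NF; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# bls_audit_dir [DIR]: run the check against a live directory (default: the
# BLS entries directory). Same output and exit status as bls_mislabeled.
bls_audit_dir() {
    ls -lZ "${1:-/boot/loader/entries}" | bls_mislabeled
}

# bls_install_snippet SRC DST: copy a BLS snippet and reset its label.
# "cp -a" preserves the source's SELinux context, which is how a snippet copied
# out of the kernel tree keeps modules_object_t; running restorecon afterwards
# (as the RHEL 9 hook does) applies the policy default for the destination path.
bls_install_snippet() {
    cp -aT "$1" "$2" || return $?
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$2"
    fi
}

# bls_relabel_dir [DIR]: repair an already affected system by relabeling every
# entry in the directory from the policy's file_contexts.
bls_relabel_dir() {
    command -v restorecon >/dev/null 2>&1 || return 1
    restorecon -Rv "${1:-/boot/loader/entries}"
}

# Demo: run the detection over the constructed sample.
printf '%s\n' "$SAMPLE_LS" | bls_mislabeled \
    || echo "at least one BLS snippet is not labeled $BLS_EXPECTED_TYPE"
```

On a live RHEL 8 host, `bls_audit_dir` lists the affected snippets and `bls_relabel_dir` fixes them in place, because the default policy's file_contexts map everything under /boot to boot_t; restorecon never needs to know which kernel tree the file originally came from, which is why it is the simpler fix compared with choosing cp options.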

