Getting abnormal SELinux context after chroot install

theoriginalguru
Posts: 13
Joined: 2009/04/10 08:08:31

Getting abnormal SELinux context after chroot install

Post by theoriginalguru » 2016/06/22 17:58:50

I'm installing CentOS 7 in a chroot'd environment to build new images of CentOS 7 for a private cloud environment. I've done this successfully before with CentOS 6 and we have an automated process of doing that now. I'm now porting our process to do similarly for CentOS 7. However, after our process is complete, certain directories/symlinks have abnormal SELinux contexts assigned to them. This causes the system to fail to boot since we have SELinux enforcing by default and one of the problematic symlinks is /lib64.

Here is what we see in the CentOS 7 build tree root directory, right after a fresh install of CentOS 7 from the full updates repo:

```
# ls -alZ /
dr-xr-xr-x. root root system_u:object_r:root_t:s0      .
dr-xr-xr-x. root root system_u:object_r:root_t:s0      ..
drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 audit
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       bin -> usr/bin
dr-xr-xr-x. root root system_u:object_r:boot_t:s0      boot
drwxr-xr-x. root root unconfined_u:object_r:unlabeled_t:s0 dev
drwxr-xr-x. root root system_u:object_r:etc_t:s0       etc
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
lrwxrwxrwx. root root /usr/lib                         lib -> usr/lib
lrwxrwxrwx. root root /usr/lib                         lib64 -> usr/lib64
drwxr-xr-x. root root system_u:object_r:mnt_t:s0       media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0       mnt
drwxr-xr-x. root root system_u:object_r:usr_t:s0       opt
drwxr-xr-x. root root unconfined_u:object_r:unlabeled_t:s0 proc
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 root
drwxr-xr-x. root root /var/run                         run
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       sbin -> usr/sbin
drwxr-xr-x. root root system_u:object_r:var_t:s0       srv
drwxr-xr-x. root root unconfined_u:object_r:unlabeled_t:s0 sys
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       tmp
drwxr-xr-x. root root system_u:object_r:usr_t:s0       usr
drwxr-xr-x. root root system_u:object_r:var_t:s0       var
```

As you can see, the SELinux context for "lib" is "/usr/lib"!!! and similarly, for "lib64", it is "/usr/lib" ... those are not even valid context labels!

How can an invalid string like "/usr/lib" even be assigned as a SELinux label in the first place?

I can work around this with a manual fix using 'chcon system_u:object_r:type_label:s0 path', but I'm just wondering how this can happen in the first place?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Getting abnormal SELinux context after chroot install

Post by TrevorH » 2016/06/22 18:22:47

No idea about the problem but the best fix would be to touch /.autorelabel and have it run a relabel on first boot. Might need to be in permissive mode to let that complete properly.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

win32asm
Posts: 1
Joined: 2017/05/09 01:05:27

Re: Getting abnormal SELinux context after chroot install

Post by win32asm » 2017/05/09 01:23:35

A bit outdated reply (and probably it's been fixed since) 8-)
Probably the relabeling tool used all files in /etc/selinux/targeted/contexts/files/, while it should have used only file_contexts and file_contexts.homedirs.
Specifically, this error would have shown up if file_contexts.subs_dist had been used as a spec file for setfiles: the utility expects lines of "path selinux_context", and this file holds "path link_path" (e.g. "/lib /usr/lib").
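To make the mechanism above concrete, here is an added example (not code from the thread or from the SELinux tools): it validates the label column of `ls -alZ` output as the CentOS 7 listing earlier in the thread lays it out (mode, user, group, context, name) and shows that a file_contexts.subs_dist line, parsed with the "regex [type] context" layout of a file_contexts spec, yields a link path where a context should be. The sample listing and spec lines are constructed from the thread.

```python
import re

# Constructed sample in the ls -alZ column layout shown in the thread.
LS_Z_SAMPLE = """\
drwxr-xr-x. root root system_u:object_r:etc_t:s0       etc
lrwxrwxrwx. root root /usr/lib                         lib -> usr/lib
lrwxrwxrwx. root root /usr/lib                         lib64 -> usr/lib64
drwxr-xr-x. root root /var/run                         run
drwxr-xr-x. root root unconfined_u:object_r:unlabeled_t:s0 dev
"""
# Constructed spec lines: one in file_contexts form, two in subs_dist form.
FILE_CONTEXTS_SAMPLE = "/lib(64)?(/.*)?\tsystem_u:object_r:lib_t:s0\n"
SUBS_DIST_SAMPLE = "/lib /usr/lib\n/lib64 /usr/lib64\n"

# user:role:type:level, where roles end in _r, types in _t, level is an MLS range.
CONTEXT_RE = re.compile(
    r"^[\w.-]+:[\w.-]+_r:[\w.-]+_t:s\d+(?:-s\d+)?"
    r"(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?$"
)


def is_valid_context(label: str) -> bool:
    return CONTEXT_RE.match(label) is not None


def audit_ls_z(output: str) -> list:
    """Return (name, label, problem) for every entry whose label is not a sane context."""
    findings = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        label, name = fields[3], fields[4]
        if not is_valid_context(label):
            findings.append((name, label, "not a valid SELinux context"))
        elif ":unlabeled_t:" in label:
            findings.append((name, label, "unlabeled, needs relabel"))
    return findings


def bad_spec_lines(text: str) -> list:
    """Read lines as 'regex [filetype] context' and return those whose context is bogus."""
    bad = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        regex, context = fields[0], fields[-1]  # optional file-type field sits between
        if context != "<<none>>" and not is_valid_context(context):
            bad.append((regex, context))
    return bad
```

Run `audit_ls_z` over real `ls -alZ` output of a freshly built chroot before first boot to catch labels like these while the image is still fixable with setfiles or a relabel.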

theoriginalguru
Posts: 13
Joined: 2009/04/10 08:08:31

Re: Getting abnormal SELinux context after chroot install

Post by theoriginalguru » 2017/05/10 21:28:36

win32asm wrote: A bit outdated reply (and probably it's been fixed since) 8-)
Probably the relabeling tool used all files in /etc/selinux/targeted/contexts/files/, while it should have used only file_contexts and file_contexts.homedirs.
Specifically, this error would have shown up if file_contexts.subs_dist had been used as a spec file for setfiles: the utility expects lines of "path selinux_context", and this file holds "path link_path" (e.g. "/lib /usr/lib").

Hi win32asm:

I think you might be right. How do the SELinux tools determine which files in /etc/selinux/targeted/contexts/files should be used or not used? When one sets new context settings with 'semanage fcontext ...' it creates new files in there. How does it know which files to use or not use?
