Re: selinux changes: why?

On 06/12/21 09:10 +1100, Nick Urbanik wrote:
On 05/12/21 09:59 -0500, Jonathan Billings wrote:
On Dec 5, 2021, at 05:44, Nick Urbanik <nicku@xxxxxxxxx> wrote:
I am regularly having selinux labels changing.  This should never
happen, but it does quite continuously; many critical executables lose
their correct label, preventing me from logging in without a relabel.

This is Fedora 35, upgraded over quite a few generations of Fedora.
The root file system is ext4 on luks encryption on RAID 1.

Any suggestions on how to troubleshoot and determine the cause?  I've
never had selinux labels decay before.

There is an ongoing problem of decay of selinux labels on this
machine; I would appreciate any suggestions on how to troubleshoot
this; I find it alarming.

$ sudo restorecon -rv *
Relabeled /usr/sbin/alsactl from system_u:object_r:bin_t:s0 to system_u:object_r:alsa_exec_t:s0
Relabeled /usr/sbin/ldconfig from system_u:object_r:bin_t:s0 to system_u:object_r:ldconfig_exec_t:s0
Relabeled /usr/sbin/pcscd from system_u:object_r:bin_t:s0 to system_u:object_r:pcscd_exec_t:s0


I’ve never heard of this happening except in cases where file systems were mounted in alternate locations and written to. (For example, a chrooted OS mounted on a livecd)

Maybe it would help if you showed an example of paths and what context you found them in?  Knowing the incorrect context can sometimes help identify what is causing it.

$ sudo restorecon -rv *
Relabeled /etc/cups/client.conf from system_u:object_r:cupsd_etc_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/cups/cupsd.conf.default from system_u:object_r:cupsd_etc_t:s0 to system_u:object_r:cupsd_rw_etc_t:s0
Relabeled /etc/cups/printers.conf from system_u:object_r:cupsd_etc_t:s0 to system_u:object_r:cupsd_rw_etc_t:s0
Relabeled /etc/cups/cupsd.conf.rpmnew from system_u:object_r:cupsd_etc_t:s0 to system_u:object_r:cupsd_rw_etc_t:s0
Relabeled /etc/strongswan/ipsec.secrets from system_u:object_r:ipsec_conf_file_t:s0 to system_u:object_r:ipsec_key_file_t:s0
Relabeled /etc/sysconfig/snapd from system_u:object_r:etc_t:s0 to system_u:object_r:snappy_config_t:s0
$ sudo restorecon -rv *
Relabeled /usr/sbin/charon-systemd from system_u:object_r:bin_t:s0 to system_u:object_r:ipsec_exec_t:s0
Relabeled /usr/sbin/chpasswd from system_u:object_r:bin_t:s0 to system_u:object_r:passwd_exec_t:s0
Relabeled /usr/sbin/cryptsetup from system_u:object_r:bin_t:s0 to system_u:object_r:lvm_exec_t:s0
Relabeled /usr/sbin/cupsd from system_u:object_r:bin_t:s0 to system_u:object_r:cupsd_exec_t:s0
Relabeled /usr/sbin/fsck.btrfs from system_u:object_r:bin_t:s0 to system_u:object_r:fsadm_exec_t:s0
Relabeled /usr/sbin/fsck.exfat from system_u:object_r:bin_t:s0 to system_u:object_r:fsadm_exec_t:s0
Relabeled /usr/sbin/groupadd from system_u:object_r:bin_t:s0 to system_u:object_r:groupadd_exec_t:s0
Relabeled /usr/sbin/groupdel from system_u:object_r:bin_t:s0 to system_u:object_r:groupadd_exec_t:s0
Relabeled /usr/sbin/groupmod from system_u:object_r:bin_t:s0 to system_u:object_r:groupadd_exec_t:s0
Relabeled /usr/sbin/grpconv from system_u:object_r:bin_t:s0 to system_u:object_r:admin_passwd_exec_t:s0
Relabeled /usr/sbin/grpunconv from system_u:object_r:bin_t:s0 to system_u:object_r:admin_passwd_exec_t:s0
Relabeled /usr/sbin/keepalived from unconfined_u:object_r:bin_t:s0 to unconfined_u:object_r:keepalived_exec_t:s0
Relabeled /usr/sbin/lpadmin from system_u:object_r:bin_t:s0 to system_u:object_r:lpr_exec_t:s0
Relabeled /usr/sbin/lpc.cups from system_u:object_r:bin_t:s0 to system_u:object_r:lpr_exec_t:s0
Relabeled /usr/sbin/lpinfo from system_u:object_r:bin_t:s0 to system_u:object_r:lpr_exec_t:s0
Relabeled /usr/sbin/lpmove from system_u:object_r:bin_t:s0 to system_u:object_r:lpr_exec_t:s0
Relabeled /usr/sbin/mkfs.btrfs from system_u:object_r:bin_t:s0 to system_u:object_r:fsadm_exec_t:s0
Relabeled /usr/sbin/mkfs.exfat from system_u:object_r:bin_t:s0 to system_u:object_r:fsadm_exec_t:s0
Relabeled /usr/sbin/newusers from system_u:object_r:bin_t:s0 to system_u:object_r:useradd_exec_t:s0
Relabeled /usr/sbin/nmbd from system_u:object_r:bin_t:s0 to system_u:object_r:nmbd_exec_t:s0
Relabeled /usr/sbin/php-fpm from system_u:object_r:bin_t:s0 to system_u:object_r:httpd_exec_t:s0
Relabeled /usr/sbin/pwconv from system_u:object_r:bin_t:s0 to system_u:object_r:admin_passwd_exec_t:s0
Relabeled /usr/sbin/pwunconv from system_u:object_r:bin_t:s0 to system_u:object_r:admin_passwd_exec_t:s0
Relabeled /usr/sbin/rngd from system_u:object_r:bin_t:s0 to system_u:object_r:rngd_exec_t:s0
Relabeled /usr/sbin/smbd from system_u:object_r:bin_t:s0 to system_u:object_r:smbd_exec_t:s0
Relabeled /usr/sbin/sshd from system_u:object_r:bin_t:s0 to system_u:object_r:sshd_exec_t:s0
Relabeled /usr/sbin/strongswan from system_u:object_r:bin_t:s0 to system_u:object_r:ipsec_mgmt_exec_t:s0
Relabeled /usr/sbin/swanctl from system_u:object_r:bin_t:s0 to system_u:object_r:ipsec_mgmt_exec_t:s0
Relabeled /usr/sbin/useradd from system_u:object_r:bin_t:s0 to system_u:object_r:useradd_exec_t:s0
Relabeled /usr/sbin/userdel from system_u:object_r:bin_t:s0 to system_u:object_r:useradd_exec_t:s0
Relabeled /usr/sbin/usermod from system_u:object_r:bin_t:s0 to system_u:object_r:useradd_exec_t:s0
Relabeled /usr/sbin/vipw from system_u:object_r:bin_t:s0 to system_u:object_r:admin_passwd_exec_t:s0
Relabeled /usr/sbin/winbindd from system_u:object_r:bin_t:s0 to system_u:object_r:winbind_exec_t:s0

There are many other examples in /bin, /var/lib, /usr/lib.

--
Nick Urbanik             http://nicku.org           nicku@xxxxxxxxx
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
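
One way to act on the suggestion above to look at the incorrect contexts, as an added example that is not part of the original thread: it groups `restorecon -v` output by directory and by the type that was found, so a pattern such as every drifted file in /usr/sbin carrying `bin_t` stands out. The sample lines are copied from the output quoted in the message; the function names are hypothetical.

```python
import re
import sys
from collections import Counter, defaultdict
from posixpath import dirname

# "Relabeled ..." is printed by restorecon -v, "Would relabel ..." by restorecon -nv.
LINE_RE = re.compile(
    r"^(?:Relabeled|Would relabel) (?P<path>.+) from (?P<old>\S+) to (?P<new>\S+)$")

# Sample input: lines copied from the restorecon output quoted in the message.
SAMPLE = """\
Relabeled /etc/cups/printers.conf from system_u:object_r:cupsd_etc_t:s0 to system_u:object_r:cupsd_rw_etc_t:s0
Relabeled /etc/strongswan/ipsec.secrets from system_u:object_r:ipsec_conf_file_t:s0 to system_u:object_r:ipsec_key_file_t:s0
Relabeled /usr/sbin/cupsd from system_u:object_r:bin_t:s0 to system_u:object_r:cupsd_exec_t:s0
Relabeled /usr/sbin/keepalived from unconfined_u:object_r:bin_t:s0 to unconfined_u:object_r:keepalived_exec_t:s0
Relabeled /usr/sbin/sshd from system_u:object_r:bin_t:s0 to system_u:object_r:sshd_exec_t:s0
Relabeled /usr/sbin/useradd from system_u:object_r:bin_t:s0 to system_u:object_r:useradd_exec_t:s0
"""

def parse(text):
    """Yield (path, found_context, expected_context) for each relabel line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["path"], m["old"], m["new"]

def ctx_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(text):
    """Map (directory, type found) -> Counter of the types policy expected."""
    groups = defaultdict(Counter)
    for path, old, new in parse(text):
        groups[(dirname(path), ctx_type(old))][ctx_type(new)] += 1
    return groups

def lost_entrypoints(text):
    """Paths policy expects to be *_exec_t but that were found with another type."""
    return sorted(p for p, old, new in parse(text)
                  if ctx_type(new).endswith("_exec_t") and ctx_type(old) != ctx_type(new))

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (directory, found), expected in sorted(summarize(text).items()):
        print(f"{directory}: {sum(expected.values())} file(s) found as {found}")
        for exp, n in expected.most_common():
            print(f"    {n:4d} expected {exp}")
    print("executables missing their *_exec_t type:", lost_entrypoints(text))
```

Piping `sudo restorecon -rnv /usr/sbin` into the script reports the drift without changing any labels, since `-n` makes restorecon a passive check.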