On 08/04/2015 11:54 PM, Jason Zaman wrote:
> On Tue, Aug 04, 2015 at 03:33:05PM -0700, Bond Masuda wrote:
>> Hello,
>>
>> Normally, if I need to ensure that all the SELinux file contexts are
>> correct, I run:
>>
>> restorecon -R -v /
>>
>> However, in the current situation, I need to do that on a system that is
>> offline, where I have its root and entire file system mounted under
>> /mnt. I tried:
>>
>> chroot /mnt /usr/sbin/restorecon -R -v /mnt
>>
>> hoping it would have the same effect, but it does not appear to. When I
>> boot the offline system, it shows a lot of SELinux mislabelings.
>>
>> Is there a way to fix SELinux file contexts of another system while it
>> is offline?
>>
>> Thanks for any help...
>> -Bond
> Look at setfiles, you want something like this:
>
> setfiles -vr /mnt/ /etc/selinux/strict/contexts/files/file_contexts /mnt/
>
> from setfiles(8):
> -r rootpath
> use an alternate root path.
>
> -- Jason

Thanks to your hint and the other replies, I was able to use setfiles to solve most of the labeling issues. However, there are a few remaining problems. I also learned that setfiles doesn't seem to traverse distinct filesystems, so I had to iterate through the list of filesystems mounted under /mnt and iterate through each fcontext file.
After all this, the following remain mislabeled:

[root@localhost /]# restorecon -v -n -r /
restorecon reset / context system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0
restorecon reset /usr/sbin/tzdata-update context system_u:object_r:bin_t:s0->system_u:object_r:tzdata_exec_t:s0
restorecon reset /sbin/shutdown context system_u:object_r:bin_t:s0->system_u:object_r:shutdown_exec_t:s0
restorecon reset /sbin/consoletype context system_u:object_r:bin_t:s0->system_u:object_r:consoletype_exec_t:s0
restorecon reset /.autofsck context system_u:object_r:mnt_t:s0->system_u:object_r:etc_runtime_t:s0

I looked through the fcontexts files, and sure enough, they are mislabeled:

[root@localhost files]# pwd
/etc/selinux/targeted/contexts/files
[root@localhost files]# grep -E "tzdata-update|/sbin/shutdown|/sbin/consoletype" *
file_contexts:/sbin/shutdown -- system_u:object_r:shutdown_exec_t:s0
file_contexts:/sbin/consoletype -- system_u:object_r:consoletype_exec_t:s0
file_contexts:/usr/sbin/shutdown -- system_u:object_r:shutdown_exec_t:s0
file_contexts:/usr/sbin/tzdata-update -- system_u:object_r:tzdata_exec_t:s0

The way I'm running setfiles is basically like this:

chroot /mnt/test /sbin/setfiles -v -F -e /proc -e /sys -e /dev -e /selinux /etc/selinux/targeted/contexts/files/file_contexts /

but iterating through each filesystem under "/" (in the chroot /mnt/test).

Can anyone help me explain why the 5 file paths above remain mislabeled after running setfiles?

Thanks,
-Bond

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
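The offline relabel discussed in this thread, as an added shell example that is not part of the original posts or of the setfiles project: it lists the real filesystems mounted at or below the offline root and runs setfiles once per mount point from the host, using -r so that the mount prefix is stripped before each path is matched against file_contexts (the setfiles(8) behaviour Jason quoted above). The ROOT, POLICY and DRY_RUN variables, the /proc/mounts-format mount table argument and the list of skipped pseudo-filesystems are assumptions made for the example; it also assumes the host's loaded policy accepts the types named in the offline tree's file_contexts, since setfiles validates contexts against the running policy.

```shell
#!/bin/sh
# Relabel an offline root filesystem tree mounted under $ROOT.
# Added example for this thread, not the poster's script.
# Assumptions (not from the thread): policy name in $POLICY, a mount
# table in /proc/mounts format, and a DRY_RUN switch that only prints
# the commands. Real runs need root and the SELinux policy loaded on the host.

ROOT=${ROOT:-/mnt}
POLICY=${POLICY:-targeted}
# Use the offline tree's own file_contexts, not the host's.
FC=$ROOT/etc/selinux/$POLICY/contexts/files/file_contexts
DRY_RUN=${DRY_RUN:-1}

# Print every mount point at or below $ROOT that is a real, labelable
# filesystem; the pseudo-filesystem skip list is an assumption, chosen
# because those carry no on-disk labels worth resetting.
mounts_under_root() {
    # $1: mount table file in /proc/mounts format: dev mountpoint fstype opts ...
    awk -v root="$ROOT" '
        $2 == root || index($2, root "/") == 1 {
            if ($3 ~ /^(proc|sysfs|devtmpfs|devpts|tmpfs|selinuxfs|cgroup|debugfs)$/) next
            print $2
        }' "$1"
}

# Build one setfiles invocation. -r ROOT makes setfiles strip ROOT from each
# path before matching, so $ROOT/usr/sbin/shutdown is matched against the
# /usr/sbin/shutdown entry in file_contexts. -F forces a full reset of the
# context, not just the type portion.
setfiles_cmd() {
    # $1: mount point at or below $ROOT
    printf 'setfiles -v -F -r %s %s %s' "$ROOT" "$FC" "$1"
}

# One setfiles run per filesystem, since (as noted in the thread) setfiles
# does not descend into other filesystems mounted beneath its start path.
relabel_offline() {
    # $1: mount table file
    mounts_under_root "$1" | while IFS= read -r mp; do
        cmd=$(setfiles_cmd "$mp")
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# Usage: [ROOT=/mnt] [POLICY=targeted] [DRY_RUN=0] sh relabel-offline.sh /proc/mounts
if [ $# -gt 0 ]; then
    relabel_offline "$1"
fi
```

Run it first with the default DRY_RUN=1 to review the generated setfiles commands, then with DRY_RUN=0 as root; afterwards `restorecon -n -v -r /` on the booted system, as in the post above, shows whatever is still left mislabeled.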