Re: abnormal SELinux context labels

[Bond Masuda <bond.masuda@xxxxxxxxxx>]

On 06/22/2016 11:30 AM, Simon Sekidde wrote:
> ----- Original Message -----
> > From: "Simon Sekidde" <ssekidde@xxxxxxxxxx>
> > To: "Bond Masuda" <bond.masuda@xxxxxxxxxx>
> > Cc: selinux@xxxxxxxxxxxxx
> > Sent: Wednesday, June 22, 2016 2:22:18 PM
> > Subject: Re: abnormal SELinux context labels
> >
> >
> >
> > ----- Original Message -----
> > > From: "Bond Masuda" <bond.masuda@xxxxxxxxxx>
> > > To: selinux@xxxxxxxxxxxxx
> > > Sent: Wednesday, June 22, 2016 2:05:17 PM
> > > Subject: abnormal SELinux context labels
> > >
> > > I'm installing CentOS 7 in a chroot'd environment to build new images of
> > > CentOS 7 for a private cloud environment. I've done this successfully
> > > before
> > > with CentOS 6 (with help from this list) and we have an automated process
> > > of
> > > doing that now. I'm now porting our process to do similarly for CentOS 7.
> > > However, after our process is complete, certain directories/symlinks have
> > > abnormal SELinux contexts assigned to them. This causes the system to fail
> > > to boot since we have SELinux enforcing by default and one of the
> > > problematic symlinks is /lib64.
> > >
> > > Here is what we see in the CentOS 7 build tree root directory, right after
> > > a
> > > fresh install of CentOS 7 from the full updates repo:
> > >
> > > # ls -alZ /
> > > dr-xr-xr-x. root root system_u:object_r:root_t:s0 .
> > > dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
> > > drwxr-xr-x. root root system_u:object_r:auditd_log_t:s0 audit
> > > lrwxrwxrwx. root root system_u:object_r:bin_t:s0 bin -> usr/bin
> > > dr-xr-xr-x. root root system_u:object_r:boot_t:s0 boot
> > > drwxr-xr-x. root root unconfined_u:object_r:unlabeled_t:s0 dev
> > > drwxr-xr-x. root root system_u:object_r:etc_t:s0 etc
> > > drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
> > > lrwxrwxrwx. root root /usr/lib lib -> usr/lib
> > > lrwxrwxrwx. root root /usr/lib lib64 -> usr/lib64
> > > drwxr-xr-x. root root system_u:object_r:mnt_t:s0 media
> > > drwxr-xr-x. root root system_u:object_r:mnt_t:s0 mnt
> > > drwxr-xr-x. root root system_u:object_r:usr_t:s0 opt
> > > drwxr-xr-x. root root unconfined_u:object_r:unlabeled_t:s0 proc
> > > dr-xr-x---. root root system_u:object_r:admin_home_t:s0 root
> > > drwxr-xr-x. root root /var/run run
> > > lrwxrwxrwx. root root system_u:object_r:bin_t:s0 sbin -> usr/sbin
> > > drwxr-xr-x. root root system_u:object_r:var_t:s0 srv
> > > drwxr-xr-x. root root unconfined_u:object_r:unlabeled_t:s0 sys
> > > drwxrwxrwt. root root system_u:object_r:tmp_t:s0 tmp
> > > drwxr-xr-x. root root system_u:object_r:usr_t:s0 usr
> > > drwxr-xr-x. root root system_u:object_r:var_t:s0 var
> > >
> > > As you can see, the SELinux context for "lib", is "/usr/lib"!!! and
> > > similarly, for "lib64", it is "/usr/lib" ... those are not even valid
> > > context labels!
> Taking a closer look, is Is /usr on a separate partition?
No, /usr is not on separate partition. Here's the partition scheme:

/dev/mapper/vg_system-lv_root -> /
/dev/mapper/loop0p1 -> /boot
/dev/mapper/vg_system-lv_audit -> /audit
/dev/mapper/vg_system-lv_home -> /home
/dev/mapper/vg_system-lv_tmp -> /tmp
/dev/mapper/vg_system-lv_var -> /var
/dev/mapper/vg_system-lv_var_log -> /var/log

This is a disk image mounted via loopback, and we use LVM2. Thanks for 
looking at it again...

> > > How can an invalid string like "/usr/lib" even be assigned as a SELinux
> > > label
> > > in the first place?
> > Its not the SELinux label but a symbolic link
> >
> > /lib is a symbolic link to /usr/lib
> > /lib64 is a symbolic link to /usr/lib64
> >
> > And both of which have the same type 'lib_t'
> >
> > $ matchpathcon /lib /lib64
> >
> > > I can workaround this with a manual fix using 'chcon
> > > system_u:object_r:type_label:s0 path', but I'm just wondering how this can
> > > happen in the first place? When I try to manually reproduce the invalid
> > > label, I get this:
> > >
> > > # chcon /usr/lib lib
> > > chcon: invalid context: /usr/lib
> > >
> > > Any insights would be appreciated...
> > > Bond
> > >
> > >
> > > _______________________________________________
> > > Selinux mailing list
> > > Selinux@xxxxxxxxxxxxx
> > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> > > To get help, send an email containing "help" to
> > > Selinux-request@xxxxxxxxxxxxx.
> > --
> > Simon Sekidde * Red Hat, Inc. * Westford, MA
> > gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@xxxxxxxxxxxxx
> > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> > To get help, send an email containing "help" to
> > Selinux-request@xxxxxxxxxxxxx.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.