On 08/31/2016 09:53 AM, Paul Bolton wrote:
>
>
> On 31/08/16 07:37, ileyd wrote:
>>
>> Have you managed to correct the incorrect labelling of /etc? When I've tried to use the MLS policy on RHEL/CentOS 7-7.2, that has stopped logins from working when running in enforcing mode.
>>
>
> So if I turn off the dontaudit rules that issue shows up with
> unix_chkpwd and mls_constrain AVCs. Admittedly I did notice it was at
> s15 but thought that was intentional. Though, as most of the files in
> /etc are at s0 that doesn't sound right.
>
> Anyway, changing /etc to s0 allows logins to work; and looks more like
> what I would expect an out-of-the-box MLS system to look like.
>
> Thanks for the advice.
>

This is a bug in initscripts. /usr/lib/systemd/rhel-import-state copies files from initrd to a filesystem during boot but doesn't reset the level on the copied files. Since dracut is running as s15, the copied files inherit the s15 level. The fix is quite easy:

--- /usr/lib/systemd/rhel-import-state.bug	2016-09-07 04:44:45.413231227 -0400
+++ /usr/lib/systemd/rhel-import-state	2016-09-07 04:44:51.645274588 -0400
@@ -7,5 +7,5 @@
 # run restorecon on the copied files
 if [ -e /sys/fs/selinux/enforce -a -x /usr/sbin/restorecon ]; then
-	find . -mindepth 1 -print0 | { cd / && xargs --null restorecon -i; }
+	find . -mindepth 1 -print0 | { cd / && xargs --null restorecon -i -F; }
 fi

Petr

--
Petr Lautrbach
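Review bot: the one-character change is correct, but the script should carry a comment saying why `-F` is required, otherwise a later cleanup may drop it as redundant. Without `-F`, restorecon resets only the type component of the context and leaves the s15 level that dracut gave the copied files, which is exactly the unix_chkpwd / mls_constrain denial reported above; `-F` forces the user, role and level to be reset as well. Something like `# -F: also reset the MLS level, files copied from the initrd inherit dracut's s15` next to the existing `# run restorecon on the copied files` line would do. The `if` guard itself is fine: it runs the relabel whenever selinuxfs is mounted and restorecon is present, so the fix applies in permissive mode too, not only when enforcing.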
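A quick way to check whether a box has been bitten by this (added example, not from the thread or from initscripts): a small POSIX sh filter that reports files whose MLS level differs from the expected one. It assumes `ls -Z`-style "context path" input lines with the context as user:role:type:level, and the sample lines are constructed to mirror the s15 symptom above.

```shell
#!/bin/sh
# Added example, not from the thread: flag files whose MLS level is not the
# expected one, so a host hit by the rhel-import-state bug can be checked fast.
# Input is assumed to be "context path" lines as `ls -Z` prints them, with the
# context as user:role:type:level. The level may be a range such as
# s0-s15:c0.c1023, so everything after the third colon is taken as the level.
mls_mismatches() {
    expected="$1"
    while read -r ctx path; do
        [ -z "$ctx" ] && continue
        rest=${ctx#*:}; rest=${rest#*:}; level=${rest#*:}
        if [ "$level" != "$expected" ]; then
            printf '%s %s\n' "$level" "$path"
        fi
    done
}

# Constructed sample modelled on the symptom in the thread: files copied from
# the initrd kept dracut's s15 level while the rest of /etc sits at s0.
SAMPLE='system_u:object_r:etc_t:s0 passwd
system_u:object_r:shadow_t:s15 shadow
system_u:object_r:etc_t:s15 group
system_u:object_r:etc_t:s0-s15:c0.c1023 machine-id'

# Number of mismatching entries in the constructed sample (3 here).
sample_mismatch_count() {
    printf '%s\n' "$SAMPLE" | mls_mismatches s0 | wc -l | tr -d ' '
}

sample_mismatch_count
```

On a live system the same check is `ls -Z /etc | mls_mismatches s0`; if it lists anything, `restorecon -F -R /etc` does by hand what the patched script does at boot.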
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.