> On 7 Sep 2016, at 7:03 PM, Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
>
>> On 08/31/2016 09:53 AM, Paul Bolton wrote:
>>
>>> On 31/08/16 07:37, ileyd wrote:
>>>
>>> Have you managed to correct the incorrect labelling of /etc? When I've tried to use the MLS policy on RHEL/CentOS 7-7.2, that has stopped logins from working when running in enforcing mode.
>>
>> So if I turn off the dontaudit rules that issue shows up with unix_chkpwd and mls_constrain AVCs. Admittedly I did notice it was at s15 but thought that was intentional. Though, as most of the files in /etc are at s0, that doesn't sound right.
>>
>> Anyway, changing /etc to s0 allows logins to work, and looks more like what I would expect an out-of-the-box MLS system to look like.
>>
>> Thanks for the advice.
>
> This is a bug in initscripts.
>
> /usr/lib/systemd/rhel-import-state copies files from initrd to a filesystem during boot but doesn't reset the level on the copied files. Since dracut is running as ks15, copied files inherit the s15 level. The fix is quite easy:
>
> --- /usr/lib/systemd/rhel-import-state.bug 2016-09-07
> 04:44:45.413231227 -0400
> +++ /usr/lib/systemd/rhel-import-state 2016-09-07 04:44:51.645274588 -0400
> @@ -7,5 +7,5 @@
>
> # run restorecon on the copied files
> if [ -e /sys/fs/selinux/enforce -a -x /usr/sbin/restorecon ]; then
> - find . -mindepth 1 -print0 | { cd / && xargs --null restorecon -i; }
> + find . -mindepth 1 -print0 | { cd / && xargs --null restorecon -i -F; }
> fi
>
> Petr
> --
> Petr Lautrbach

Thanks for sharing that!

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
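Review bot: the comment `# run restorecon on the copied files` should now state why `-F` is required, because without it `restorecon` resets only the type portion of a file's context and leaves the user, role and MLS range as the copying process set them, which is exactly how the s15 level described above survived the original call; a comment such as `# -F also resets the MLS level inherited from dracut (s15)` would keep a later cleanup from dropping the flag as redundant. While touching this block, `[ -e A -a -x B ]` is only portable written as `[ -e A ] && [ -x B ]`, since the binary `-a` operator of `test` is obsolescent in POSIX.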
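As an added check that is not part of the thread: a small parser for SELinux file contexts that scans `ls -Z`-style output (lines of the form `<context> <path>`) and reports every file whose low sensitivity differs from s0, which is the symptom Paul described under /etc. The sample listing is constructed for the example.

```python
"""Report files whose SELinux MLS sensitivity is not the expected system-low.

Assumes each input line is "<user>:<role>:<type>[:<range>] <path>", as
coreutils `ls -Z` prints it. The sample below is constructed, not real output.
"""
from dataclasses import dataclass

# Constructed sample: two files carry the s15 level left behind by a copy
# from the initrd, the rest sit at s0 as expected on an MLS system.
SAMPLE_LS_Z = """\
system_u:object_r:etc_t:s0 /etc/fstab
system_u:object_r:etc_t:s15 /etc/passwd
system_u:object_r:shadow_t:s15 /etc/shadow
system_u:object_r:etc_t:s0 /etc/hostname
system_u:object_r:locale_t:s0-s15:c0.c1023 /etc/localtime
"""


@dataclass
class Context:
    user: str
    role: str
    type: str
    range: str  # MLS/MCS component, e.g. "s0", "s15" or "s0-s15:c0.c1023"


def parse_context(ctx: str) -> Context:
    """Split a context string; the range is optional on non-MLS policies."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    user, role, type_ = parts[:3]
    return Context(user, role, type_, parts[3] if len(parts) == 4 else "")


def low_level(range_: str) -> str:
    """Low sensitivity of a range: 's0-s15:c0.c1023' -> 's0', 's15' -> 's15'."""
    return range_.split("-", 1)[0].split(":", 1)[0]


def find_mislabelled(ls_z_output: str, expected_low: str = "s0") -> list[tuple[str, str]]:
    """Return (path, range) for every entry whose low sensitivity is wrong."""
    bad = []
    for line in ls_z_output.splitlines():
        if not line.strip():
            continue
        ctx, _, path = line.strip().partition(" ")
        rng = parse_context(ctx).range
        if rng and low_level(rng) != expected_low:
            bad.append((path, rng))
    return bad


if __name__ == "__main__":
    for path, rng in find_mislabelled(SAMPLE_LS_Z):
        print(f"{path}: {rng} (expected low level s0)")
```

On a live system feed it `ls -Z /etc` output; files it lists are candidates for `restorecon -F`, since `restorecon` without `-F` leaves the range untouched.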