Bug #37472

open

restorecon would relabel a lot of files

Added by Richard Stempfl 6 months ago. Updated 6 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Ticket for https://community.theforeman.org/t/restorecon-would-relabel-a-lot-of-files/37983
Problem:
restorecon would relabel a lot of files
Expected outcome:
No relabeling needed
Foreman and Proxy versions:
Last > 5 versions

Other relevant data:
SELinux is always enabled, and when I run restorecon -Rnv / after the installation, I see some files that should have a different label. Is the labeling done too early? E.g. /var/lib/foreman (if I execute foreman-selinux-relabel, some files are labeled correctly, e.g. /var/lib/foreman, but not all).

On my production Foreman, which I update often, other files appear which should have a different label.

e.g.
/var/lib/pulp/media/artifact/
/var/lib/foreman-proxy/ssh/config

The complete list is attached below.

New system:

restorecon -Rnv /
Would relabel /run/vmware from system_u:object_r:var_run_t:s0 to system_u:object_r:vmware_host_pid_t:s0
Would relabel /run/vmware/guestServicePipe from system_u:object_r:var_run_t:s0 to system_u:object_r:vmware_host_pid_t:s0
Would relabel /var/log/.vmware-deploy.Done from system_u:object_r:vmware_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /var/log/vmware-network.3.log from system_u:object_r:var_log_t:s0 to system_u:object_r:vmware_log_t:s0
Would relabel /var/log/vmware-network.2.log from system_u:object_r:var_log_t:s0 to system_u:object_r:vmware_log_t:s0
Would relabel /var/log/vmware-network.1.log from system_u:object_r:var_log_t:s0 to system_u:object_r:vmware_log_t:s0
Would relabel /var/log/vmware-network.log from system_u:object_r:var_log_t:s0 to system_u:object_r:vmware_log_t:s0
Would relabel /var/log/foreman-proxy/cron.log from system_u:object_r:cron_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /var/log/foreman-proxy/openscap-send.log from system_u:object_r:cron_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /var/lib/selinux/mls/semanage.read.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_read_lock_t:s0
Would relabel /var/lib/selinux/mls/semanage.trans.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_trans_lock_t:s0
Would relabel /var/lib/selinux/minimum/semanage.read.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_read_lock_t:s0
Would relabel /var/lib/selinux/minimum/semanage.trans.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_trans_lock_t:s0
Would relabel /var/lib/selinux/strict/semanage.read.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_read_lock_t:s0
Would relabel /var/lib/selinux/strict/semanage.trans.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_trans_lock_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_virt_who_configure from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_snapshot_management from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_acd from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_ansible from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_azure_rm from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_openscap from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_puppet from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_salt from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_webhooks from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_scc_manager from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_fog_proxmox from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_bootdisk from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_discovery from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_google from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_ansible from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_google from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_puppet from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_webhooks from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_snapshot_management from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_scc_manager from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_acd from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_bootdisk from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_discovery from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_openscap from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/pgsql/data/log from system_u:object_r:postgresql_db_t:s0 to system_u:object_r:postgresql_log_t:s0
Would relabel /var/lib/pgsql/data/log/postgresql-Wed.log from system_u:object_r:postgresql_db_t:s0 to system_u:object_r:postgresql_log_t:s0
Would relabel /var/lib/foreman-proxy/ssh/config from system_u:object_r:usr_t:s0 to system_u:object_r:var_lib_t:s0
Would relabel /etc/tomcat/conf.d/jaas.conf from system_u:object_r:usr_t:s0 to system_u:object_r:etc_t:s0
Would relabel /etc/tomcat/login.config from system_u:object_r:usr_t:s0 to system_u:object_r:etc_t:s0
Would relabel /etc/tomcat/cert-users.properties from system_u:object_r:usr_t:s0 to system_u:object_r:etc_t:s0
Would relabel /etc/tomcat/cert-roles.properties from system_u:object_r:usr_t:s0 to system_u:object_r:etc_t:s0
Would relabel /root/ssl-build/k.i.t.t/k.i.t.t-apache-1.0-1.noarch.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/k.i.t.t/k.i.t.t-apache-1.0-1.src.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/k.i.t.t/k.i.t.t-foreman-proxy-1.0-1.noarch.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/k.i.t.t/k.i.t.t-foreman-proxy-1.0-1.src.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/k.i.t.t/k.i.t.t-foreman-client-1.0-1.noarch.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/k.i.t.t/k.i.t.t-foreman-client-1.0-1.src.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/k.i.t.t/k.i.t.t-foreman-proxy-client-1.0-1.noarch.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/k.i.t.t/k.i.t.t-foreman-proxy-client-1.0-1.src.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/k.i.t.t/k.i.t.t-puppet-client-1.0-1.noarch.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/k.i.t.t/k.i.t.t-puppet-client-1.0-1.src.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/katello-default-ca-1.0-1.noarch.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/katello-default-ca-1.0-1.src.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/katello-server-ca-1.0-1.noarch.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/katello-server-ca-1.0-1.src.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/localhost/localhost-tomcat-1.0-1.noarch.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /root/ssl-build/localhost/localhost-tomcat-1.0-1.src.rpm from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:admin_home_t:s0
Would relabel /opt/puppetlabs/server/data/puppetserver/lib from system_u:object_r:usr_t:s0 to system_u:object_r:lib_t:s0

Updated system:

restorecon -Rnv /
Would relabel /boot/loader/entries/1b52eb80c3fe4d51aafa5e2a23f7bae3-4.18.0-513.18.1.el8_9.x86_64.conf from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /run/vmware from system_u:object_r:var_run_t:s0 to system_u:object_r:vmware_host_pid_t:s0
Would relabel /run/vmware/guestServicePipe from system_u:object_r:var_run_t:s0 to system_u:object_r:vmware_host_pid_t:s0
Would relabel /var/log/dnf.log.1 from system_u:object_r:rpm_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /var/log/foreman-proxy/cron.log from system_u:object_r:cron_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /var/log/foreman-proxy/openscap-send.log from system_u:object_r:cron_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /var/log/dnf.log from system_u:object_r:rpm_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /var/log/dnf.librepo.log from system_u:object_r:rpm_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /var/log/dnf.log.2 from system_u:object_r:rpm_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /var/lib/selinux/mls/semanage.read.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_read_lock_t:s0
Would relabel /var/lib/selinux/mls/semanage.trans.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_trans_lock_t:s0
Would relabel /var/lib/selinux/minimum/semanage.read.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_read_lock_t:s0
Would relabel /var/lib/selinux/minimum/semanage.trans.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_trans_lock_t:s0
Would relabel /var/lib/selinux/strict/semanage.read.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_read_lock_t:s0
Would relabel /var/lib/selinux/strict/semanage.trans.LOCK from unconfined_u:object_r:semanage_store_t:s0 to unconfined_u:object_r:semanage_trans_lock_t:s0
Would relabel /var/lib/foreman/public/assets/bastion from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/bastion_katello from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_acd from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_puppet from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/katello from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_fog_proxmox from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_rh_cloud from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_puppet from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_rh_cloud from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/katello from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_acd from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/pgsql/data/log from system_u:object_r:postgresql_db_t:s0 to system_u:object_r:postgresql_log_t:s0
Would relabel /var/lib/pgsql/data/log/postgresql-Fri.log from system_u:object_r:postgresql_db_t:s0 to system_u:object_r:postgresql_log_t:s0
Would relabel /var/lib/pgsql/data/log/postgresql-Sat.log from system_u:object_r:postgresql_db_t:s0 to system_u:object_r:postgresql_log_t:s0
Would relabel /var/lib/pgsql/data/log/postgresql-Sun.log from system_u:object_r:postgresql_db_t:s0 to system_u:object_r:postgresql_log_t:s0
Would relabel /var/lib/pgsql/data/log/postgresql-Mon.log from system_u:object_r:postgresql_db_t:s0 to system_u:object_r:postgresql_log_t:s0
Would relabel /var/lib/pgsql/data/log/postgresql-Tue.log from system_u:object_r:postgresql_db_t:s0 to system_u:object_r:postgresql_log_t:s0
Would relabel /var/lib/pgsql/data/log/postgresql-Wed.log from system_u:object_r:postgresql_db_t:s0 to system_u:object_r:postgresql_log_t:s0
Would relabel /var/lib/pgsql/data/log/postgresql-Thu.log from system_u:object_r:postgresql_db_t:s0 to system_u:object_r:postgresql_log_t:s0
Would relabel /var/lib/foreman-proxy/ssh/config from system_u:object_r:usr_t:s0 to system_u:object_r:var_lib_t:s0
Would relabel /var/lib/pulp/media/artifact/95/8eba381c20e4999f45ded67eb6d80f5a264fbd271a9a88c14af2db42fcb548 from system_u:object_r:pulpcore_server_var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
Would relabel /var/lib/pulp/media/artifact/95/a586f803b749f4f9ff97ef9353852b5b089d849772d02892c4ee24360c461c from system_u:object_r:pulpcore_server_var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
...
cut (a lot of artifact files)
...
Would relabel /opt/puppetlabs/server/data/puppetserver/lib from system_u:object_r:usr_t:s0 to system_u:object_r:lib_t:s0
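
One way to triage a dry-run listing like the two above is to group its lines by path prefix and type transition, which separates the Foreman-owned mismatches (usr_t to foreman_lib_t under /var/lib/foreman) from unrelated ones. This is an added example, not part of the ticket or of Foreman's tooling; the function names are hypothetical, and the sample lines are copied from the listings above.

```python
import re
from collections import Counter

# Dry-run line format, as printed in the listings above:
#   Would relabel <path> from <user:role:type:level> to <user:role:type:level>
LINE_RE = re.compile(r"^\s*Would relabel (?P<path>.+) from (?P<old>\S+) to (?P<new>\S+)\s*$")

# Sample input: four lines copied from the ticket, plus the command echo and
# the "..." marker that a pasted listing contains (both must be skipped).
SAMPLE = """\
restorecon -Rnv /
Would relabel /var/log/foreman-proxy/cron.log from system_u:object_r:cron_log_t:s0 to system_u:object_r:var_log_t:s0
Would relabel /var/lib/foreman/public/assets/foreman_acd from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman/public/webpack/foreman_acd from system_u:object_r:usr_t:s0 to system_u:object_r:foreman_lib_t:s0
Would relabel /var/lib/foreman-proxy/ssh/config from system_u:object_r:usr_t:s0 to system_u:object_r:var_lib_t:s0
...
"""

def context_type(context):
    """Return the type (third field) of an SELinux context, or None."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None

def parse_line(line):
    """Return (path, old_type, new_type), or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    old_type, new_type = context_type(m["old"]), context_type(m["new"])
    if old_type is None or new_type is None:
        return None
    return m["path"], old_type, new_type

def summarize(output, depth=3):
    """Count would-be relabels per (path prefix, old type, new type)."""
    counts = Counter()
    for line in output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, old_type, new_type = parsed
        prefix = "/".join(path.split("/")[: depth + 1])
        counts[(prefix, old_type, new_type)] += 1
    return counts

def report(counts):
    """Format the summary, most frequent transition first."""
    return [f"{n:5d}  {prefix}  {old} -> {new}"
            for (prefix, old, new), n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

To summarize a real run, pass the captured text of `restorecon -Rnv /` to `summarize()` in place of `SAMPLE`.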

#1

Updated by Richard Stempfl 6 months ago

  • Description updated (diff)