Bug 905371 - sec-policy/selinux-base: Wrong fcontext of "/root"
Summary: sec-policy/selinux-base: Wrong fcontext of "/root"
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2023-04-30 10:22 UTC by David Sardari
Modified: 2024-08-25 01:35 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
sec-policy/selinux-base patch (sec-policy_selinux-base.patch,858 bytes, patch)
2024-08-25 01:35 UTC, David Sardari
Description David Sardari 2023-04-30 10:22:51 UTC
"/root" folder and content have wrong fcontext with "unconfined" useflag and SELINUXTYPE=mcs being used.


Reproducible: Always

Steps to Reproduce:
My installation steps, but don't set "-unconfined" as shown in the 2nd code block:
https://github.com/duxsco/gentoo-installation/blob/69f457dd1309bf70f08f8afb139821902ff0243f/docs/selinux.md

Actual Results:  
❯ ls -ldZ /root
drwx------. 1 root root system_u:object_r:default_t:s0 350 30. Apr 09:28 /root/



Expected Results:  
❯ ls -ldZ /root
drwx------. 1 root root root:object_r:user_home_dir_t:s0 304 30. Apr 09:34 /root/



With "unconfined" useflag and SELINUXTYPE=mcs, you get the following fcontext:

❯ ls -ldZ /root
drwx------. 1 root root system_u:object_r:default_t:s0 350 30. Apr 09:28 /root/


This leads to following SELinux denials:

----
[   42.593374] audit: type=1400 audit(1682803607.506:3): avc:  denied  { getattr } for  pid=4582 comm="loadkeys" path="/root" dev="dm-5" ino=76274 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
[   42.621347] audit: type=1400 audit(1682803607.506:4): avc:  denied  { getattr } for  pid=4583 comm="loadkeys" path="/root" dev="dm-5" ino=76274 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1


Object(s) mentioned in SELinux denials with inode number(s):

❯ find / -inum "76274" -context "system_u:object_r:default_t:s0"
/root


Without "unconfined" useflag, you don't get a denial:

❯ ls -ldZ /root
drwx------. 1 root root root:object_r:user_home_dir_t:s0 304 30. Apr 09:34 /root/

❯ sesearch --allow --source udev_t --target user_home_dir_t --class dir --perms getattr
allow nsswitch_domain user_home_dir_t:dir { getattr open search };


Removing these lines solved the denial:
https://github.com/gentoo-mirror/gentoo/blob/stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild#L102-L106
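Added example, not part of the report or of the selinux-base ebuild: a small checker that parses a seusers file for the root login mapping (the line the reporter says the ebuild's sed removes) and scans AVC lines for denials whose target is still labeled default_t. The sample seusers contents and AVC line are constructed to match what is quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the seusers content quoted in the report, with and
# without the explicit "root" mapping that the broken install is missing.
SEUSERS_OK = "root:root:s0-s0:c0.c1023\n__default__:unconfined_u:s0-s0\n"
SEUSERS_BROKEN = "__default__:unconfined_u:s0-s0\n"

# Constructed AVC line in the same shape as the kernel audit output above.
AVC_LINES = [
    '[   42.593374] audit: type=1400 audit(1682803607.506:3): avc:  denied  '
    '{ getattr } for  pid=4582 comm="loadkeys" path="/root" dev="dm-5" ino=76274 '
    'scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:default_t:s0 '
    'tclass=dir permissive=1',
]

def parse_seusers(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each login name to (SELinux user, MLS/MCS range); skip blanks and comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        login, seuser, mls = line.split(":", 2)  # range may itself contain ':'
        mapping[login] = (seuser, mls)
    return mapping

def root_mapping_problem(text: str) -> Optional[str]:
    """Describe why root would not get its own SELinux user, or None if it is mapped."""
    mapping = parse_seusers(text)
    if "root" not in mapping:
        return "no 'root' login mapping; root falls back to __default__"
    if mapping["root"][0] != "root":
        return f"root is mapped to {mapping['root'][0]!r} instead of 'root'"
    return None

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Dict[str, str]:
    """Extract key=value fields and the denied permission set from one AVC line."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    perms = re.search(r"denied\s+\{\s*([^}]*?)\s*\}", line)
    fields["perms"] = perms.group(1) if perms else ""
    return fields

def unlabeled_targets(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (path, source context) for denials whose target type is default_t."""
    hits = []
    for line in lines:
        f = parse_avc(line)
        parts = f.get("tcontext", "").split(":")
        if len(parts) > 2 and parts[2] == "default_t":
            hits.append((f.get("path", "?"), f.get("scontext", "")))
    return hits
```

A default_t target in an AVC denial usually means the path has no matching fcontext and needs relabeling once the mapping is fixed, rather than a new allow rule.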
Comment 1 Kenton Groombridge gentoo-dev 2023-05-18 13:36:43 UTC
Unless I'm missing something, I'm not able to reproduce this.

---
# grep SELINUXTYPE= /etc/selinux/config 
SELINUXTYPE=mcs

# emerge --info selinux-base
[...]
sec-policy/selinux-base-2.20221101-r4::gentoo was built with the following:
USE="systemd ubac unconfined unknown-perms userland_GNU -doc"

# matchpathcon /root
/root	root:object_r:user_home_dir_t:s0

# matchpathcon /home/concord
/home/concord	unconfined_u:object_r:user_home_dir_t:s0

# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
concord              unconfined_u         s0-s0                *
root                 root                 s0-s0                *
---
Comment 2 David Sardari 2023-08-19 21:30:53 UTC
I don't know what I do differently. In another test installation, I face the same problem.

Removing "-e '/root/d' -e " fixes the issue:

https://github.com/gentoo-mirror/gentoo/blob/009c813d340e60a982d7cb0dd286c51b67756a01/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild#L103

Then, the "seusers" files have the following content where the linux starting with "root" isn't missing:

❯ find / -xdev -name seusers | xargs head -n 99
==> /etc/selinux/mcs/seusers <==
root:root:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0

==> /var/lib/selinux/mcs/active/seusers <==
root:root:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0
Comment 3 David Sardari 2023-08-19 21:32:17 UTC
I meant "... where the lines* starting...".
Comment 4 David Sardari 2023-08-19 21:39:45 UTC
@concord Apparently, the "sed" line doesn't get applied in your case. I have:

❯ semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0                *
david                staff_u              s0-s0:c0.c1023       *
root                 root                 s0-s0:c0.c1023       *
Comment 5 David Sardari 2023-08-19 21:42:45 UTC
.... using the fix by removing "-e '/root/d' -e ".
Comment 6 tithom 2024-07-12 19:58:18 UTC
Hi, I have the same issue following the selinux install page using a hardened systemd stage3.

The one thing where I may have deviated was to use POLICY_TYPES="mcs strict targeted" in /etc/portage/make.conf and not just "mcs" for instance.

I think that the patch of David fixes it (e.g. id -Z shows unconfined for root and matchpathcon shows the right context for /root); however, relabeling made my system unbootable.
Comment 7 David Sardari 2024-08-25 01:35:59 UTC
Created attachment 901183
sec-policy/selinux-base patch

I attach my patch for completeness sake.