I migrated my server to the merged-usr layout: https://www.gentoo.org/support/news-items/2022-12-01-systemd-usrmerge.html After "emerge -e world" the system was broken. I found out that some files in the /usr/bin folder had lost their labels, because the SELinux rules still refer to /sbin or /usr/sbin. "/sbin" and "/usr/sbin" are symlinks now, so no context rules are applied. I did the correction using a local module, generating the fc file with this script:
-------------------------
#!/bin/sh
# Collect the file contexts already loaded for */bin/* paths; a */sbin/* rule
# whose */bin/* twin is in this list is skipped below.
BINLIST="$(mktemp)"
semanage fcontext -l | grep '/bin/' > "$BINLIST"

# `semanage fcontext -l` prints "<path> <file type> <context>"; the file type
# can be one or two words, so take the first and the last field explicitly.
semanage fcontext -l | grep '/sbin/' | while read -r line; do
    binary="${line%% *}"
    context="${line##* }"
    BIN="$(echo "$binary" | sed 's:/sbin/:/bin/:g')"
    if grep -qF "$BIN " "$BINLIST"; then
        echo "$BIN already registered"
    else
        echo "register $BIN"
        # "--" (regular file) is hard-coded; adjust for other file types
        echo "$BIN -- gen_context($context,s0)" >> /root/.selocal/myx_system.fc
    fi
done
rm -f "$BINLIST"
-------------------------
Basically the script searches for loaded "*/sbin/*" fcontexts, checks whether the same "*/bin/*" context already exists, and if not, adds a new "*/bin/*" one.
My myx_system.fc is now
-------------------------
/bin/halt -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/kerberos/bin/kadmin.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/bin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
/usr/kerberos/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
/usr/kerberos/bin/login.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
/usr/local/kerberos/bin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/local/kerberos/bin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
/usr/bin/dmeventd -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/dmsetup.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/generate-modprobe.conf -- gen_context(system_u:object_r:kmod_exec_t,s0)
/usr/bin/halt -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/bin/httpd(.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/httpd.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/iftop -- gen_context(system_u:object_r:netutils_exec_t,s0)
/usr/bin/lvm.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/mkfs.cramfs -- gen_context(system_u:object_r:bin_t,s0)
/usr/bin/mkfs.f2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/mount(.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
/usr/bin/multipath -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/multipath.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/ntpctl -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/bin/openrc -- gen_context(system_u:object_r:rc_exec_t,s0)
/usr/bin/openrc-init -- gen_context(system_u:object_r:init_exec_t,s0)
/usr/bin/openrc-shutdown -- gen_context(system_u:object_r:init_exec_t,s0)
/usr/bin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/php.*-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/pwhistory_helper -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/usr/bin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
/usr/bin/semanage-python.* -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/bin/sendmail(.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/sendmail.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/bin/ss -- gen_context(system_u:object_r:ss_exec_t,s0)
/usr/bin/umount(.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
/usr/bin/update-smart-drivedb -- gen_context(system_u:object_r:smartmon_update_drivedb_exec_t,s0)
/usr/bin/vgchange.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/vgscan.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
-------------------------
I am unsure if all of them are really required. Maybe it is possible to apply similar logic in selinux-policy-2.eclass, to add the missing "/usr/bin/" rules.
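The same sbin-to-bin mapping as the post describes, written as an added example (this is not the poster's script and not part of the Gentoo policy). It generalises the idea in two ways the post's script does not: the semanage file type is mapped to the matching .fc flag (`--`, `-l`, `-d`, ... or none for "all files") instead of being hard-coded to `--`, and a trailing MCS/MLS range such as `:s0` is stripped from the listed context before it is wrapped in `gen_context()`, so the macro does not end up with the level twice. The function names `fc_from_sbin` and `demo_fc` and the `semanage fcontext -l` sample lines are constructed for this example, not captured from a real host.

```shell
#!/bin/sh
# Added example: derive */bin/* file-context rules for every loaded */sbin/*
# rule that has no */bin/* counterpart. Not the original post's script.

# Constructed sample of `semanage fcontext -l` output (not from a real host);
# in real use, pipe the actual command's output into fc_from_sbin instead.
SAMPLE_FCONTEXTS='/sbin/halt                     regular file    system_u:object_r:shutdown_exec_t:s0
/sbin/shutdown                 regular file    system_u:object_r:shutdown_exec_t
/usr/sbin/halt                 regular file    system_u:object_r:shutdown_exec_t:s0
/usr/bin/halt                  regular file    system_u:object_r:shutdown_exec_t:s0
/usr/sbin/mount(.[^/]+)?       regular file    system_u:object_r:mount_exec_t:s0
/usr/kerberos/sbin/kadmind     regular file    system_u:object_r:kadmind_exec_t:s0
/usr/sbin/rc-service           symbolic link   system_u:object_r:bin_t:s0
/usr/sbin/unifi(/.*)?          all files       system_u:object_r:bin_t:s0'

# stdin: `semanage fcontext -l` lines; stdout: .fc lines for the missing /bin/ twins
fc_from_sbin() {
    awk '
    BEGIN {
        # semanage file type  ->  .fc file-type flag
        flag["regular file"] = "--";  flag["directory"] = "-d"
        flag["symbolic link"] = "-l"; flag["socket"] = "-s"
        flag["named pipe"] = "-p";    flag["character device"] = "-c"
        flag["block device"] = "-b";  flag["all files"] = ""
    }
    {
        # columns: <path regex> <file type, one or two words> <context>
        path[NR] = $1; ctx[NR] = $NF
        t = $2; for (i = 3; i < NF; i++) t = t " " $i
        ftype[NR] = t
        if (index($1, "/bin/")) existing[$1] = 1
    }
    END {
        for (n = 1; n <= NR; n++) {
            if (index(path[n], "/sbin/") == 0) continue
            twin = path[n]; gsub("/sbin/", "/bin/", twin)
            if (twin in existing) continue       # /bin/ twin already labelled
            if (!(ftype[n] in flag)) continue    # unknown file type: do not guess
            split(ctx[n], c, ":")                # keep user:role:type, drop any :s0 range
            base = c[1] ":" c[2] ":" c[3]
            sep = (flag[ftype[n]] == "") ? " " : (" " flag[ftype[n]] " ")
            printf "%s%sgen_context(%s,s0)\n", twin, sep, base
        }
    }'
}

# Wrapper over the constructed sample; returns the generated .fc text.
demo_fc() {
    printf '%s\n' "$SAMPLE_FCONTEXTS" | fc_from_sbin
}

# Real use, as root:
#   semanage fcontext -l | fc_from_sbin >> /root/.selocal/myx_system.fc
demo_fc
```

After the local module is rebuilt and loaded, `restorecon -RFv /usr/bin` applies the new labels and `matchpathcon /usr/bin/halt` shows which rule now matches a given path. Like the post's `grep '/sbin/'`, this only picks up rules whose path contains `/sbin/` followed by something; an entry written as `/usr/sbin(/.*)?` is not matched and would need a separate rule.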