Bug 930127 - selinux compatibility for merged-usr layout
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Reported: 2024-04-17 06:20 UTC by Alexander Weber
Modified: 2024-04-17 06:20 UTC


Description Alexander Weber 2024-04-17 06:20:34 UTC
I migrated my server to the merged-usr layout: 
https://www.gentoo.org/support/news-items/2022-12-01-systemd-usrmerge.html

After "emerge -e world" the system was broken.

Found out that some files in the /usr/bin folder lost their labels, because the SELinux rules still refer to /sbin or /usr/sbin.
"/sbin" and "/usr/sbin" are symlinks now, so no context rules are applied.


I did the correction using a local module, generating the .fc file with this script:
-------------------------
#!/bin/sh
# Generate /bin and /usr/bin file-context entries from the existing /sbin and
# /usr/sbin ones, which no longer match once those directories are symlinks.
set -eu

OUT=/root/.selocal/myx_system.fc
BINLIST="$(mktemp)"   # unpredictable temp name instead of a fixed /tmp path
trap 'rm -f "$BINLIST"' EXIT

# In "semanage fcontext -l" output the spec is the first column and the context
# the last; the type words in between vary ("directory", "regular file", ...),
# so pick columns with awk instead of relying on positional "read".
semanage fcontext -l | awk '/\/bin\// { print $1 }' > "$BINLIST"

semanage fcontext -l | awk '/\/sbin\// { print $1, $NF }' |
while read -r binary context; do
    [ "$context" = "<<None>>" ] && continue     # entry without a context
    BIN="$(printf '%s\n' "$binary" | sed 's:/sbin/:/bin/:g')"
    context="${context%:s0}"    # drop an MLS/MCS level; gen_context() adds it
    if grep -qFx -- "$BIN" "$BINLIST"; then     # exact spec match, not substring
        echo "$BIN already registered"
    else
        echo "register $BIN"
        # "--" (regular file) is assumed for every entry, as in the original script
        echo "$BIN       --      gen_context($context,s0)" >> "$OUT"
    fi
done
-------------------------

Basically the script searches for loaded "*/sbin/*" fcontexts, checks whether the same "*/bin/*" context already exists, and if not, adds a new "*/bin/*" entry.

My myx_system.fc is now 

-------------------------
/bin/halt       --      gen_context(system_u:object_r:shutdown_exec_t,s0)
/bin/shutdown       --      gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/kerberos/bin/kadmin.local       --      gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/bin/kadmind       --      gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/kerberos/bin/kpropd       --      gen_context(system_u:object_r:kpropd_exec_t,s0)
/usr/kerberos/bin/krb5kdc       --      gen_context(system_u:object_r:krb5kdc_exec_t,s0)
/usr/kerberos/bin/login.krb5       --      gen_context(system_u:object_r:login_exec_t,s0)
/usr/local/kerberos/bin/kadmind       --      gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/local/kerberos/bin/krb5kdc       --      gen_context(system_u:object_r:krb5kdc_exec_t,s0)
/usr/bin/dmeventd       --      gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/dmsetup.static       --      gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/generate-modprobe.conf       --      gen_context(system_u:object_r:kmod_exec_t,s0)
/usr/bin/halt       --      gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/bin/httpd(.worker)?       --      gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/httpd.event       --      gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/iftop       --      gen_context(system_u:object_r:netutils_exec_t,s0)
/usr/bin/lvm.static       --      gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/mkfs.cramfs       --      gen_context(system_u:object_r:bin_t,s0)
/usr/bin/mkfs.f2fs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/mount(.[^/]+)?       --      gen_context(system_u:object_r:mount_exec_t,s0)
/usr/bin/multipath       --      gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/multipath.static       --      gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/ntpctl       --      gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/bin/openrc       --      gen_context(system_u:object_r:rc_exec_t,s0)
/usr/bin/openrc-init       --      gen_context(system_u:object_r:init_exec_t,s0)
/usr/bin/openrc-shutdown       --      gen_context(system_u:object_r:init_exec_t,s0)
/usr/bin/php-fpm[^/]+       --      gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/php.*-fpm       --      gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/bin/pwhistory_helper       --      gen_context(system_u:object_r:updpwd_exec_t,s0)
/usr/bin/rc       --      gen_context(system_u:object_r:rc_exec_t,s0)
/usr/bin/semanage-python.*       --      gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/bin/sendmail(.sendmail)?       --      gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/sendmail.postfix       --      gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/shutdown       --      gen_context(system_u:object_r:shutdown_exec_t,s0)
/usr/bin/ss       --      gen_context(system_u:object_r:ss_exec_t,s0)
/usr/bin/umount(.[^/]+)?       --      gen_context(system_u:object_r:mount_exec_t,s0)
/usr/bin/update-smart-drivedb       --      gen_context(system_u:object_r:smartmon_update_drivedb_exec_t,s0)
/usr/bin/vgchange.static       --      gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/vgscan.static       --      gen_context(system_u:object_r:lvm_exec_t,s0)

-------------------------
Unsure if all of them are really required. 

Maybe it is possible to apply similar logic in selinux-policy-2.eclass, to add the missing "/usr/bin/" rules.
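As an added illustration (not part of the bug report, the reporter's script or Gentoo's policy code): the same /sbin-to-/bin translation in Python, run over a constructed sample of "semanage fcontext -l" output rather than a live system. It goes a little beyond the shell script above: it carries the file type over into the .fc flag ("--", "-d", ...) instead of assuming regular files, skips "<<None>>" entries, and strips an MLS/MCS level such as ":s0" so that gen_context() does not add a second one. The sample lines, including the directory and "<<None>>" entries, are made up for the demonstration; the function names are this example's own.

```python
import re

# Constructed sample of "semanage fcontext -l" output; not captured from a real host.
# Column layout: spec, type description (one or two words), context.
SAMPLE_FCONTEXT_LIST = """\
SELinux fcontext                 type               Context
/sbin/halt                       regular file       system_u:object_r:shutdown_exec_t:s0
/usr/sbin/httpd(.worker)?        regular file       system_u:object_r:httpd_exec_t:s0
/usr/sbin/lvm.static             regular file       system_u:object_r:lvm_exec_t
/usr/bin/lvm.static              regular file       system_u:object_r:lvm_exec_t
/usr/sbin/sstate                 directory          system_u:object_r:var_lib_t:s0
/usr/sbin/legacy                 all files          <<None>>
/usr/bin/.*                      all files          system_u:object_r:bin_t:s0
"""

# Type description as printed by semanage -> file-type flag used in .fc files.
FTYPE_FLAGS = {
    "all files": "",
    "regular file": "--",
    "directory": "-d",
    "character device": "-c",
    "block device": "-b",
    "socket": "-s",
    "symbolic link": "-l",
    "named pipe": "-p",
}


def parse_fcontext_list(text):
    """Return a list of (spec, type_description, context) tuples.

    The spec is the first whitespace-separated field and the context the last;
    everything in between is the type description, which may be one or two words.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("SELinux fcontext"):
            continue  # blank line or the header row
        fields = line.split()
        spec, context = fields[0], fields[-1]
        ftype = " ".join(fields[1:-1])
        entries.append((spec, ftype, context))
    return entries


def strip_level(context):
    """Drop anything after user:role:type (an MLS/MCS level such as s0 or s0-s0:c0.c1023).

    gen_context(ctx, s0) in the .fc file supplies the level again, so leaving it in
    would yield a context with two levels.
    """
    match = re.match(r"[^:]+:[^:]+:[^:]+", context)
    return match.group(0) if match else context


def missing_bin_entries(entries):
    """Return .fc lines for /sbin specs that have no /bin counterpart yet.

    Mirrors the /sbin/ -> /bin/ substitution of the reporter's script, but keeps
    the file type and skips entries that carry no context at all.
    """
    existing_bin = {spec for spec, _, _ in entries if "/bin/" in spec}
    lines = []
    for spec, ftype, context in entries:
        if "/sbin/" not in spec or context == "<<None>>":
            continue
        new_spec = spec.replace("/sbin/", "/bin/")
        if new_spec in existing_bin:
            continue  # a dedicated /bin rule already exists; leave it alone
        flag = FTYPE_FLAGS.get(ftype, "")  # unknown description -> match all file types
        parts = [new_spec, flag, f"gen_context({strip_level(context)},s0)"]
        lines.append(" ".join(p for p in parts if p))
    return lines


if __name__ == "__main__":
    for fc_line in missing_bin_entries(parse_fcontext_list(SAMPLE_FCONTEXT_LIST)):
        print(fc_line)
```

On a real system the sample text would be replaced by the output of "semanage fcontext -l", and the emitted lines appended to the local module's .fc file before rebuilding it; "/usr/bin/.*" in the sample stands for the generic bin_t fallback that catches the binaries once their /sbin-specific rules stop matching.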