#650 Issue closed: SELinux: missing /.autorelabel in RHEL 7.1¶
Labels: bug, fixed / solved / done
v1p3r0u5 opened issue at 2015-09-10 13:40:¶
Information:¶
Rear-Version: 1.17.2
OS: RHEL 7.1 latest
SELinux: targeted/enforcing
Backup-System: TSM
Problem:¶
Login after restore is not possible. Error: /bin/bash => Permission
denied.
It seems, that no /.autorelabel will be created after restore-process.
If I afterwards create the file by myself (rd.break), everything is
working fine. Same problem exists also when I use
BCKUP_SELINUX_DISABLE=0 in site.conf.
Output of sealert:¶
# sealert -a /var/log/audit/audit.log
Additional Information:
Source Context system_u:system_r:kernel_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0
Target Objects Unknown [ process ]
Source sshd
Source Path /usr/sbin/sshd
Port <Unknown>
Host <Unknown>
Source RPM Packages openssh-server-6.6.1p1-12.el7_1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-23.el7_1.13.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name xyz.ch
Platform Linux xyz.ch
3.10.0-229.11.1.el7.x86_64 #1 SMP Wed Jul 22
12:06:11 EDT 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-09-10 10:48:18 CEST
Last Seen 2015-09-10 10:48:18 CEST
Local ID 2c253544-4278-4cb6-b222-5d10b61d155d
Raw Audit Messages
type=AVC msg=audit(1441874898.668:134): avc: denied { dyntransition } for pid=1963 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1441874898.668:134): arch=x86_64 syscall=write success=no exit=EACCES a0=6 a1=7f8b22a956e0 a2=2a a3=666e6f636e753a72 items=0 ppid=1775 pid=1963 auid=7536 uid=7536 gid=100 euid=7536 suid=7536 fsuid=7536 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:kernel_t:s0 key=(null)
Hash: sshd,kernel_t,unconfined_t,process,dyntransition
Custom site.conf:¶
# cat /etc/rear/site.conf
OUTPUT=ISO
BACKUP=TSM
GRUB_RESCUE=n
KERNEL_CMDLINE="net.ifnames=0 biosdevname=0"
TMPDIR="/var/tmp/"
export TMPDIR
TSM_RESULT_FILE_PATH=/var/tmp/rear/output
Logfiles¶
No Results when I'm greping for selinux
# grep -i selinux /root/rear-2015-09-10T08:47:06+0000.log
---
# grep -i selinux /var/log/rear/rear-xyz.log
2015-09-10 11:03:50 Adding required /lib64/libselinux.so.1 to LIBS
Workaround:¶
- Edit Kernel Params while booting (add rd.break)
- Remount: /sysroot => # mount -o remount,rw /sysroot
- Chroot to /sysroot => # chroot /sysroot
- Add selinux-file => # touch /.autorelabel
- Restart Server
Thanks for having a look at it 👍
Ralf
bhaubeck commented at 2015-09-10 15:19:¶
hey ralf,
nice to read you here.
maybe you hit the same issue as me some days ago?
see the mail below (or search for the thread "not booting further than initrd after successful restore")
solution:
it was just /run missing.
ben
-------- Forwarded Message --------
Return-Path: bhaubeck@gmail.com
Received: from [172.29.2.245](p5B30D216.dip0.t-ipconnect.de.
[91.48.210.22]) by smtp.gmail.com with ESMTPSA id
c7sm82977wjb.19.2015.08.12.14.09.16 for
rear-users@lists.relax-and-recover.org (version=TLSv1.2
cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Aug 2015
14:09:17 -0700 (PDT)
Subject: Re: [rear-users] not booting further than initrd after
successful restore
To: rear-users@lists.relax-and-recover.org
References: 55CB2B54.6060908@gmail.com 55CB4290.2080200@gmail.com
4f99d0dcf9ae0a82904aaa87a626e8f8@it3.be 55CB46A7.40902@gmail.com
From: Benjamin Haubeck bhaubeck@gmail.com
Openpgp: id=E7E3A909494F7E28FADFC4400B162E663DF07A8A
Message-ID: 55CBB5F2.1070403@gmail.com
Date: Wed, 12 Aug 2015 23:09:06 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: 55CB46A7.40902@gmail.com
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
thx for your support.
i solved it now and it has nothing to do with relax and recover:
/run was missing in the backup and was causing this strange effects.
for some reason i still do not know, the TSM backup seems to exclude
not /run/* but /run at all...
and for some reason the rescue boot of the RHEL - CD is fixing a
missing /run silently, the installed version does not.
thx for your fast reactions and sorry for this kind of "false alarm".
kind regards,
ben
On 10.09.2015 15:40, Ralf Germann wrote:
Information:Rear-Version: 1.17.2
OS: RHEL 7.1 latest
SELinux: targeted/enforcing
Backup-System: TSMProblem:Login after restore is not possible. Error: /bin/bash => Permission denied.
It seems, that no /.autorelabel will be created after restore-process. If I afterwards create the file by myself (rd.break), everything is working fine. Same problem exists also when I use BCKUP_SELINUX_DISABLE=0 in site.conf.Output of sealert:|# sealert -a /var/log/audit/audit.log Additional Information: Source Context system_u:system_r:kernel_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0 Target Objects Unknown [ process ] Source sshd Source Path /usr/sbin/sshd Port
Host Source RPM Packages openssh-server-6.6.1p1-12.el7_1.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-23.el7_1.13.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name xyz.ch Platform Linux xyz.ch 3.10.0-229.11.1.el7.x86_64 #1 SMP Wed Jul 22 12:06:11 EDT 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-09-10 10:48:18 CEST Last Seen 2015-09-10 10:48:18 CEST Local ID 2c253544-4278-4cb6-b222-5d10b61d155d Raw Audit Messages type=AVC msg=audit(1441874898.668:134): avc: denied { dyntransition } for pid=1963 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1441874898.668:134): arch=x86_64
syscall=write success=no exit=EACCES a0=6 a1=7f8b22a956e0 a2=2a a3=666e6f636e753a72 items=0 ppid=1775 pid=1963 auid=7536 uid=7536 gid=100 euid=7536 suid=7536 fsuid=7536 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:kernel_t:s0 key=(null) Hash: sshd,kernel_t,unconfined_t,process,dyntransition |Custom site.conf:|# cat /etc/rear/site.conf OUTPUT=ISO BACKUP=TSM GRUB_RESCUE=n KERNEL_CMDLINE="net.ifnames=0 biosdevname=0" TMPDIR="/var/tmp/" export TMPDIR TSM_RESULT_FILE_PATH=/var/tmp/rear/output |
LogfilesNo Results when I'm greping for selinux
|# grep -i selinux /root/rear-2015-09-10T08:47:06+0000.log --- # grep -i selinux /var/log/rear/rear-xyz.log 2015-09-10 11:03:50 Adding required /lib64/libselinux.so.1 to LIBS |
Workaround:
- Edit Kernel Params while booting (add rd.break)
- Remount: /sysroot => # mount -o remount,rw /sysroot
- Chroot to /sysroot => # chroot /sysroot
- Add selinux-file => # touch /.autorelabel
- Restart Server
Thanks for having a look at it 👍
Ralf
—
Reply to this email directly or view it on GitHub https://github.com/rear/rear/issues/650.
Benjamin Haubeck
Key-Fingerprint: E7E3 A909 494F 7E28 FADF C440 0B16 2E66 3DF0 7A8A
v1p3r0u5 commented at 2015-09-10 18:22:¶
Hi Ben,
thx for your answer. Unfortunately this is not the solution. The issue with /run was solved with version 1.17.2. The boot process does complete, but login is not possible unless you relabel the whole system with help of /.autorelabel. Of course only when selinux is enforcing. ;-)
Cheers, Ralf
gdha commented at 2015-09-11 15:26:¶
@rg-fine It could be that with the BACKUP=TSM that there is no script
present that forces a SELinux relabel after the restore. Well, most
likely as you reported the issue, and when I check with
grep -r autorelabel /usr/share/rear I cannot find a method which
foresees this for TSM (or any other external backup program with
exceptions of RSYNC, RBME and DUPLICITY).
What you could do to test it out (a more generic fix) is the following:
mv /usr/share/rear/restore/DUPLICITY/default/50_selinux_autorelabel.sh /usr/share/rear/restore/default/
This way it will always being executed with any backup method. Please return feedback ;-)
v1p3r0u5 commented at 2015-09-15 07:22:¶
@gdha Thank you very much for the answer. I could test your recommendation. For me it worked like a charm to move the autorelabel script :-)
[Export of Github issue for rear/rear.]