#650 Issue closed: SELinux: missing /.autorelabel in RHEL 7.1

Labels: bug, fixed / solved / done

v1p3r0u5 opened issue at 2015-09-10 13:40:

Information:

Rear-Version: 1.17.2
OS: RHEL 7.1 latest
SELinux: targeted/enforcing
Backup-System: TSM

Problem:

Login after restore is not possible. Error: /bin/bash => Permission denied.
It seems, that no /.autorelabel will be created after restore-process. If I afterwards create the file by myself (rd.break), everything is working fine. Same problem exists also when I use BCKUP_SELINUX_DISABLE=0 in site.conf.

Output of sealert:
# sealert -a /var/log/audit/audit.log
Additional Information:
Source Context                system_u:system_r:kernel_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                Unknown [ process ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           openssh-server-6.6.1p1-12.el7_1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7_1.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xyz.ch
Platform                      Linux xyz.ch
                              3.10.0-229.11.1.el7.x86_64 #1 SMP Wed Jul 22
                              12:06:11 EDT 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-10 10:48:18 CEST
Last Seen                     2015-09-10 10:48:18 CEST
Local ID                      2c253544-4278-4cb6-b222-5d10b61d155d

Raw Audit Messages
type=AVC msg=audit(1441874898.668:134): avc:  denied  { dyntransition } for  pid=1963 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process


type=SYSCALL msg=audit(1441874898.668:134): arch=x86_64 syscall=write success=no exit=EACCES a0=6 a1=7f8b22a956e0 a2=2a a3=666e6f636e753a72 items=0 ppid=1775 pid=1963 auid=7536 uid=7536 gid=100 euid=7536 suid=7536 fsuid=7536 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:kernel_t:s0 key=(null)

Hash: sshd,kernel_t,unconfined_t,process,dyntransition
Custom site.conf:
# cat /etc/rear/site.conf 
OUTPUT=ISO
BACKUP=TSM
GRUB_RESCUE=n
KERNEL_CMDLINE="net.ifnames=0 biosdevname=0"
TMPDIR="/var/tmp/"
export TMPDIR
TSM_RESULT_FILE_PATH=/var/tmp/rear/output
Logfiles

No Results when I'm greping for selinux

# grep -i selinux /root/rear-2015-09-10T08:47:06+0000.log

---
# grep -i selinux /var/log/rear/rear-xyz.log
2015-09-10 11:03:50 Adding required /lib64/libselinux.so.1 to LIBS
Workaround:
  • Edit Kernel Params while booting (add rd.break)
  • Remount: /sysroot => # mount -o remount,rw /sysroot
  • Chroot to /sysroot => # chroot /sysroot
  • Add selinux-file => # touch /.autorelabel
  • Restart Server

Thanks for having a look at it 👍

Ralf

bhaubeck commented at 2015-09-10 15:19:

hey ralf,

nice to read you here.

maybe you hit the same issue as me some days ago?

see the mail below (or search for the thread "not booting further than initrd after successful restore")

solution:
it was just /run missing.

ben

-------- Forwarded Message --------
Return-Path: bhaubeck@gmail.com
Received: from [172.29.2.245](p5B30D216.dip0.t-ipconnect.de. [91.48.210.22]) by smtp.gmail.com with ESMTPSA id c7sm82977wjb.19.2015.08.12.14.09.16 for rear-users@lists.relax-and-recover.org (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Aug 2015 14:09:17 -0700 (PDT)
Subject: Re: [rear-users] not booting further than initrd after successful restore
To: rear-users@lists.relax-and-recover.org
References: 55CB2B54.6060908@gmail.com 55CB4290.2080200@gmail.com 4f99d0dcf9ae0a82904aaa87a626e8f8@it3.be 55CB46A7.40902@gmail.com
From: Benjamin Haubeck bhaubeck@gmail.com
Openpgp: id=E7E3A909494F7E28FADFC4400B162E663DF07A8A
Message-ID: 55CBB5F2.1070403@gmail.com
Date: Wed, 12 Aug 2015 23:09:06 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: 55CB46A7.40902@gmail.com
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

thx for your support.
i solved it now and it has nothing to do with relax and recover:

/run was missing in the backup and was causing this strange effects.

for some reason i still do not know, the TSM backup seems to exclude
not /run/* but /run at all...
and for some reason the rescue boot of the RHEL - CD is fixing a
missing /run silently, the installed version does not.

thx for your fast reactions and sorry for this kind of "false alarm".

kind regards,

ben

On 10.09.2015 15:40, Ralf Germann wrote:

      Information:

Rear-Version: 1.17.2
OS: RHEL 7.1 latest
SELinux: targeted/enforcing
Backup-System: TSM

      Problem:

Login after restore is not possible. Error: /bin/bash => Permission denied.
It seems, that no /.autorelabel will be created after restore-process. If I afterwards create the file by myself (rd.break), everything is working fine. Same problem exists also when I use BCKUP_SELINUX_DISABLE=0 in site.conf.

      Output of sealert:

|# sealert -a /var/log/audit/audit.log Additional Information: Source Context system_u:system_r:kernel_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0 Target Objects Unknown [ process ] Source sshd Source Path /usr/sbin/sshd Port Host Source RPM Packages openssh-server-6.6.1p1-12.el7_1.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-23.el7_1.13.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name xyz.ch Platform Linux xyz.ch 3.10.0-229.11.1.el7.x86_64 #1 SMP Wed Jul 22 12:06:11 EDT 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-09-10 10:48:18 CEST Last Seen 2015-09-10 10:48:18 CEST Local ID 2c253544-4278-4cb6-b222-5d10b61d155d Raw Audit Messages type=AVC msg=audit(1441874898.668:134): avc: denied { dyntransition } for pid=1963 comm="sshd" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1441874898.668:134): arch=x86_64
syscall=write success=no exit=EACCES a0=6 a1=7f8b22a956e0 a2=2a a3=666e6f636e753a72 items=0 ppid=1775 pid=1963 auid=7536 uid=7536 gid=100 euid=7536 suid=7536 fsuid=7536 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:kernel_t:s0 key=(null) Hash: sshd,kernel_t,unconfined_t,process,dyntransition |

      Custom site.conf:

|# cat /etc/rear/site.conf OUTPUT=ISO BACKUP=TSM GRUB_RESCUE=n KERNEL_CMDLINE="net.ifnames=0 biosdevname=0" TMPDIR="/var/tmp/" export TMPDIR TSM_RESULT_FILE_PATH=/var/tmp/rear/output |

      Logfiles

No Results when I'm greping for selinux

|# grep -i selinux /root/rear-2015-09-10T08:47:06+0000.log --- # grep -i selinux /var/log/rear/rear-xyz.log 2015-09-10 11:03:50 Adding required /lib64/libselinux.so.1 to LIBS |

      Workaround:
  • Edit Kernel Params while booting (add rd.break)
  • Remount: /sysroot => # mount -o remount,rw /sysroot
  • Chroot to /sysroot => # chroot /sysroot
  • Add selinux-file => # touch /.autorelabel
  • Restart Server

Thanks for having a look at it 👍

Ralf


Reply to this email directly or view it on GitHub https://github.com/rear/rear/issues/650.

Benjamin Haubeck
Key-Fingerprint: E7E3 A909 494F 7E28 FADF C440 0B16 2E66 3DF0 7A8A

v1p3r0u5 commented at 2015-09-10 18:22:

Hi Ben,

thx for your answer. Unfortunately this is not the solution. The issue with /run was solved with version 1.17.2. The boot process does complete, but login is not possible unless you relabel the whole system with help of /.autorelabel. Of course only when selinux is enforcing. ;-)

Cheers, Ralf

gdha commented at 2015-09-11 15:26:

@rg-fine It could be that with the BACKUP=TSM that there is no script present that forces a SELinux relabel after the restore. Well, most likely as you reported the issue, and when I check with
grep -r autorelabel /usr/share/rear I cannot find a method which foresees this for TSM (or any other external backup program with exceptions of RSYNC, RBME and DUPLICITY).

What you could do to test it out (a more generic fix) is the following:

mv /usr/share/rear/restore/DUPLICITY/default/50_selinux_autorelabel.sh /usr/share/rear/restore/default/

This way it will always being executed with any backup method. Please return feedback ;-)

v1p3r0u5 commented at 2015-09-15 07:22:

@gdha Thank you very much for the answer. I could test your recommendation. For me it worked like a charm to move the autorelabel script :-)


[Export of Github issue for rear/rear.]