SELinux and restorecon

Problem:

When installing Katello with SELinux enabled, restorecon -Rnv wants to relabel a lot of (presumably all) pulp artifacts, e.g.:

Would relabel /var/lib/pulp/media/artifact/1c/40cb34de3bdd67fd0ab13794addf8a3ea52d7212026a18b5484275aab4370c from system_u:object_r:pulpcore_server_var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
Would relabel /var/lib/pulp/media/artifact/1c/b589911d02b03a25d0edc66f13b8f7744a2a7a69767a436a137704cb0e1e99 from system_u:object_r:pulpcore_server_var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
Would relabel /var/lib/pulp/media/artifact/95/d32f1f9af09ce6fedaaaecc81e93ca2c0b8dea30a8dd5f0606ff81763ed984 from system_u:object_r:pulpcore_server_var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
Would relabel /var/lib/pulp/media/artifact/95/340ec05d7690fb2aa83beeca3579f8b429e37092e0aab84671b796698dafb0 from system_u:object_r:pulpcore_server_var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
Would relabel /var/lib/pulp/media/artifact/ef/76c3a2fbcf389254efdb1249e73c9763192c2edb5835b6144886c1b4f30c93 from system_u:object_r:pulpcore_server_var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
...

The question is if this is indicative of a packaging issue with pulpcore-selinux, or if this is harmless/by design?

I know very little about selinux, so I am not even sure the question makes sense. We have previously asked around the Foreman discourse, but did not get much traction there: Restorecon would relabel a lot of files - Support - TheForeman

Pulpcore version:

As installed via RPM for Katello, e.g.: pulpcore 3.39


How “old” was the system that was installing, what version of pulpcore-selinux was there originally, and what version of pulpcore-selinux is now installed?

2.0 was released last year with “Set file contexts for all of /var/lib/pulp by @ekohl in #69 - Note: The above removes the ability to exist alongside Pulp 2.”, and 2.0.1 in January.

The test systems are using pulpcore-selinux-2.0.1-1.el8.x86_64.rpm.

We went and had another look. One test system was unaffected immediately after the initial installation (which already involves some small Pulp repo syncs). On another test system with a significant amount of content, restorecon found various Pulp artifacts it wanted to relabel. However, this only affected a small number of the overall number of artifacts. In all cases the proposed relabeling was:

from system_u:object_r:pulpcore_server_var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0

If I search in GitHub - pulp/pulpcore-selinux: A Pulp 3 SELinux policy I can find both pulpcore_server_var_lib_t and pulpcore_var_lib_t, but I have no idea what that means.

As I understand it (I am not an selinux-expert at all, at all), we moved from pulpcore_server_var_lib_t to pulpcore_var_lib_t with 2.0. So the relabel is prob for content that happened before that, and that didn’t get relabelled when 2.0 was installed. @mikedep333, when you get a chance, can you chime in here?
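
Added example, not part of any post in this thread: one way to check whether every proposed relabel in a `restorecon -Rnv` dry run is the same type transition is to group the "Would relabel" lines by old and new SELinux type. The function names `summarize_relabels` and `sample_dry_run` are hypothetical, and the sample lines are constructed with placeholder paths.

```shell
#!/bin/sh
# Added example: summarize restorecon dry-run output by SELinux type transition.

# Reads `restorecon -Rnv` lines on stdin and prints "COUNT OLD_TYPE -> NEW_TYPE",
# one line per distinct transition, most frequent first.
summarize_relabels() {
    awk '
        # Match "Would relabel PATH from OLD_CTX to NEW_CTX". Fields are read
        # from the end of the line so a path containing spaces cannot shift them.
        NF >= 7 && $1 == "Would" && $2 == "relabel" &&
        $(NF-1) == "to" && $(NF-3) == "from" {
            split($(NF-2), old, ":")   # context is user:role:type:level
            split($NF, new, ":")
            count[old[3] " -> " new[3]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input (placeholder paths, not taken from a real system).
# The third line has a space in its path and a different old type.
sample_dry_run() {
    cat <<'EOF'
Would relabel /var/lib/pulp/media/artifact/aa/0001 from system_u:object_r:pulpcore_server_var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
Would relabel /var/lib/pulp/media/artifact/aa/0002 from system_u:object_r:pulpcore_server_var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
Would relabel /var/lib/pulp/media/artifact/bb/constructed name from unconfined_u:object_r:var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
EOF
}

# Demo on the constructed sample. On a real host the input would be:
#   restorecon -Rnv /var/lib/pulp | summarize_relabels
sample_dry_run | summarize_relabels
```

A single output line means every pending relabel is the same transition; any additional line points at files that carry some other label and are worth looking at separately.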