User shells do not run as unconfined_u:unconfined_r:unconfined_t SELinux context, leading to various issues


Issue

  • Checking the SELinux context with id -Z shows that the shell is not running as unconfined_u:unconfined_r:unconfined_t but as system_u:system_r:xxx instead

    # id -Z
    system_u:system_r:initrc_t:s0-s0:c0.c1023
    

    or

    # id -Z
    system_u:system_r:inetd_child_t:s0-s0:c0.c1023
    

    or any other context starting with system_u:system_r.

  • yum update kernel fails in RPM scriptlets (seen when the shell runs as SELinux context inetd_child_t)

    # yum -y update kernel
    [...]
    [...]: warning: %post(kernel-3.10.0-1127.10.1.el7.x86_64) scriptlet failed, exit status 127
    [...]: warning: %triggerin(microcode_ctl-2:2.1-61.6.el7_8.x86_64) scriptlet failed, exit status 127
    [...]: warning: %posttrans(kernel-3.10.0-1127.10.1.el7.x86_64) scriptlet failed, exit status 127
    
  • SSH logins take 10 seconds and the "'abrt-cli status' timed out" error message is printed (seen when the shell runs as SELinux context initrc_t)

    $ ssh <user>@<system>
    [... 10 seconds delay ...]
    'abrt-cli status' timed out
    <user>@<system> $ 
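
A check for the first symptom, added here as an example that is not part of the original article: it parses contexts in the form printed by id -Z and flags shell processes that run in a system_u:system_r domain. The function names, the list of shell names and the sample process listing are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not Red Hat's code. Function names are hypothetical.

# Classify one context string (user:role:type[:range]) as printed by `id -Z`.
# Prints: unconfined | system-domain:<type> | other:<user>:<role>:<type> | invalid
classify_context() (
    ctx=$1
    user=${ctx%%:*}; rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    setype=${rest%%:*}
    case $ctx in *:*:*) ;; *) user= ;; esac   # fewer than three fields
    if [ -z "$user" ] || [ -z "$role" ] || [ -z "$setype" ]; then
        echo "invalid"
    elif [ "$user:$role:$setype" = "unconfined_u:unconfined_r:unconfined_t" ]; then
        echo "unconfined"
    elif [ "$user:$role" = "system_u:system_r" ]; then
        echo "system-domain:$setype"
    else
        echo "other:$user:$role:$setype"
    fi
)

# Read "LABEL PID COMMAND" lines on stdin and print "pid command type" for each
# shell that runs in a system_u:system_r domain. The shell-name list is an assumption.
find_misplaced_shells() {
    while read -r label pid comm; do
        case $comm in
            bash|sh|ksh|zsh|csh|tcsh|dash) ;;
            *) continue ;;
        esac
        verdict=$(classify_context "$label")
        case $verdict in
            system-domain:*) echo "$pid $comm ${verdict#system-domain:}" ;;
        esac
    done
    return 0
}

# Constructed sample in the layout of `ps -eo label,pid,comm`.
SAMPLE_PS='LABEL PID COMMAND
system_u:system_r:sshd_t:s0-s0:c0.c1023 1201 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1834 bash
system_u:system_r:initrc_t:s0-s0:c0.c1023 2290 bash
system_u:system_r:inetd_child_t:s0-s0:c0.c1023 2417 ksh
system_u:system_r:crond_t:s0-s0:c0.c1023 2533 crond'

printf '%s\n' "$SAMPLE_PS" | find_misplaced_shells
# On a live host: classify_context "$(id -Z)"
#                 ps -eo label,pid,comm | find_misplaced_shells
```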
    

Environment

  • Red Hat Enterprise Linux 6 and later
    • powerbroker (pblocald, pmlocald)
    • vshelld
