SELinux relabels any directory that is bind mounted

Solution In Progress

Issue

  • After the RHSA-2022:5068 security advisory is applied on a RHEL 8 machine (a worker node in an OCP cluster), we have an issue with the SELinux context on the directory and files under /etc/sysconfig. The bad context causes a network issue: NetworkManager can't read the file /etc/sysconfig/network-scripts/ifcfg-ens160

Before the RHSA-2022:5068 security advisory update, the SELinux context was:

root@classrooom.example.com network-scripts# ls -hlZ /etc/sysconfig/
total 104K
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          374 May 16  2019 anaconda
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0       72 Jul 26  2019 authconfig
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0           95 May 28  2021 chronyd
drwxr-xr-x. 2 root root system_u:object_r:etc_t:s0            6 Feb 15  2021 console
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          150 Apr 12 17:47 cpupower
-rw-r--r--. 1 root root system_u:object_r:bin_t:s0          110 Jun 12  2019 crond
-rw-------. 1 root root system_u:object_r:system_conf_t:s0  417 Aug 12  2021 ebtables-config
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0           73 Mar  4 15:04 firewalld
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          111 Mar  9 15:12 goferd
lrwxrwxrwx. 1 root root system_u:object_r:etc_t:s0           15 Aug 19  2021 grub -> ../default/grub
-rw-------. 1 root root system_u:object_r:system_conf_t:s0  635 Aug 12  2021 ip6tables
-rw-------. 1 root root system_u:object_r:system_conf_t:s0 2.1K Aug 12  2021 ip6tables-config
-rw-------. 1 root root system_u:object_r:system_conf_t:s0  550 Aug 12  2021 iptables
-rw-------. 1 root root system_u:object_r:system_conf_t:s0 2.1K Aug 12  2021 iptables-config
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          903 Jan 30  2021 irqbalance
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0         2.5K Nov  2  2021 kdump
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          185 May  3 03:02 kernel
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          310 Jun 24  2021 man-db
drwxr-xr-x. 2 root root system_u:object_r:etc_t:s0            6 Feb 15  2021 modules
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          110 Mar  9 15:07 network
drwxr-xr-x. 2 root root system_u:object_r:net_conf_t:s0     110 Mar 21 22:53 network-scripts
-rw-------. 1 root root system_u:object_r:etc_t:s0          364 Aug 20  2021 nftables.conf
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          999 Mar 11 11:21 openvswitch
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0            0 Mar 11 11:27 orig_irq_banned_cpus
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0           92 Oct 22  2020 puppet
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0           87 Oct 22  2020 pxp-agent
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0         2.9K Aug  5  2021 raid-check
drwxr-xr-x. 4 root root system_u:object_r:rhnsd_conf_t:s0    77 Jun 21  2019 rhn
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0           73 Nov 24  2020 rpcbind
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          196 Aug  6  2021 rsyslog
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0            0 Jan  8  2021 run-parts
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          428 Feb 22 12:41 samba
lrwxrwxrwx. 1 root root system_u:object_r:etc_t:s0           17 Sep  3  2019 selinux -> ../selinux/config
-rw-r-----. 1 root root system_u:object_r:etc_t:s0          591 Jul 12  2021 sshd 

After the RHSA-2022:5068 security advisory was applied, the SELinux context changed to:

root@classroom.example.com network-scripts# ls -hlZ /etc/sysconfig/
total 108K
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      374 May 16  2019 anaconda
-rw-r--r--. 1 root root unconfined_u:object_r:container_file_t:s0   72 Jul 26  2019 authconfig
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0       95 May 28  2021 chronyd
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0        6 Feb 15  2021 console
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      150 Apr 16 04:36 cpupower
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      110 Sep 30  2021 crond
-rw-------. 1 root root system_u:object_r:container_file_t:s0      417 Nov 29 16:23 ebtables-config
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0       73 Feb 24 14:04 firewalld
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      111 Mar  9 15:12 goferd
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0       15 Mar 28 16:12 grub -> ../default/grub
-rw-------. 1 root root system_u:object_r:container_file_t:s0      635 Nov 29 16:23 ip6tables
-rw-------. 1 root root system_u:object_r:container_file_t:s0     2.1K Nov 29 16:23 ip6tables-config
-rw-------. 1 root root system_u:object_r:container_file_t:s0      550 Nov 29 16:23 iptables
-rw-------. 1 root root system_u:object_r:container_file_t:s0     2.1K Nov 29 16:23 iptables-config
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      903 Jan 30  2021 irqbalance
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0     2.5K Jan 27 12:59 kdump
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      185 May 16 11:51 kernel
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      310 Jun 24  2021 man-db
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0        6 Feb 15  2021 modules
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      110 Mar  9 15:07 network
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0      110 Mar 21 18:17 network-scripts
-rw-------. 1 root root system_u:object_r:container_file_t:s0      364 Feb 24 14:05 nftables.conf
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      999 Mar 11 11:21 openvswitch
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0        0 Mar 11 11:27 orig_irq_banned_cpus
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0       92 Oct 22  2020 puppet
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0       87 Oct 22  2020 pxp-agent
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0     2.9K Feb 24 05:11 raid-check
drwxr-xr-x. 4 root root system_u:object_r:container_file_t:s0       77 Jun 21  2019 rhn
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      160 Nov 23 21:02 rngd
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0       73 Nov 24  2020 rpcbind
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      196 Jan 14 10:46 rsyslog
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0        0 Jan  8  2021 run-parts
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      428 Mar 18 09:13 samba
lrwxrwxrwx. 1 root root system_u:object_r:container_file_t:s0       17 Sep  3  2019 selinux -> ../selinux/config
-rw-r-----. 1 root root system_u:object_r:container_file_t:s0      591 Oct 26  2021 sshd
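The two listings can be compared by SELinux type to see exactly which labels changed. The following is an added example, not part of the original article: `label_drift`, `sample_drift` and the sample variables are hypothetical names, and the sample lines are excerpted from the listings above.

```shell
#!/bin/sh
# Added example (not from the original article): compare two saved
# `ls -lZ` listings and report entries whose SELinux type changed.
# Assumption: file names contain no whitespace.

# label_drift BEFORE_FILE AFTER_FILE
# Prints "name old_type -> new_type"; old_type is "-" when the entry
# does not appear in the baseline listing.
label_drift() {
    awk '
        # Keep only lines whose 5th field is user:role:type:level;
        # this skips the shell prompt and the "total" line.
        $5 !~ /^[^:]+:[^:]+:[^:]+:/ { next }
        { split($5, ctx, ":"); type = ctx[3]; name = $10 }
        FILENAME == ARGV[1] { old[name] = type; next }
        !(name in old)      { print name, "-", "->", type; next }
        old[name] != type   { print name, old[name], "->", type }
    ' "$1" "$2"
}

# Lines excerpted from the two listings above.
BEFORE_SAMPLE='total 104K
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0          374 May 16  2019 anaconda
-rw-r--r--. 1 root root system_u:object_r:bin_t:s0          110 Jun 12  2019 crond
-rw-------. 1 root root system_u:object_r:system_conf_t:s0  550 Aug 12  2021 iptables
drwxr-xr-x. 2 root root system_u:object_r:net_conf_t:s0     110 Mar 21 22:53 network-scripts'
AFTER_SAMPLE='total 108K
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      374 May 16  2019 anaconda
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      110 Sep 30  2021 crond
-rw-------. 1 root root system_u:object_r:container_file_t:s0      550 Nov 29 16:23 iptables
drwxr-xr-x. 2 root root system_u:object_r:container_file_t:s0      110 Mar 21 18:17 network-scripts
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0      160 Nov 23 21:02 rngd'

# Write the samples to temporary files and run the comparison.
sample_drift() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$BEFORE_SAMPLE" > "$dir/before"
    printf '%s\n' "$AFTER_SAMPLE"  > "$dir/after"
    label_drift "$dir/before" "$dir/after"
    rm -rf "$dir"
}

sample_drift
```

On a live host the two input files would be saved outputs of `ls -lZ /etc/sysconfig/` taken before and after the update.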

Environment

  • Red Hat Enterprise Linux
    • 8.5
    • 8.6
