
I have a server running CentOS 7/XFS with SELinux that had a problem (unrelated to SELinux) and had to be restored from a snapshot that was several weeks old. This server also makes a nightly rsync backup to a dedicated offsite backup Docker container.

I restored the snapshot then restored key files/databases from the nightly backup since I didn't know where the problem was. Unfortunately the restored files' contexts/labels are now completely wrong and show Docker container labels (the restored server does not run Docker). Examples:

In /root:

```
[root@mail ~]# ls -alZ
dr-xr-x---. root root system_u:object_r:container_file_t:s0:c18,c703 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0      ..
-rw-------. root root system_u:object_r:container_file_t:s0:c18,c703 anaconda-ks.cfg
drwxr-xr-x. root root system_u:object_r:container_file_t:s0:c18,c703 archive
drwxr-xr-x. root root system_u:object_r:container_file_t:s0:c18,c703 bak
```
etc . . . 

and /etc files also show container labeling:

```
[root@mail audit]# ls -alZ
drwxr-x---. root root system_u:object_r:container_file_t:s0:c18,c703 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0       ..
-rw-r-----. root root system_u:object_r:container_file_t:s0:c18,c703 auditd.conf
-rw-r-----. root root system_u:object_r:container_file_t:s0:c18,c703 auditd.conf.bak
-rw-r-----. root root system_u:object_r:container_file_t:s0:c18,c703 audit.rules
-rw-r-----. root root system_u:object_r:container_file_t:s0:c18,c703 audit-stop.rules
drwxr-x---. root root system_u:object_r:container_file_t:s0:c18,c703 rules.d
```
etc . . . 

I have run `touch .autorelabel` and rebooted, `fixfiles restore`, `fixfiles relabel` and `restorecon`, and even reinstalled the targeted policy - all have no effect. The server runs great with Permissive but I would like to get SELinux running again. The server was working perfectly with SELinux enabled prior to the unrelated problem and subsequent restore.

How can I restore the previous (default) SELinux contexts and labels for the entire filesystem without manually crawling the directories and fixing them by hand?

Peleion
  • Can you check whether you get any SELinux errors in `/var/log/audit/audit.log`? – Yasitha Bogamuwa May 16 '20 at 07:53
  • It's full of errors like `type=1400 audit(1589626140.821:976): avc: denied { read } for pid=995 comm="sshd" name="lastlog" dev="xvda1" ino=8490601 sc ...` for the broken contexts but nothing else. As before, SELinux was working _perfectly_ on this system before the restore. – Peleion May 16 '20 at 10:50

1 Answer


So after a good night's sleep, more digging on ServerFault and man pages I figured out the answer:

`restorecon -vRF`

I was missing the F (force) option - everything works well now.

Peleion