Restorecon does not work on override config directories

boredsquirrel · February 6, 2025, 1:39pm

I want to create a systemd resolved override config and automatically fix its SELinux labels

# create an overwrite directory

mkdir /etc/systemd/resolved.conf.d
cd /etc/systemd/resolved.conf.d

# write an overwrite config here:

cat > private-dns.conf <<EOF
[Resolved]
DNSSEC=yes
DNSOverTLS=yes
DNS=185.150.99.255 5.1.66.255 2001:678:e68:f000:: 2001:678:ed0:f000::
FallbackDNS=9.9.9.9 149.112.112.112
EOF

# display labels
ls -lZ
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 143  6. Feb 14:20 private-dns.conf

# automatically restore labels
# should be "system_u:object_r:etc_t:s0"
restorecon .

# still the same label

Is there some policy missing, what labels files in these standardized override locations should have?

Instead I would use

chcon system_u:object_r:etc_t:s0 *

ls -lZ
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 143  6. Feb 14:20 private-dns.conf

To fix the labels manually. But this seems wrong.

runiqo · February 6, 2025, 1:53pm

So first of all, matchpathcon /etc/systemd/resolved.conf.d/private-dns.conf tells me that your file ought to have a context of system_u:object_r:systemd_conf_t:s0.

Regarding your actual problem: Maybe you just forgot the -R switch to restorecon? You invoke restorecon . on the directory, not the file.

boredsquirrel · February 6, 2025, 3:30pm

Nice, didnt know of matchpathcon

In my case I have no /etc/systemd/resolved.conf so I cannot use it there. And using it on files where I changed the labels manually also outputs <<none>>

No, I tried everything, *, -R and it didnt change

I also tried this

cd /etc/systemd/
echo -Z "" > resolved.conf

and it was unconfined

cra · February 6, 2025, 5:24pm

matchpathcon just tells you what SELinux has configured for the file_context of a path–it doesn’t look at or change files on disk. restorecon -R should restore the actual directory/files to what is configured in SELinux when you run it. You show that you ran restorecon . but that would only fix the context of the directory, not the files within the directory. If you run restorecon -v -R /etc/systemd/resolved.conf.d it should fix the file contexts of the directory and all files in there. This is what happens when I do that on Fedora 41:

>sudo mkdir /etc/systemd/resolved.conf.d
>sudo touch /etc/systemd/resolved.conf.d/foo.conf
>sudo restorecon -v -R /etc/systemd/resolved.conf.d
Relabeled /etc/systemd/resolved.conf.d from unconfined_u:object_r:etc_t:s0 to unconfined_u:object_r:systemd_conf_t:s0
Relabeled /etc/systemd/resolved.conf.d/foo.conf from unconfined_u:object_r:etc_t:s0 to unconfined_u:object_r:systemd_conf_t:s0

vgaetera · February 7, 2025, 12:33am

This won’t be an issue if you use the proper flags from the start:

sudo mkdir -p -Z ...

mkdir: make directories | coreutils Commands | Man Pages | ManKier

boredsquirrel · February 7, 2025, 1:01am

Right, forgot about that. I will check if this enables restorecon

Topic		Replies	Views
Fedora Doc error about setting up an Nspawn container Project Discussion server-wg , containers-sig , docs-team	11	107	August 21, 2024
F34 Update warning: %triggerpostun(container-selinux-2:2.162.1-3.fc34.noarch) scriptlet failed, exit status 255 Ask Fedora f34	2	563	May 27, 2021
Systemd-resolved with DoT and DNSSEC configuration Ask Fedora problem , f38 , systemd-resolved , f39 , workstation	3	833	December 22, 2023
DNS server changes not being applied Ask Fedora systemd-resolved , dns , server	16	17511	April 12, 2024
Systemd-resolved etc/systemd/resolved.conf not found Ask Fedora	14	308	January 26, 2025

Restorecon does not work on override config directories

Related topics