Systemd rc-local service doesn't work on Fedora 40 until selinux contexts are set on rc.local script

The man page for the rc-local at man systemd-rc-local-generator
doesn’t mention setting the SELinux context on the script you add to /etc/rc.d/rc.local, but in my experience on Fedora 40, my rc-local service would not run at boot time until I did this in the /etc/rc.d/ directory:

sudo semanage fcontext -a -t systemd_rc_local_generator_exec_t rc.local
sudo restorecon -v rc.local

After that, if I rebooted, the rc.local generator would run correctly. Shouldn’t that man page make it clear you have to set those contexts, or is this a bug and that should not be necessary?


Restoring the default label works just fine:

sudo tee /etc/rc.d/rc.local << "EOF" > /dev/null
#!/usr/bin/bash
touch /tmp/test
EOF
sudo chmod +x /etc/rc.d/rc.local 
sudo restorecon /etc/rc.d/rc.local
sudo systemctl restart rc-local.service

Adding a file context record is redundant.

I was doing exactly the command the “SELinux Alert Browser” parroted to me, which it said would correct the problem.

For the “semanage” one, it offered a whole list of -t option strings; I picked systemd_rc_local_generator_exec_t because it seemed the logical one (since rc-local is a generator).

The record you posted above won’t work due to incorrect file spec.
The correct file spec is already preinstalled and looks like this:

> sudo semanage fcontext -l | grep -e "/etc/rc[\][.]d/rc[\][.]"
/etc/rc\.d/rc\.[^/]+                               regular file       system_u:object_r:initrc_exec_t:s0

Apparently the instructions provided by the automated helper are not always optimal.
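To make the “incorrect file spec” point concrete, here is an added example (not code from the thread or from systemd) that mimics how an SELinux file context spec is matched against a path and checks a file’s current label against the policy default, the way `restorecon -n` would. The `semanage fcontext -l` excerpt and the `ls -Z` line are constructed sample data shaped like the output quoted above; the “longest matching regex wins” rule is a simplification of libselinux’s specificity ordering, and the `unlabeled` fallback is this script’s own convention.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce how an SELinux file
# context spec is matched against a path, and check a file's current label
# against the policy default the way `restorecon -n` would. No SELinux tools
# are required; all input below is constructed.

# Constructed excerpt of `semanage fcontext -l`: spec, file type, context.
FCONTEXT_LIST='/etc(/.*)?                          all files      system_u:object_r:etc_t:s0
/etc/rc\.d/rc\.[^/]+                regular file   system_u:object_r:initrc_exec_t:s0'

# type_of CONTEXT: print the type field (third colon-separated field).
type_of() {
    t=${1#*:}; t=${t#*:}; printf '%s\n' "${t%%:*}"
}

# spec_matches SPEC PATH: true if the anchored regex SPEC matches the whole
# PATH. Specs are absolute-path regexes, so a bare "rc.local" never matches.
spec_matches() {
    printf '%s\n' "$2" | grep -Eq "^($1)\$"
}

# expected_type PATH: type of the most specific matching spec, or "unlabeled".
# Assumption: "most specific" is approximated by the longest matching regex.
expected_type() {
    path=$1
    printf '%s\n' "$FCONTEXT_LIST" | {
        best_spec=''; best_type='unlabeled'
        while IFS= read -r line; do
            spec=${line%% *}      # first field: the regex spec
            ctx=${line##* }       # last field: the security context
            if spec_matches "$spec" "$path" && [ ${#spec} -gt ${#best_spec} ]; then
                best_spec=$spec; best_type=$(type_of "$ctx")
            fi
        done
        printf '%s\n' "$best_type"
    }
}

# label_check "CONTEXT PATH": compare a file's current type (as printed by
# `ls -Z PATH`) with the policy default; return 0 if they agree, 1 otherwise.
label_check() {
    ctx=${1%% *}; path=${1#* }
    have=$(type_of "$ctx"); want=$(expected_type "$path")
    if [ "$have" = "$want" ]; then
        printf '%s: %s matches policy default\n' "$path" "$have"
    else
        printf '%s: labeled %s, policy default is %s (restorecon would relabel)\n' \
            "$path" "$have" "$want"
        return 1
    fi
}

# Demonstration with constructed input: a script that inherited etc_t from /etc/rc.d.
label_check "unconfined_u:object_r:etc_t:s0 /etc/rc.d/rc.local" || true
# The relative spec from the first post cannot match an absolute path.
spec_matches 'rc.local' /etc/rc.d/rc.local && echo "matched" || echo "spec rc.local does not match"
```

Run it with `sh` on any system; the first line of output reports that the sample file would be relabeled to `initrc_exec_t`, and the second shows why a `semanage fcontext -a` record whose spec is a relative name silently never applies.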

I turned that into a note in the man page: man: add note about selinux to rc-local by keszybz · Pull Request #32896 · systemd/systemd · GitHub


If you just create /etc/rc.d/rc.local it will inherit the label from /etc/rc.d, which is “etc_t”. This will also work, as the generator is allowed to access files labeled with “etc_t”.