Preserving SELinux Contexts
Reference Number: AA-00410 Created: 02-28-2017 12:34 Last Updated: 02-28-2017 13:15

Symptoms: 

When migrating an SELinux-enabled server workload, temporary SELinux security context attributes are not preserved.

Applies To:

DynaCenter 4.6.0 and later

Background: 

SELinux security context settings on files and directories are preserved during the migration operation if they are permanently set in the /etc/selinux/targeted/contexts/files directory via the semanage command. Labels applied with the chcon command are temporary, so the SELinux security context on files labeled that way will not be preserved during the migration operation.

More Information:

For more information on the chcon command, see this Red Hat document.

For more information on the semanage command, see this Red Hat document.

If the semanage and restorecon tools are not on your RHEL5/CentOS5 system, run yum -y install policycoreutils to install them.

If the semanage and restorecon tools are not on your RHEL6/CentOS6 system, run yum -y install policycoreutils-python to install them.

Resolution: 

Use the following procedure to ensure that your SELinux security context labels are preserved:

1.  Before you begin the migration, run the following command to find files with modified SELinux context settings that differ from the current policy:

restorecon -rnv / 

This will identify files labeled using the temporary chcon command. 

Note: The -n option prevents any changes from being made. 

2.  For each file listed in the output generated in Step 1, use semanage to permanently set the security context attributes that should be preserved after migration.

3.  After the migration completes, do one of the following:

•  On a RHEL5/CentOS5 system, modify the SELinux state in /etc/selinux/config to permissive or enforcing as desired, then touch /.autorelabel and reboot. 

    This will restore all permanent SELinux security context attributes.

•  On a RHEL6/CentOS6 system, modify the SELinux state in /etc/selinux/config to permissive or enforcing as desired, then reboot. 

    The detected change from disabled to permissive or enforcing will force relabeling and restoration of all permanent SELinux security context attributes.
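
Steps 1 and 2 can be combined into a review list. The following is an added example, not DynaCenter or Red Hat code: it reads restorecon -rnv output and prints one candidate semanage fcontext command per reported path, using the label the file currently carries. It assumes the RHEL5/6 output format "restorecon reset PATH context CURRENT->DEFAULT"; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Converts `restorecon -rnv /` output into candidate
# `semanage fcontext` commands so temporary labels can be made permanent.
# Assumed line format: restorecon reset <path> context <current>-><default>

gen_fcontext_cmds() {
    # Reads restorecon output on stdin; prints commands for review only.
    while IFS= read -r line; do
        case "$line" in
            "restorecon reset "*" context "*"->"*) ;;
            *) continue ;;                 # ignore anything else
        esac
        rest=${line#restorecon reset }
        path=${rest% context *}            # text before the last " context "
        ctx=${rest##* context }            # "<current>-><default>"
        current=${ctx%%->*}                # label the file carries now
        # A context is user:role:type[:level]; the type is the third field.
        type=$(printf '%s\n' "$current" | cut -d: -f3)
        [ -n "$type" ] || continue
        # semanage file specs are regular expressions: escape metacharacters.
        spec=$(printf '%s\n' "$path" | sed 's/[][\.*^$+?(){}|]/\\&/g')
        printf "semanage fcontext -a -t %s '%s'\n" "$type" "$spec"
    done
}

sample_output() {
    # Constructed sample lines, not captured from a real system.
    cat <<'EOF'
restorecon reset /web/index.html context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
constructed noise line that is not a relabel report
restorecon reset /srv/app data/report.csv context system_u:object_r:public_content_t:s0->system_u:object_r:var_t:s0
restorecon reset /opt/tool/run.sh context user_u:object_r:bin_t->system_u:object_r:usr_t
EOF
}

# Demo on the sample; on a real host use: restorecon -rnv / | gen_fcontext_cmds
sample_output | gen_fcontext_cmds
```

Review the list before running any of it: restorecon reports every file whose label differs from policy, and only the labels that should survive the migration need a permanent rule.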