RHEL/CentOS: Update SELinux Contexts without Rebooting by Using setfiles Command

[Poorna-Gottimukkula1]

This PR update setup script to avoid a reboot when updating SELinux contexts. The change replaces the touch /.autorelabel command with setfiles -F /etc/selinux/targeted/contexts/files/file_contexts /, which applies the required SELinux file context updates without needing a system reboot. This reduces setup time and eliminates the need for an additional system restart after completing the setup

[sudeeshjohn]

@Poorna-Gottimukkula1 this works irrespective of the environment’s selinux settings(disabled , permissive and enforcing) ?

[Poorna-Gottimukkula1]

@Poorna-Gottimukkula1 this works irrespective of the environment’s selinux settings(disabled , permissive and enforcing) ?

Yes, tested RHEL-9.6 with various selinux settings(disabled , permissive and enforcing).

[root@test1 ~]# getenforce
Enforcing
[root@test1 ~]# ls -Z /
        system_u:object_r:mnt_t:s0 afs           system_u:object_r:lib_t:s0 lib64          system_u:object_r:bin_t:s0 sbin
        system_u:object_r:bin_t:s0 bin           system_u:object_r:mnt_t:s0 media  system_u:object_r:etc_runtime_t:s0 setup.sh
       system_u:object_r:boot_t:s0 boot          system_u:object_r:mnt_t:s0 mnt            system_u:object_r:var_t:s0 srv
     system_u:object_r:device_t:s0 dev           system_u:object_r:usr_t:s0 opt          system_u:object_r:sysfs_t:s0 sys
        system_u:object_r:etc_t:s0 etc          system_u:object_r:proc_t:s0 proc           system_u:object_r:tmp_t:s0 tmp
  system_u:object_r:home_root_t:s0 home   system_u:object_r:admin_home_t:s0 root           system_u:object_r:usr_t:s0 usr
        system_u:object_r:lib_t:s0 lib       system_u:object_r:var_run_t:s0 run            system_u:object_r:var_t:s0 var
[root@test1 ~]# last -x | grep reboot
reboot   system boot  5.14.0-598.el9.p Tue Jul 22 04:58   still running

[root@test-permissive-set ~]# getenforce
Permissive
[root@test-permissive-set ~]# ls -Z /
        system_u:object_r:mnt_t:s0 afs           system_u:object_r:lib_t:s0 lib64          system_u:object_r:bin_t:s0 sbin
        system_u:object_r:bin_t:s0 bin           system_u:object_r:mnt_t:s0 media  system_u:object_r:etc_runtime_t:s0 setup.sh
       system_u:object_r:boot_t:s0 boot          system_u:object_r:mnt_t:s0 mnt            system_u:object_r:var_t:s0 srv
     system_u:object_r:device_t:s0 dev           system_u:object_r:usr_t:s0 opt          system_u:object_r:sysfs_t:s0 sys
        system_u:object_r:etc_t:s0 etc          system_u:object_r:proc_t:s0 proc           system_u:object_r:tmp_t:s0 tmp
  system_u:object_r:home_root_t:s0 home   system_u:object_r:admin_home_t:s0 root           system_u:object_r:usr_t:s0 usr
        system_u:object_r:lib_t:s0 lib       system_u:object_r:var_run_t:s0 run            system_u:object_r:var_t:s0 var
[root@test-permissive-set ~]# last -x | grep reboot
reboot   system boot  5.14.0-570.28.1. Wed Jul 23 03:28   still running

[root@test-disabled-set ~]# getenforce
Disabled
[root@test-disabled-set ~]# ls -Z /
        system_u:object_r:mnt_t:s0 afs           system_u:object_r:lib_t:s0 lib64          system_u:object_r:bin_t:s0 sbin
        system_u:object_r:bin_t:s0 bin           system_u:object_r:mnt_t:s0 media  system_u:object_r:etc_runtime_t:s0 setup.sh
       system_u:object_r:boot_t:s0 boot          system_u:object_r:mnt_t:s0 mnt            system_u:object_r:var_t:s0 srv
                                 ? dev           system_u:object_r:usr_t:s0 opt                                     ? sys
        system_u:object_r:etc_t:s0 etc                                    ? proc           system_u:object_r:tmp_t:s0 tmp
  system_u:object_r:home_root_t:s0 home   system_u:object_r:admin_home_t:s0 root           system_u:object_r:usr_t:s0 usr
        system_u:object_r:lib_t:s0 lib                                    ? run            system_u:object_r:var_t:s0 var
[root@test-disabled-set ~]# last -x | grep reboot
reboot   system boot  5.14.0-570.28.1. Wed Jul 23 03:35   still running

I don't see any issue, regardless of the environment's SELinux settings (image build VM).

[mkumatag]

Approximately how much time we can save with this change?

[Poorna-Gottimukkula1]

Approximately how much time we can save with this change?

Around 1.5 - 2 m

I just triggered the OCP deploy using the newly created image.

module.bastion.null_resource.bastion_init[0]: Creation complete after 2m28s [id=6955633628581543805]

Previous three jobs took around 4m42s

1. module.bastion.null_resource.bastion_init[0]: Creation complete after 4m42s [id=1235290572954074843]
2. module.bastion.null_resource.bastion_init[0]: Creation complete after 4m42s [id=5945047114692171536]
3. module.bastion.null_resource.bastion_init[0]: Creation complete after 4m43s [id=7535059377970327901]

[mkumatag]

This is just wow!

Around 1.5 - 2 m

[mkumatag]

@sudeeshjohn can you review and merge this PR if all okay?

[sudeeshjohn]

@Poorna-Gottimukkula1 did you test this for rhel10 ?

[Poorna-Gottimukkula1]

@Poorna-Gottimukkula1 did you test this for rhel10 ?

I haven’t tested it on RHEL-10 yet. the image build works fine, I’ll test the image and update here once it’s done.

[Poorna-Gottimukkula1]

Tested this on RHEL-10

[root@rhel-10-setfiles ~]# getenforce
Enforcing
[root@rhel-10-setfiles ~]#  last -x | grep reboot
reboot   system boot  6.12.0-55.9.1.el Thu Aug  7 14:19   still running
[root@rhel-10-setfiles ~]# ls -Z /
        system_u:object_r:mnt_t:s0 afs           system_u:object_r:lib_t:s0 lib64          system_u:object_r:bin_t:s0 sbin
        system_u:object_r:bin_t:s0 bin           system_u:object_r:mnt_t:s0 media  system_u:object_r:etc_runtime_t:s0 setup.sh
       system_u:object_r:boot_t:s0 boot          system_u:object_r:mnt_t:s0 mnt            system_u:object_r:var_t:s0 srv
     system_u:object_r:device_t:s0 dev           system_u:object_r:usr_t:s0 opt          system_u:object_r:sysfs_t:s0 sys
        system_u:object_r:etc_t:s0 etc          system_u:object_r:proc_t:s0 proc           system_u:object_r:tmp_t:s0 tmp
  system_u:object_r:home_root_t:s0 home   system_u:object_r:admin_home_t:s0 root           system_u:object_r:usr_t:s0 usr
        system_u:object_r:lib_t:s0 lib       system_u:object_r:var_run_t:s0 run            system_u:object_r:var_t:s0 var
[root@rhel-10-setfiles ~]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="10.0 (Coughlan)"
ID="rhel"
ID_LIKE="centos fedora"
VERSION_ID="10.0"
PLATFORM_ID="platform:el10"
PRETTY_NAME="Red Hat Enterprise Linux 10.0 (Coughlan)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:10::baseos"
HOME_URL="https://www.redhat.com/"
VENDOR_NAME="Red Hat"
VENDOR_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/10"
BUG_REPORT_URL="https://issues.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 10"
REDHAT_BUGZILLA_PRODUCT_VERSION=10.0
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="10.0"

[mkumatag]

/lgtm

/hold
for @sudeeshjohn to give a final ack and merge

[sudeeshjohn]

/lgtm

[ppc64le-cloud-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mkumatag, Poorna-Gottimukkula1, sudeeshjohn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mkumatag]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Poorna-Gottimukkula1]

Tested this on 8.10 as well.

[root@test1-810 ~]# getenforce
Enforcing
[root@test1-810 ~]#  last -x | grep reboot
reboot   system boot  4.18.0-553.69.1. Wed Aug 13 02:31   still running
[root@test1-810 ~]#  ls -Z /
        system_u:object_r:bin_t:s0 bin            system_u:object_r:mnt_t:s0 media  system_u:object_r:etc_runtime_t:s0 setup.sh
       system_u:object_r:boot_t:s0 boot           system_u:object_r:mnt_t:s0 mnt            system_u:object_r:var_t:s0 srv
     system_u:object_r:device_t:s0 dev            system_u:object_r:usr_t:s0 opt          system_u:object_r:sysfs_t:s0 sys
        system_u:object_r:etc_t:s0 etc           system_u:object_r:proc_t:s0 proc           system_u:object_r:tmp_t:s0 tmp
  system_u:object_r:home_root_t:s0 home    system_u:object_r:admin_home_t:s0 root           system_u:object_r:usr_t:s0 usr
        system_u:object_r:lib_t:s0 lib        system_u:object_r:var_run_t:s0 run            system_u:object_r:var_t:s0 var
        system_u:object_r:lib_t:s0 lib64          system_u:object_r:bin_t:s0 sbin
[root@test1-810 ~]#  cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.10 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.10"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.10 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
BUG_REPORT_URL="https://issues.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.10
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.10"
[root@test1-810 ~]#

[sudeeshjohn]

/unhold