Commit fe2891d

Restore SELinux label of crypttab file
Currently, for LUKS encrypted dump target, the system can have booting problem with relatively older selinux-policy e.g. 40.13.21-1.el10 or 38.1.65-1.el9.noarch,

    [*** ] Job dev-disk-by\x2duuid-55f4fce1\x2…tart running (1min 21s / 1min 30s)
    ...
    [ TIME ] Timed out waiting for device dev-d…f4fce1-cd7f-43a6-8729-f0edcd048d73.
    [DEPEND] Dependency failed for luks.mount - /luks.
    [DEPEND] Dependency failed for local-fs.target - Local File Systems.
    [DEPEND] Dependency failed for selinux-auto…k the need to relabel after reboot.
    ...
    [FAILED] Failed to start kdump.service - Crash recovery kernel arming.
    See 'systemctl status kdump.service' for details.
    You are in emergency mode. After logging in, type "journalctl -xb" to view
    system logs, "systemctl reboot" to reboot, or "exit" to continue bootup.

    [ 4.375155] systemd-cryptsetup-generator[690]: Failed to open /etc/crypttab: Permission denied
    [ 4.376555] audit: type=1400 audit(1762134586.538:4): avc: denied { open } for pid=690 comm="systemd-cryptse" path="/etc/crypttab" dev="vda3" ino=16916076 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

This happens because the updated crypttab file for LUKS dump target has incorrect SELinux label as it's created by mktemp. As a result, SELinux will prevent systemd-cryptsetup-generator from accessing crypttab and the encrypted dump target can fail to mount,

    # ls -Z /etc/crypttab
    unconfined_u:object_r:user_tmp_t:s0 /etc/crypttab

Restore the SELinux label of crypttab to fix this issue,

    # ls -Z /etc/crypttab
    unconfined_u:object_r:etc_t:s0 /etc/crypttab

Although this issue no longer happens to newer selinux-policy like policy-42.1.9-1.el10.noarch, it's better to restore the SELinux label of crypttab file.

Fixes: 4e0d4ca ("Add kdumpctl setup-crypttab subcommand")
Signed-off-by: Coiby Xu <[email protected]>
1 parent 280d4b6 commit fe2891d

2 files changed: +5 -0 lines changed

kdumpctl

Lines changed: 1 addition & 0 deletions
@@ -1316,6 +1316,7 @@ setup_crypttab()
13161316
return 0
13171317
else
13181318
mv "$temp_file" "$CRYPTTAB_FILE"
1319+
restorecon "$CRYPTTAB_FILE"
13191320
dinfo "Success! $CRYPTTAB_FILE has been updated."
13201321

13211322
# Parse status updates and report on each changed UUID
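
Review bot: the exit status of restorecon "$CRYPTTAB_FILE" after the mv in setup_crypttab() is ignored, so the next line still prints "Success! $CRYPTTAB_FILE has been updated." when relabelling fails or restorecon is not installed, and the file keeps the label it inherited from the temporary file. Check the result and log a warning on failure so the operator knows systemd-cryptsetup-generator may be denied access at the next boot. A one-line comment above the call saying that mv preserves the temporary file's SELinux label would also make the reason for the call clear to later readers.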

spec/kdumpctl_setup_crypttab_spec.sh

Lines changed: 4 additions & 0 deletions
@@ -5,6 +5,10 @@ Describe "kdumpctl "
55
dinfo() {
66
echo "$1"
77
}
8+
restorecon() {
9+
:
10+
}
11+
812
Describe "setup_crypttab()"
913
# Set up global variables and mocks for each test
1014
# shellcheck disable=SC2016 # expand expression later
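
Review bot: the restorecon() stub added next to dinfo() is a no-op (:), so no example in this spec can tell whether setup_crypttab() actually calls restorecon on the crypttab file; deleting the new line from kdumpctl would leave the suite green. Have the stub report its argument, as the dinfo() mock does with echo "$1", and assert on that output in the case where the file is updated.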
