Bug#906729: Please fix SELinux labels of /vmlinuz symlink after kernel update

To: 906729@bugs.debian.org
Subject: Bug#906729: Please fix SELinux labels of /vmlinuz symlink after kernel update
From: Christian Göttsche <cgzones@googlemail.com>
Date: Sat, 25 Jan 2020 19:42:53 +0100
Message-id: <[🔎] CAJ2a_DeC0vUiky65EjWXbvDBqSWUV8ibm35=9peOgoejkCZPaA@mail.gmail.com>
Reply-to: Christian Göttsche <cgzones@googlemail.com>, 906729@bugs.debian.org
In-reply-to: <CAJ2a_Df4g6j8ZdDn8fXQy1ucamap7E+rbX3Y9zHSHnZ=EtxzQg@mail.gmail.com>
References: <CAJ2a_Df4g6j8ZdDn8fXQy1ucamap7E+rbX3Y9zHSHnZ=EtxzQg@mail.gmail.com> <153475781975.8041.4969759210085056376.reportbug@valinor.bigon.be>

It is not needed for anything to work correctly; it is just that
objects should have the context defined by the SELinux policy. The
root_t context should only be used by the root path directory,
anything else is suspicious and should be avoided. Also if one sets up
an alert for incorrect labeled objects (e.g. via repeatedly running
restorecon -v -R -n /) this mislabeling would trigger.


--- /var/lib/dpkg/info/linux-image-5.4.0-3-amd64.postinst
2020-01-19 10:22:58.000000000 +0100
+++ /root/workspace/linux-image-5.4.0-3-amd64.postinst  2020-01-25
19:29:15.264928445 +0100
@@ -15,6 +15,8 @@
     change=upgrade
 fi
 linux-update-symlinks $change $version $image_path
+# set SELinux context (#906729)
+which restorecon >/dev/null 2>&1 && restorecon /vmlinuz /initrd.img
 rm -f /lib/modules/$version/.fresh-install

 if [ -d /etc/kernel/postinst.d ]; then

Reply to:

Prev by Date: Bug#949833: linux-image-5.4.0-3-arm64: MACCHIATObin fails to boot
Next by Date: Processed: Re: Bug#949727: firmware-misc-nonfree: Missing dependency initramfs-tools-core
Previous by thread: Bug#949833: linux-image-5.4.0-3-arm64: MACCHIATObin fails to boot
Next by thread: Processed: tagging 906729
Index(es):
- Date
- Thread