Recently, RustDesk pushed a PR that changes the security context of /usr/lib/rustdesk/rustdesk from lib_t to bin_t by adding this to the rpm spec file:
# Change the security context of /usr/lib/rustdesk/rustdesk from `lib_t` to `bin_t`.
if command -v getenforce >/dev/null 2>&1; then
    if [ "$(getenforce)" == "Enforcing" ]; then
        # Third colon-separated field of the `ls -lZ` output is the SELinux type
        file_security_context=$(ls -lZ /usr/lib/rustdesk/rustdesk 2>/dev/null | awk -F':' '{print $3}')
        if [ "${file_security_context}" == "lib_t" ]; then
            chcon -t bin_t /usr/lib/rustdesk/rustdesk || true
        fi
    fi
fi
I have tested this on traditional Fedora 41, where it works without any problems, but not on Aurora (installed with rpm-ostree layering) or Bluefin (custom image built on GH Actions), yet it works with a ghcr.io/ublue-os/kinoite-main:41 custom image? Very weird.
I thought it may be some weird behavior due to Atomic systems, so I tried dnf5 and rpm-ostree; neither changed the results. So I manually ran the commands that were added to the rpm spec file, but they returned the errors below (the restorecon one is from ChatGPT), and still nothing changed.
Unfortunately their change is a partial implementation of what is required.
Currently the file has no file context. When using chcon, it expects there to be an existing file context. In this case you will need to provide the entire context.
Generally speaking I would recommend using semanage fcontext as well, since chcon doesn’t actually update SELinux.
Realistically, I’m a bit confused about why this is being shipped as the mechanism to solve their SELinux issues. While it works, it also means that restorecon would likely remove it.
Thanks, after some ChatGPT stuff it returned this:
%post
# Modify the SELinux security context of /usr/lib/rustdesk/rustdesk from lib_t to bin_t.
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" == "Enforcing" ]; then
    # Check if semanage is available
    if command -v semanage >/dev/null 2>&1; then
        # Add a permanent file context rule
        semanage fcontext -a -t bin_t "/usr/lib/rustdesk/rustdesk" || {
            echo "Failed to add fcontext with semanage." >&2
            exit 1
        }
        # Apply the file context
        restorecon -v "/usr/lib/rustdesk/rustdesk" || {
            echo "Failed to restorecon for /usr/lib/rustdesk/rustdesk." >&2
            exit 1
        }
    else
        # If semanage is not available, attempt to use a complete chcon.
        # `stat -c %C` prints the whole context (user:role:type:level) as one
        # word, so the type is the third colon-separated field; splitting on
        # whitespace would always yield an empty string.
        file_security_context=$(stat -c %C /usr/lib/rustdesk/rustdesk 2>/dev/null | awk -F':' '{print $3}')
        # An unlabeled file shows up as an empty type, so handle that too
        if [ "${file_security_context}" == "lib_t" ] || [ -z "${file_security_context}" ]; then
            chcon system_u:object_r:bin_t:s0 /usr/lib/rustdesk/rustdesk || {
                echo "Failed to change SELinux context for /usr/lib/rustdesk/rustdesk." >&2
                exit 1
            }
        fi
    fi
fi
So I tried manually adding
    semanage fcontext -a -t bin_t "/usr/lib/rustdesk/rustdesk"
    restorecon -v "/usr/lib/rustdesk/rustdesk"
to my custom image build, and it works, but I have a question: will [ "$(getenforce)" == "Enforcing" ] be true in the custom image build?
Or don’t check the SELinux status and only check whether the command exists, because it won’t bother anything if SELinux is disabled?
Second question: is the "# If semanage is not available, attempt to use a complete chcon" part required? semanage should exist on all SELinux-based distros?
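The two mechanisms discussed in this thread, a persistent semanage fcontext rule applied with restorecon versus a bare chcon with a full context, as an added example that is not code from the thread or from RustDesk's spec file. It assumes GNU stat and the standard policycoreutils tools; it gates on tool presence rather than on getenforce, parses the context by splitting on ':', and ends with a restorecon dry run to show whether the label would survive:

```shell
#!/bin/sh
# Added example (not from the thread or RustDesk's spec): give a file a
# persistent SELinux type when semanage exists, fall back to a full-context
# chcon otherwise, then check whether restorecon would undo the label.

# Type field of a full context, e.g. "system_u:object_r:lib_t:s0" -> "lib_t".
# The fields are colon-separated: splitting `stat -c %C` output on whitespace
# (awk '{print $3}') always yields an empty string, so split on ':' instead.
context_type() {
    printf '%s\n' "$1" | awk -F':' '{print $3}'
}

# Current type of a file; empty when it has no context (stat prints "?").
file_type() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || return 1
    context_type "$ctx"
}

# Print the commands that give $1 the type $2; $3 is "yes" when semanage exists.
# A fcontext rule lives in the policy store, so later restorecon runs keep the
# label; a bare chcon is undone by the next restorecon, which reapplies the
# policy default for the path (lib_t under /usr/lib).
relabel_plan() {
    path=$1; want=$2; have_semanage=$3
    if [ "$have_semanage" = "yes" ]; then
        printf 'semanage fcontext -a -t %s "%s"\n' "$want" "$path"
        printf 'restorecon -v "%s"\n' "$path"
    else
        # Supply the whole context: `chcon -t` alone fails on an unlabeled file.
        printf 'chcon system_u:object_r:%s:s0 "%s"\n' "$want" "$path"
    fi
}

# Relabel when the SELinux userland is installed, without consulting
# getenforce (it reports Disabled inside an image build while semanage and
# restorecon still succeed), then dry-run restorecon (-n -v) so any label it
# would still reset is printed instead of silently lost on the next relabel.
relabel() {
    path=$1; want=$2
    [ -e "$path" ] || return 1
    command -v restorecon >/dev/null 2>&1 || return 0
    [ "$(file_type "$path")" = "$want" ] && return 0
    if command -v semanage >/dev/null 2>&1; then have=yes; else have=no; fi
    relabel_plan "$path" "$want" "$have" | sh -e
    restorecon -n -v "$path"
}
```

Running `relabel /usr/lib/rustdesk/rustdesk bin_t` in a %post scriptlet records the rule on systems that ship semanage and prints a pending change on the chcon-only path if the policy would relabel the file back.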
semanage is not always present (I believe it’s written in Python). Normally it’s always present on desktops but often missing from minimal server installs.
I believe restorecon and chcon are always present.
Often, Fedora provides a second rpm that contains the resulting files that semanage produces so restorecon will work.
I found semanage is in the policycoreutils-python-utils meta package, which also pulls in policycoreutils as a dependency, and that contains restorecon.
This package is available on:
Fedora 41
OpenSUSE Tumbleweed
OpenSUSE Leap 15.6
Redhat ubi 8, 9
CentOS Stream 9
Can’t build a dnf cache on CentOS Stream 10 for some reason, but I assume it has it.
Other RHEL variants weren’t checked, but they should have it.
Normally its always present on desktops but often missing from minimal server installs.
But it is remote desktop software, which only works if the system has a GUI, so I think it is reasonable to add policycoreutils-python-utils to the Recommends: or Requires: section of the rpm spec file.
I’m testing by running commands directly in the custom image; getenforce returns Disabled, which means the command inside the if never runs:
bash-5.2# getenforce
Disabled
The AI kept saying I should check the SELinux status before running the semanage and restorecon commands because they may fail, but from my testing, they do not:
bash-5.2# semanage fcontext -a -t bin_t "/usr/lib/rustdesk/rustdesk"
libsemanage.semanage_rename: WARNING: rename(/etc/selinux/targeted/active, /etc/selinux/targeted/previous) failed: Invalid cross-device link, fall back to non-atomic semanage_copy_dir_flags()
bash-5.2# echo $?
0
bash-5.2# restorecon -v "/usr/lib/rustdesk/rustdesk"
bash-5.2# echo $?
0