Help to verify this SELinux related scripts on atomic systems (chcon, bin_t)

Recently, RustDesk has pushed a PR that will change the security context of /usr/lib/rustdesk/rustdesk from lib_t to bin_t by adding this to rpm spec file:

# Change the security context of /usr/lib/rustdesk/rustdesk from `lib_t` to `bin_t`.
if command -v getenforce >/dev/null 2>&1; then
  if [ "$(getenforce)" == "Enforcing" ]; then
    file_security_context=$(ls -lZ /usr/lib/rustdesk/rustdesk 2>/dev/null | awk -F':' '{print $3}')
    if [ "${file_security_context}" == "lib_t" ]; then
      chcon -t bin_t /usr/lib/rustdesk/rustdesk || true
    fi
  fi
fi

I have tested it on traditional Fedora 41, and it works without any problems, but not on Aurora (installed with rpm-ostree layering) or Bluefin (custom image built on GH Actions), yet it works with the ghcr.io/ublue-os/kinoite-main:41 custom image? Very weird.

I thought it might be some weird behavior due to Atomic systems, so I tried dnf5 and rpm-ostree, but neither changed the results. So I manually ran the command that was added to the rpm spec file, but it returns the errors below; the restorecon one is from ChatGPT, but still nothing changed.

+ restorecon -v /usr/lib/rustdesk/rustdesk
+ chcon -t bin_t /usr/lib/rustdesk/rustdesk
chcon: can't apply partial context to unlabeled file '/usr/lib/rustdesk/rustdesk'

Unfortunately their change is a partial implementation of what is required.

Currently the file has no file context. When using chcon it is expecting there to be an existing file context. In this case you will need to provide the entire context.

chcon -u system_u -r object_r -t bin_t /usr/lib/rustdesk/rustdesk

Generally speaking I would recommend using semanage fcontext as well since chcon doesn’t actually update SELinux.

Realistically, I’m a bit confused on why this is being shipped as the mechanism to solve their SELinux issues. While it works it also means that restorecon would likely remove it.

To get things working you can use our old workaround items. An example is here: bazzite/system_files/desktop/shared/usr/lib/systemd/system/incus-workaround.service at 15969013f8005fad062e6bb455fd9fe021dc6c2b · ublue-os/bazzite · GitHub

For more explanation on this workaround see: SELinux Workarounds for binaries with the wrong label

Note restorecon won’t work unless you use semanage fcontext first to properly create a file context.


Thanks, after some ChatGPT stuff it returned this:

%post
# Modify the SELinux security context of /usr/lib/rustdesk/rustdesk from lib_t to bin_t.
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" == "Enforcing" ]; then
  # Check if semanage is available
  if command -v semanage >/dev/null 2>&1; then
    # Add a permanent file context rule
    semanage fcontext -a -t bin_t "/usr/lib/rustdesk/rustdesk" || {
      echo "Failed to add fcontext with semanage." >&2
      exit 1
    }
    # Apply the file context
    restorecon -v "/usr/lib/rustdesk/rustdesk" || {
      echo "Failed to restorecon for /usr/lib/rustdesk/rustdesk." >&2
      exit 1
    }
  else
    # If semanage is not available, attempt to use a complete chcon
    # %C prints the full context (user:role:type:level), so split on ':' to get the type field
    file_security_context=$(stat -c %C /usr/lib/rustdesk/rustdesk 2>/dev/null | awk -F':' '{print $3}')
    if [ "${file_security_context}" == "lib_t" ] || [ -z "${file_security_context}" ]; then
      chcon system_u:object_r:bin_t:s0 /usr/lib/rustdesk/rustdesk || {
        echo "Failed to change SELinux context for /usr/lib/rustdesk/rustdesk." >&2
        exit 1
      }
    fi
  fi
fi

So I tried manually adding

semanage fcontext -a -t bin_t "/usr/lib/rustdesk/rustdesk"
restorecon -v "/usr/lib/rustdesk/rustdesk"

to my custom image build, and it works, but I have a question: will [ "$(getenforce)" == "Enforcing" ] be true in the custom image build?

Or should I not check the SELinux status and only check that the command exists, because it won't bother anything if SELinux is disabled?

Second question: is the "# If semanage is not available, attempt to use a complete chcon" part required? semanage should exist on all SELinux-based distros?

semanage is not always present (I believe it's written in Python). Normally it's always present on desktops but often missing from minimal server installs.

I believe restorecon and chcon are always present.

Often, Fedora provides a second rpm that contains the resulting files that semanage produces so restorecon will work.


I found that semanage is in the policycoreutils-python-utils meta package, and it also pulls in policycoreutils as a dependency, which contains restorecon.

This package is available on:

  • Fedora 41
  • OpenSUSE Tumbleweed
  • OpenSUSE Leap 15.6
  • Redhat ubi 8, 9
  • CentOS Stream 9

I can't build the dnf cache on CentOS Stream 10 for some reason, but I assume it has it.

Other RHEL variants I didn't check, but they should have it.

Normally it's always present on desktops but often missing from minimal server installs.

But it is remote desktop software, which only works if the system has a GUI, and I think it is reasonable to add policycoreutils-python-utils to the Recommends: or Requires: section of the rpm spec file.

I'm testing by running commands directly in the custom image build; getenforce returns Disabled, which means the commands inside the if never run:

bash-5.2# getenforce
Disabled

The AI kept saying I should check the SELinux status before running the semanage and restorecon commands because they may fail, but from my testing, they do not:

bash-5.2# semanage fcontext -a -t bin_t "/usr/lib/rustdesk/rustdesk"
libsemanage.semanage_rename: WARNING: rename(/etc/selinux/targeted/active, /etc/selinux/targeted/previous) failed: Invalid cross-device link, fall back to non-atomic semanage_copy_dir_flags()
bash-5.2# echo $?
0
bash-5.2# restorecon -v "/usr/lib/rustdesk/rustdesk"
bash-5.2# echo $?
0

Cross posted on Fedora Discussions, thanks again! @m2Giles
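Pulling the thread together, here is an idempotent version of the %post helper, added as an example (it is not RustDesk's code, nor the spec PR's, nor anything from the ublue-os repos). It combines the full-context chcon fallback from the second reply with the semanage fcontext + restorecon path from the ChatGPT script, and drops the getenforce gate, since the build-container test above shows both commands exit 0 while getenforce reports Disabled. The path and the bin_t type come from the thread; the function names, the "--apply" flag, and the choice to fall back to `semanage fcontext -m` when the rule already exists (so a reinstall or upgrade does not fail the scriptlet) are my own assumptions. Without "--apply" the script only defines the functions, so the label-parsing and decision logic can be exercised without root or SELinux.

```shell
#!/usr/bin/env bash
# Added example, not RustDesk's own code. Assumes the binary path and target
# type discussed in the thread; everything else here is a hypothetical helper.
set -u

RUSTDESK_BIN="/usr/lib/rustdesk/rustdesk"
WANT_TYPE="bin_t"

# Extract the type from a full SELinux context: "system_u:object_r:lib_t:s0" -> "lib_t".
# An empty string or "?" (stat's output when the file carries no security xattr)
# yields "", so callers treat the file as unlabeled.
context_type() {
  ctx="$1"
  case "$ctx" in
    ""|"?"|"(null)") printf ''; return 0 ;;
  esac
  printf '%s' "$ctx" | awk -F':' 'NF >= 3 { print $3 }'
}

# Current type of a file, or "" when the file is missing or unlabeled.
file_type() {
  ctx=$(stat -c %C "$1" 2>/dev/null) || ctx=""
  context_type "$ctx"
}

# Decide what to do from (semanage available: yes/no, current type).
# Mirrors the thread's conditions: act only on lib_t or unlabeled files,
# leave bin_t alone ("none"), and do not clobber any other custom label ("skip").
plan_action() {
  have_semanage="$1"; cur_type="$2"
  if [ "$cur_type" = "$WANT_TYPE" ]; then echo none; return 0; fi
  if [ "$cur_type" != "lib_t" ] && [ -n "$cur_type" ]; then echo skip; return 0; fi
  if [ "$have_semanage" = "yes" ]; then echo semanage; else echo chcon; fi
}

# Apply the plan. No getenforce gate: semanage and restorecon succeed even when
# getenforce reports Disabled, which is exactly the image-build case.
relabel() {
  path="$1"
  have=no
  command -v semanage >/dev/null 2>&1 && have=yes
  action=$(plan_action "$have" "$(file_type "$path")")
  case "$action" in
    none|skip) return 0 ;;
    semanage)
      # -a fails with "already defined" on reinstall/upgrade; -m updates the rule.
      semanage fcontext -a -t "$WANT_TYPE" "$path" 2>/dev/null \
        || semanage fcontext -m -t "$WANT_TYPE" "$path" || return 1
      restorecon -v "$path" || return 1
      ;;
    chcon)
      # An unlabeled file rejects a partial context (-t alone), so supply the
      # whole user:role:type tuple. Note this is not persistent: a later
      # restorecon without a matching fcontext rule will revert it.
      chcon -u system_u -r object_r -t "$WANT_TYPE" "$path" || return 1
      ;;
  esac
  # Verify the resulting label instead of trusting exit codes alone.
  [ "$(file_type "$path")" = "$WANT_TYPE" ]
}

# Only perform the privileged change when explicitly asked, e.g. in %post.
if [ "${1:-}" = "--apply" ]; then
  relabel "$RUSTDESK_BIN"
fi
```

Run as root with `--apply` from the scriptlet; afterwards `semanage fcontext -l -C` should list the local rule, and `stat -c %C /usr/lib/rustdesk/rustdesk` should show bin_t even after a full `restorecon`, which is the property the plain chcon approach lacks.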