lavabit / robox

The tools needed to robotically create/configure/provision a large number of operating systems, for a variety of hypervisors, using packer.

In Rocky linux image /etc/localtime is created with invalid SELinux type #234

Closed wietmann closed 2 years ago

wietmann commented 2 years ago

On Rocky Linux the /etc/localtime symlink is created by the common script https://github.com/lavabit/robox/blob/master/scripts/common/localtime.sh with SELinux type etc_t. However, the correct type is locale_t. This causes timedatectl to fail when changing the timezone:

[root@docker0 ~]# ls -Z /etc/localtime 
unconfined_u:object_r:etc_t:s0 /etc/localtime

[root@docker0 ~]# timedatectl set-timezone Europe/Moscow 
Failed to set time zone: Failed to update /etc/localtime

[root@docker0 ~]# audit2why < /var/log/audit/audit.log 
type=AVC msg=audit(1645011338.373:679): avc:  denied  { unlink } for  pid=4348 comm="timedatex" name="localtime" dev="dm-0" ino=67117496 scontext=system_u:system_r:timedatex_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=lnk_file permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

Possibly, there should be an additional step to restore the default security context on SELinux-enabled distros.

ladar commented 2 years ago

@wietmann the restorecon command will reset the SELinux context on a file or dir. Unfortunately we appear to be using a "common" config module for every distro. So we either need to make that script smarter (like using timedatectl if available, and/or detecting if SELinux is enabled and using chcon). But that would mean adding a context string, which might be different across distros. And not all distros come with restorecon by default.

Creating a distro-specific localtime.sh is another option, but also a pain. I'll add it to the list, but if you're good at bash scripting you're welcome to submit a PR with the changes.
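One way to write the time-zone step so the symlink does not keep the etc_t label, as an added example that is not the project's scripts/common/localtime.sh: it tries timedatectl first, falls back to the symlink plus restorecon (or chcon with the locale_t type the issue reports for Rocky Linux), and takes an optional ROOT prefix, which is an assumption added here so the link logic can be exercised outside a live system.

```shell
# Added example, not robox's localtime.sh. Usage: set_localtime ZONE [ROOT]
# ROOT is an assumed test/image-build prefix; with no ROOT the live system is changed.

selinux_active() {
    # 0 when an SELinux policy is loaded (Enforcing or Permissive), 1 otherwise
    command -v getenforce >/dev/null 2>&1 || return 1
    [ "$(getenforce 2>/dev/null)" != "Disabled" ]
}

set_localtime() {
    _zone=$1
    _root=${2:-}
    _zonefile="$_root/usr/share/zoneinfo/$_zone"
    [ -f "$_zonefile" ] || { echo "set_localtime: unknown time zone '$_zone'" >&2; return 1; }

    # Preferred on a live system: timedated validates the zone name and creates the
    # link with its default label. As the issue shows, it is denied when the existing
    # link is etc_t, so fall through to the manual path in that case.
    if [ -z "$_root" ] && command -v timedatectl >/dev/null 2>&1; then
        timedatectl set-timezone "$_zone" 2>/dev/null && return 0
    fi

    # Manual path: a relative target resolves on the live system and under ROOT alike
    ln -sfn "../usr/share/zoneinfo/$_zone" "$_root/etc/localtime" || return 1

    # Without this step the new link keeps etc_t and timedatex is denied unlink on it.
    # restorecon matches the full path, so only relabel when operating on the live root.
    if [ -z "$_root" ] && selinux_active; then
        if command -v restorecon >/dev/null 2>&1; then
            restorecon -F /etc/localtime || return 1
        else
            # Distros without restorecon: label the link itself (-h) with the type the
            # issue reports as correct on Rocky Linux; other policies may differ.
            chcon -h -t locale_t /etc/localtime || return 1
        fi
    fi
}

localtime_label() {
    # Prints the SELinux context of the symlink (what 'ls -Z' shows), "?" without SELinux
    stat -c %C "${1:-}/etc/localtime"
}
```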