Re: [CentOS] Issues trying to change the selinux context

2019-05-08 Thread Jonathan Billings
On Wed, May 08, 2019 at 01:04:02PM -0400, mark wrote:
> Hmmm, didn't complain when I did that... but they're still bin_t, not lib_t.

'semanage fcontext ...' updates the policy, but doesn't actually
change the context on the paths (which may or may not even exist at
the time the command runs).

Run 'restorecon -r -v /your/path/with/actual/files' to reassign the
selinux attributes to reflect the new fcontext policy.

-- 
Jonathan Billings 
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Issues trying to change the selinux context

2019-05-08 Thread Warren Young
On May 8, 2019, at 11:44 AM, mark  wrote:
> 
> Warren Young wrote:
>> On May 8, 2019, at 11:04 AM, mark  wrote:
>> 
>>> 
>>> semanage fcontext -m -t lib_t "/path/smwa/webagent/bin/*.so"
>> 
>> Glob expansion doesn’t happen in double quotes.  Not in Bash, anyway.
> 
> Huh? I thought it didn't occur in single quotes, but did occur in quotes.

Nope.  The only difference I’m aware of is that single quotes prevent variable 
expansion (echo "hello $USER") while double quotes do not.

> semanage insists on having the filespec in quotes.

No, it just takes a single file spec, which may name a single file or it may be 
a regex.  This, the parens issue, and the symptom you notice with looking at 
the permission on individual contained files are explained in point 2 of the 
section "Changing a Directory's Type" here:


https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html

   
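The two points in the reply above, as an added example that is not part of the original thread: double quotes keep the shell from expanding the glob, and the file spec that reaches semanage is then matched as a regular expression against the whole path. `grep -Ex` stands in for the real matcher (an assumption), and the function names and file names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; runs without SELinux, using constructed paths.

# Print how many arguments a command would receive.
count_args() { echo "$#"; }

# Emulate file-context matching: the spec is a regex that must match the
# entire path (grep -x anchors both ends). grep -E is a stand-in here.
spec_matches() {   # usage: spec_matches SPEC PATH
    printf '%s\n' "$2" | grep -Eqx -e "$1"
}

# Print the paths from the argument list that SPEC would label.
labelled_by() {    # usage: labelled_by SPEC PATH...
    spec=$1; shift
    for p in "$@"; do
        if spec_matches "$spec" "$p"; then echo "$p"; fi
    done
}

# Argument counts for an unquoted, double-quoted and single-quoted glob
# in a scratch directory holding two .so files and one other file.
glob_demo() {
    d=$(mktemp -d) || return 1
    touch "$d/libsm.so" "$d/libagent.so" "$d/smagent"
    echo "$(count_args "$d"/*.so) $(count_args "$d/*.so") $(count_args '*.so')"
    rm -rf "$d"
}

BIN=/path/smwa/webagent/bin     # directory name as written in the thread
SO="$BIN/libsm.so"              # constructed file names
EXE="$BIN/smagent"

echo "args (unquoted, double, single): $(glob_demo)"
# Glob-style spec read as a regex: '/*' is "zero or more slashes" and
# '.so' is "any character, then so", so no library name matches.
echo "glob-style spec labels: $(labelled_by "$BIN/*.so" "$SO" "$EXE")"
# Regex spec that matches every path under bin ending in .so.
echo "regex spec labels:      $(labelled_by "$BIN/.*\.so" "$SO" "$EXE")"
# Man-page style spec: the directory and everything beneath it.
echo "dir-tree spec labels:   $(labelled_by "$BIN(/.*)?" "$SO" "$EXE" | tr '\n' ' ')"
```

A spec that matches only changes policy; as noted elsewhere in the thread, `restorecon` is what applies it to files that already exist.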


Re: [CentOS] Issues trying to change the selinux context

2019-05-08 Thread mark
Warren Young wrote:
> On May 8, 2019, at 11:04 AM, mark  wrote:
>
>>
>> semanage fcontext -m -t lib_t "/path/smwa/webagent/bin/*.so"
>
> Glob expansion doesn’t happen in double quotes.  Not in Bash, anyway.

Huh? I thought it didn't occur in single quotes, but did occur in quotes.

Odd, I'm seeing it doesn't, at least in a basic test. On the other hand,
from the example in the man page, semanage insists on having the filespec
in quotes.

mark



Re: [CentOS] Issues trying to change the selinux context

2019-05-08 Thread Warren Young
On May 8, 2019, at 11:04 AM, mark  wrote:
> 
> semanage fcontext -m -t lib_t "/path/smwa/webagent/bin/*.so"

Glob expansion doesn’t happen in double quotes.  Not in Bash, anyway.


Re: [CentOS] Issues trying to change the selinux context

2019-05-08 Thread mark
Warren Young wrote:
> On May 8, 2019, at 9:31 AM, mark  wrote:
>
>> semanage -fcontext -a -t lib_t "//smwa/webagent/bin(/.*).so"
>
> [snip]
>
>> What am I doing wrong?
>>

> Also, I’m confused by the parens in your file path.  Whether your shell
> is or not is a different question.

I'm following the manpage, semanage-fcontext, example as much as possible.
EXAMPLE
   remember to run restorecon after you set the file context
   Add file-context for everything under /web
   # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
   # restorecon -R -v /web

If semanage worked "normally", I'd have been able to do
semanage fcontext -m -t lib_t "/path/smwa/webagent/bin/*.so"

Hmmm, didn't complain when I did that... but they're still bin_t, not lib_t.

On the selinux list, I was asked for the context of the directory, which
is bin_t, which might be correct... if the idiots of CA had a ./lib
directory, which they do not. Windows turkeys

   mark



Re: [CentOS] Issues trying to change the selinux context

2019-05-08 Thread Warren Young
On May 8, 2019, at 9:31 AM, mark  wrote:
> 
> semanage -fcontext -a -t lib_t "//smwa/webagent/bin(/.*).so"

[snip]

> What am I doing wrong?

-fcontext isn’t an option, it’s a verb; drop the dash.

Also, I’m confused by the parens in your file path.  Whether your shell is or 
not is a different question.


[CentOS] Issues trying to change the selinux context

2019-05-08 Thread mark
We're forced to use Siteminder, by CA, who have no clue what they're doing
in *nix. No packages, tarballs...

Anyway, I'm trying to clean up some stuff, and in /*/smwa/webagent/bin (all
their binaries, including .so's, are in there, duh...) I'm trying to set
the .so's to lib_t.
semanage -fcontext -a -t lib_t "//smwa/webagent/bin(/.*).so"

gives me the completely unexpected response of
semanage: error: argument subcommand: invalid choice: 'lib_t' (choose from
'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport',
'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive',
'dontaudit')

What am I doing wrong?

 mark

