10:31 a.m.
We're forced to use Siteminder, by CA, who have no clue what they're doing
in *nix. No packages, tarballs...
Anyway, I'm trying clean up some stuff, and in /*/smwa/webagent/bin (all
their binaries, including .so's, are in there, duh... I'm trying to set
the .so's to lib_t.
semanage -fcontext -a -t lib_t "/<elided>/smwa/webagent/bin(/.*).so"
gives me the completely unexpected response of
semanage: error: argument subcommand: invalid choice: 'lib_t' (choose from
'import', 'export', 'login', 'user', 'port',
'ibpkey', 'ibendport',
'interface', 'module', 'node', 'fcontext',
'boolean', 'permissive',
'dontaudit')
What am I doing wrong?
mark
10:33 a.m.
there is no - for the fcontext action.
semanage fcontext ...
thomas
Am 8. Mai 2019 17:31:13 MESZ schrieb mark <m.roth(a)5-cent.us>:
We're forced to use Siteminder, by CA, who have no clue what
they're
doing
in *nix. No packages, tarballs...
Anyway, I'm trying clean up some stuff, and in /*/smwa/webagent/bin
(all
their binaries, including .so's, are in there, duh... I'm trying to set
the .so's to lib_t.
semanage -fcontext -a -t lib_t "/<elided>/smwa/webagent/bin(/.*).so"
gives me the completely unexpected response of
semanage: error: argument subcommand: invalid choice: 'lib_t' (choose
from
'import', 'export', 'login', 'user', 'port',
'ibpkey', 'ibendport',
'interface', 'module', 'node', 'fcontext',
'boolean', 'permissive',
'dontaudit')
What am I doing wrong?
mark
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
10:37 a.m.
Thomas wrote:
there is no - for the fcontext action.
semanage fcontext ...
Duh... Yeah, a few minutes after I posted, I realized that, and it
*seemed* to work. But now, I've got a different issue: I did a restorecon
-rv /*/smwa/webagent/bin... and now all the .so's are bin_t, instead of
lib_t
thomas
Am 8. Mai 2019 17:31:13 MESZ schrieb mark <m.roth(a)5-cent.us>:
> We're forced to use Siteminder, by CA, who have no clue what they're
> doing in *nix. No packages, tarballs...
>
> Anyway, I'm trying clean up some stuff, and in /*/smwa/webagent/bin
> (all
> their binaries, including .so's, are in there, duh... I'm trying to set
> the .so's to lib_t. semanage -fcontext -a -t lib_t
> "/<elided>/smwa/webagent/bin(/.*).so"
>
>
> gives me the completely unexpected response of semanage: error: argument
> subcommand: invalid choice: 'lib_t' (choose
> from 'import', 'export', 'login', 'user',
'port', 'ibpkey', 'ibendport',
> 'interface', 'module', 'node', 'fcontext',
'boolean', 'permissive',
> 'dontaudit')
>
>
> What am I doing wrong?
>
>
> mark
>
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org To unsubscribe
> send an email to selinux-leave(a)lists.fedoraproject.org Fedora Code of
> Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraprojec
> t.org
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org To unsubscribe send
an email to selinux-leave(a)lists.fedoraproject.org Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject
.org
10:44 a.m.
Imho: longest path match wins.
can you show your fcontext rules regarding that directory?
tip: with `matchpathcon /path/...` you can try any path what context it would get
(existing or not (yet) existing paths) without changing anything on the fs.
Am 8. Mai 2019 17:37:52 MESZ schrieb mark <m.roth(a)5-cent.us>:
Thomas wrote:
> there is no - for the fcontext action.
>
> semanage fcontext ...
>
Duh... Yeah, a few minutes after I posted, I realized that, and it
*seemed* to work. But now, I've got a different issue: I did a
restorecon
-rv /*/smwa/webagent/bin... and now all the .so's are bin_t, instead of
lib_t
> thomas
>
> Am 8. Mai 2019 17:31:13 MESZ schrieb mark <m.roth(a)5-cent.us>:
>
>> We're forced to use Siteminder, by CA, who have no clue what they're
>> doing in *nix. No packages, tarballs...
>>
>> Anyway, I'm trying clean up some stuff, and in /*/smwa/webagent/bin
>> (all
>> their binaries, including .so's, are in there, duh... I'm trying to
set
>> the .so's to lib_t. semanage -fcontext -a -t lib_t
>> "/<elided>/smwa/webagent/bin(/.*).so"
>>
>>
>> gives me the completely unexpected response of semanage: error:
argument
>> subcommand: invalid choice: 'lib_t' (choose
>> from 'import', 'export', 'login', 'user',
'port', 'ibpkey',
'ibendport',
>> 'interface', 'module', 'node', 'fcontext',
'boolean', 'permissive',
>> 'dontaudit')
>>
>>
>> What am I doing wrong?
>>
>>
>> mark
>>
>> _______________________________________________
>> selinux mailing list -- selinux(a)lists.fedoraproject.org To
unsubscribe
>> send an email to selinux-leave(a)lists.fedoraproject.org Fedora Code
of
>> Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraprojec
>> t.org
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org To
unsubscribe send
> an email to selinux-leave(a)lists.fedoraproject.org Fedora Code of
Conduct:
> https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject
> .org
>
>
12:05 p.m.
Thomas wrote:
Imho: longest path match wins.
can you show your fcontext rules regarding that directory?
tip: with `matchpathcon /path/...` you can try any path what context it
would get (existing or not (yet) existing paths) without changing
anything on the fs.
Ah, thanks. Did that, and the /<path>/smwa/webagent/bin is bin_t. Now,
that might be right... but the idiots of CA, who only know Windows, do not
have a ./lib, and all the .so's are in the bin directory... Am I going to
have to live with that?
mark
Am 8. Mai 2019 17:37:52 MESZ schrieb mark <m.roth(a)5-cent.us>:
> Thomas wrote:
>
>> there is no - for the fcontext action.
>>
>> semanage fcontext ...
>>
> Duh... Yeah, a few minutes after I posted, I realized that, and it
> *seemed* to work. But now, I've got a different issue: I did a
> restorecon -rv /*/smwa/webagent/bin... and now all the .so's are bin_t,
> instead of lib_t
>
>
>> thomas
>>
>> Am 8. Mai 2019 17:31:13 MESZ schrieb mark <m.roth(a)5-cent.us>:
>>
>>
>>> We're forced to use Siteminder, by CA, who have no clue what
>>> they're doing in *nix. No packages, tarballs...
>>>
>>> Anyway, I'm trying clean up some stuff, and in /*/smwa/webagent/bin
>>> (all
>>> their binaries, including .so's, are in there, duh... I'm trying to
> set
>>> the .so's to lib_t. semanage -fcontext -a -t lib_t
>>> "/<elided>/smwa/webagent/bin(/.*).so"
>>>
>>>
>>>
>>> gives me the completely unexpected response of semanage: error:
> argument
>>> subcommand: invalid choice: 'lib_t' (choose
>>> from 'import', 'export', 'login', 'user',
'port', 'ibpkey',
> 'ibendport',
>
>>> 'interface', 'module', 'node', 'fcontext',
'boolean', 'permissive',
>>> 'dontaudit')
>>>
>>>
>>>
>>> What am I doing wrong?
>>>
>>>
>>>
>>> mark
>>>
>>> _______________________________________________
>>> selinux mailing list -- selinux(a)lists.fedoraproject.org To
> unsubscribe
>>> send an email to selinux-leave(a)lists.fedoraproject.org Fedora Code
> of
>>> Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines:
>>>
> https://fedoraproject.org/wiki/Mailing_list_guidelines
>
>>> List Archives:
>>>
>>>
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproje
> c
>>> t.org
>> _______________________________________________
>> selinux mailing list -- selinux(a)lists.fedoraproject.org To
> unsubscribe send
>> an email to selinux-leave(a)lists.fedoraproject.org Fedora Code of
> Conduct:
>
>> https://getfedora.org/code-of-conduct.html
>> List Guidelines:
>>
> https://fedoraproject.org/wiki/Mailing_list_guidelines
>
>> List Archives:
>>
>>
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproje
> ct
>> .org
>>
>>
>>
12:52 p.m.
On 5/8/19 1:05 PM, mark wrote:
Thomas wrote:
> Imho: longest path match wins.
>
>
> can you show your fcontext rules regarding that directory?
>
> tip: with `matchpathcon /path/...` you can try any path what context it
> would get (existing or not (yet) existing paths) without changing
> anything on the fs.
>
Ah, thanks. Did that, and the /<path>/smwa/webagent/bin is bin_t. Now,
that might be right... but the idiots of CA, who only know Windows, do not
have a ./lib, and all the .so's are in the bin directory... Am I going to
have to live with that?
Fully specified pathnames (i.e. no regexes) win. But locally-added file
contexts entries should take precedence over system-provided ones anyway
IIRC. What does setfiles -d
/etc/selinux/targeted/contexts/files/file_contexts
/<path>/smwa/webagent/bin/foo.so report? Note by the way that your
regex only matches things that end in .so, so /path/smwa/webagent/bin
itself wouldn't match. Also note that you should escape the dot (\.so)
if you want it literally and not the regex match-any character.
mark
> Am 8. Mai 2019 17:37:52 MESZ schrieb mark <m.roth(a)5-cent.us>:
>
>> Thomas wrote:
>>
>>> there is no - for the fcontext action.
>>>
>>> semanage fcontext ...
>>>
>> Duh... Yeah, a few minutes after I posted, I realized that, and it
>> *seemed* to work. But now, I've got a different issue: I did a
>> restorecon -rv /*/smwa/webagent/bin... and now all the .so's are bin_t,
>> instead of lib_t
>>
>>
>>> thomas
>>>
>>> Am 8. Mai 2019 17:31:13 MESZ schrieb mark <m.roth(a)5-cent.us>:
>>>
>>>
>>>> We're forced to use Siteminder, by CA, who have no clue what
>>>> they're doing in *nix. No packages, tarballs...
>>>>
>>>> Anyway, I'm trying clean up some stuff, and in /*/smwa/webagent/bin
>>>> (all
>>>> their binaries, including .so's, are in there, duh... I'm trying
to
>> set
>>>> the .so's to lib_t. semanage -fcontext -a -t lib_t
>>>> "/<elided>/smwa/webagent/bin(/.*).so"
>>>>
>>>>
>>>>
>>>> gives me the completely unexpected response of semanage: error:
>> argument
>>>> subcommand: invalid choice: 'lib_t' (choose
>>>> from 'import', 'export', 'login', 'user',
'port', 'ibpkey',
>> 'ibendport',
>>
>>>> 'interface', 'module', 'node',
'fcontext', 'boolean', 'permissive',
>>>> 'dontaudit')
>>>>
>>>>
>>>>
>>>> What am I doing wrong?
>>>>
>>>>
>>>>
>>>> mark
>>>>
>>>> _______________________________________________
>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org To
>> unsubscribe
>>>> send an email to selinux-leave(a)lists.fedoraproject.org Fedora Code
>> of
>>>> Conduct: https://getfedora.org/code-of-conduct.html
>>>> List Guidelines:
>>>>
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>
>>>> List Archives:
>>>>
>>>>
>> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproje
>> c
>>>> t.org
>>> _______________________________________________
>>> selinux mailing list -- selinux(a)lists.fedoraproject.org To
>> unsubscribe send
>>> an email to selinux-leave(a)lists.fedoraproject.org Fedora Code of
>> Conduct:
>>
>>> https://getfedora.org/code-of-conduct.html
>>> List Guidelines:
>>>
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>
>>> List Archives:
>>>
>>>
>> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproje
>> ct
>>> .org
>>>
>>>
>>>
>
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
1:07 p.m.
On 5/8/19 1:52 PM, Stephen Smalley wrote:
On 5/8/19 1:05 PM, mark wrote:
> Thomas wrote:
>> Imho: longest path match wins.
>>
>>
>> can you show your fcontext rules regarding that directory?
>>
>> tip: with `matchpathcon /path/...` you can try any path what context it
>> would get (existing or not (yet) existing paths) without changing
>> anything on the fs.
>>
> Ah, thanks. Did that, and the /<path>/smwa/webagent/bin is bin_t. Now,
> that might be right... but the idiots of CA, who only know Windows, do
> not
> have a ./lib, and all the .so's are in the bin directory... Am I going to
> have to live with that?
Fully specified pathnames (i.e. no regexes) win. But locally-added file
contexts entries should take precedence over system-provided ones anyway
IIRC. What does setfiles -d
/etc/selinux/targeted/contexts/files/file_contexts
/<path>/smwa/webagent/bin/foo.so report? Note by the way that your
regex only matches things that end in .so, so /path/smwa/webagent/bin
itself wouldn't match. Also note that you should escape the dot (\.so)
if you want it literally and not the regex match-any character.
What is in that <path> prefix might make a difference. Anyway, the
following contrived example seemed to work correctly (on Fedora):
# mkdir -p /opt/foo/bin
# touch /opt/foo/bin/libc.so
# restorecon -rv /opt/foo
Relabeled /opt/foo/bin from unconfined_u:object_r:usr_t:s0 to
unconfined_u:object_r:bin_t:s0
Relabeled /opt/foo/bin/libc.so from unconfined_u:object_r:usr_t:s0 to
unconfined_u:object_r:bin_t:s0
# semanage fcontext -a -t lib_t "/opt/foo/bin/.*\.so(\.[0-9]+)*"
# touch /opt/foo/bin/libc.so.9
# touch /opt/foo/bin/libc.so.1.0.3
# restorecon -Rv /opt/foo
Relabeled /opt/foo/bin/libc.so.9 from unconfined_u:object_r:bin_t:s0 to
unconfined_u:object_r:lib_t:s0
Relabeled /opt/foo/bin/libc.so.1.0.3 from unconfined_u:object_r:bin_t:s0
to unconfined_u:object_r:lib_t:s0
Relabeled /opt/foo/bin/libc.so from unconfined_u:object_r:bin_t:s0 to
unconfined_u:object_r:lib_t:s0
>
> mark
>> Am 8. Mai 2019 17:37:52 MESZ schrieb mark <m.roth(a)5-cent.us>:
>>
>>> Thomas wrote:
>>>
>>>> there is no - for the fcontext action.
>>>>
>>>> semanage fcontext ...
>>>>
>>> Duh... Yeah, a few minutes after I posted, I realized that, and it
>>> *seemed* to work. But now, I've got a different issue: I did a
>>> restorecon -rv /*/smwa/webagent/bin... and now all the .so's are bin_t,
>>> instead of lib_t
>>>
>>>
>>>> thomas
>>>>
>>>> Am 8. Mai 2019 17:31:13 MESZ schrieb mark <m.roth(a)5-cent.us>:
>>>>
>>>>
>>>>> We're forced to use Siteminder, by CA, who have no clue what
>>>>> they're doing in *nix. No packages, tarballs...
>>>>>
>>>>> Anyway, I'm trying clean up some stuff, and in
/*/smwa/webagent/bin
>>>>> (all
>>>>> their binaries, including .so's, are in there, duh... I'm
trying to
>>> set
>>>>> the .so's to lib_t. semanage -fcontext -a -t lib_t
>>>>> "/<elided>/smwa/webagent/bin(/.*).so"
>>>>>
>>>>>
>>>>>
>>>>> gives me the completely unexpected response of semanage: error:
>>> argument
>>>>> subcommand: invalid choice: 'lib_t' (choose
>>>>> from 'import', 'export', 'login',
'user', 'port', 'ibpkey',
>>> 'ibendport',
>>>
>>>>> 'interface', 'module', 'node',
'fcontext', 'boolean', 'permissive',
>>>>> 'dontaudit')
>>>>>
>>>>>
>>>>>
>>>>> What am I doing wrong?
>>>>>
>>>>>
>>>>>
>>>>> mark
>>>>>
>>>>> _______________________________________________
>>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org To
>>> unsubscribe
>>>>> send an email to selinux-leave(a)lists.fedoraproject.org Fedora Code
>>> of
>>>>> Conduct: https://getfedora.org/code-of-conduct.html
>>>>> List Guidelines:
>>>>>
>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>
>>>>> List Archives:
>>>>>
>>>>>
>>> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproje
>>> c
>>>>> t.org
>>>> _______________________________________________
>>>> selinux mailing list -- selinux(a)lists.fedoraproject.org To
>>> unsubscribe send
>>>> an email to selinux-leave(a)lists.fedoraproject.org Fedora Code of
>>> Conduct:
>>>
>>>> https://getfedora.org/code-of-conduct.html
>>>> List Guidelines:
>>>>
>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>
>>>> List Archives:
>>>>
>>>>
>>> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproje
>>> ct
>>>> .org
>>>>
>>>>
>>>>
>>
>
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>
>
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
1:18 p.m.
Stephen Smalley wrote:
On 5/8/19 1:05 PM, mark wrote:
> Thomas wrote:
>
>> Imho: longest path match wins.
>>
>> can you show your fcontext rules regarding that directory?
>>
>> tip: with `matchpathcon /path/...` you can try any path what context
>> it would get (existing or not (yet) existing paths) without changing
>> anything on the fs.
>>
> Ah, thanks. Did that, and the /<path>/smwa/webagent/bin is bin_t. Now,
> that might be right... but the idiots of CA, who only know Windows, do
> not have a ./lib, and all the .so's are in the bin directory... Am I
> going to have to live with that?
Fully specified pathnames (i.e. no regexes) win. But locally-added file
contexts entries should take precedence over system-provided ones anyway
IIRC. What does setfiles -d
/etc/selinux/targeted/contexts/files/file_contexts
/<path>/smwa/webagent/bin/foo.so report? Note by the way that your
regex only matches things that end in .so, so /path/smwa/webagent/bin
itself wouldn't match. Also note that you should escape the dot (\.so) if
you want it literally and not the regex match-any character.
Ok, I just looked, and it looks like the last semanage command,
semanage fcontext -a -t lib_t "/<path>/smwa/webagent/bin/*.so"
followed by the restorecon worked.
My original attempt was trying to use the example in the manpage, and that
didn't work when I only wanted to change the context of the .so's.
It would be good to see another example in the manpage for
semanage-fcontext that shows how to do what I wanted - not change
everything in a directory, but just a subset.
Thanks to all.
mark
1808
days inactive
1808
days old
selinux@lists.fedoraproject.org
7 comments
3 participants
participants (3)
-
mark -
Stephen Smalley -
Thomas