We're forced to use Siteminder, by CA, who have no clue what they're doing in *nix. No packages, tarballs...
Anyway, I'm trying to clean up some stuff, and in /*/smwa/webagent/bin (all their binaries, including .so's, are in there, duh...) I'm trying to set the .so's to lib_t:
semanage -fcontext -a -t lib_t "/<elided>/smwa/webagent/bin(/.*).so"
gives me the completely unexpected response of
semanage: error: argument subcommand: invalid choice: 'lib_t' (choose from 'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport', 'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive', 'dontaudit')
What am I doing wrong?
mark
There is no - for the fcontext action.
semanage fcontext ...
thomas
On 8 May 2019 17:31:13 CEST, mark m.roth@5-cent.us wrote:
We're forced to use Siteminder, by CA, who have no clue what they're doing in *nix. No packages, tarballs...
Anyway, I'm trying to clean up some stuff, and in /*/smwa/webagent/bin (all their binaries, including .so's, are in there, duh...) I'm trying to set the .so's to lib_t:
semanage -fcontext -a -t lib_t "/<elided>/smwa/webagent/bin(/.*).so"
gives me the completely unexpected response of
semanage: error: argument subcommand: invalid choice: 'lib_t' (choose from 'import', 'export', 'login', 'user', 'port', 'ibpkey', 'ibendport', 'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive', 'dontaudit')
What am I doing wrong?
mark
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
Thomas wrote:
There is no - for the fcontext action.
semanage fcontext ...
Duh... Yeah, a few minutes after I posted, I realized that, and it *seemed* to work. But now, I've got a different issue: I did a restorecon -rv /*/smwa/webagent/bin... and now all the .so's are bin_t, instead of lib_t.
Imho: longest path match wins.
Can you show your fcontext rules regarding that directory?
Tip: with `matchpathcon /path/...` you can check what context any path would get (existing or not (yet) existing paths) without changing anything on the fs.
On 8 May 2019 17:37:52 CEST, mark m.roth@5-cent.us wrote:
Thomas wrote:
There is no - for the fcontext action.
semanage fcontext ...
Duh... Yeah, a few minutes after I posted, I realized that, and it *seemed* to work. But now, I've got a different issue: I did a restorecon -rv /*/smwa/webagent/bin... and now all the .so's are bin_t, instead of lib_t.
Thomas wrote:
Imho: longest path match wins.
Can you show your fcontext rules regarding that directory?
Tip: with `matchpathcon /path/...` you can check what context any path would get (existing or not (yet) existing paths) without changing anything on the fs.
Ah, thanks. Did that, and the /<path>/smwa/webagent/bin is bin_t. Now, that might be right... but the idiots of CA, who only know Windows, do not have a ./lib, and all the .so's are in the bin directory... Am I going to have to live with that?
mark
On 5/8/19 1:05 PM, mark wrote:
Thomas wrote:
Imho: longest path match wins.
Can you show your fcontext rules regarding that directory?
Tip: with `matchpathcon /path/...` you can check what context any path would get (existing or not (yet) existing paths) without changing anything on the fs.
Ah, thanks. Did that, and the /<path>/smwa/webagent/bin is bin_t. Now, that might be right... but the idiots of CA, who only know Windows, do not have a ./lib, and all the .so's are in the bin directory... Am I going to have to live with that?
Fully specified pathnames (i.e. no regexes) win. But locally-added file_contexts entries should take precedence over system-provided ones anyway IIRC. What does
setfiles -d /etc/selinux/targeted/contexts/files/file_contexts /<path>/smwa/webagent/bin/foo.so
report? Note by the way that your regex only matches things that end in .so, so /path/smwa/webagent/bin itself wouldn't match. Also note that you should escape the dot (\.so) if you want it literally and not the regex match-any character.
On 5/8/19 1:52 PM, Stephen Smalley wrote:
On 5/8/19 1:05 PM, mark wrote:
Thomas wrote:
Imho: longest path match wins.
Can you show your fcontext rules regarding that directory?
Tip: with `matchpathcon /path/...` you can check what context any path would get (existing or not (yet) existing paths) without changing anything on the fs.
Ah, thanks. Did that, and the /<path>/smwa/webagent/bin is bin_t. Now, that might be right... but the idiots of CA, who only know Windows, do not have a ./lib, and all the .so's are in the bin directory... Am I going to have to live with that?
Fully specified pathnames (i.e. no regexes) win. But locally-added file_contexts entries should take precedence over system-provided ones anyway IIRC. What does
setfiles -d /etc/selinux/targeted/contexts/files/file_contexts /<path>/smwa/webagent/bin/foo.so
report? Note by the way that your regex only matches things that end in .so, so /path/smwa/webagent/bin itself wouldn't match. Also note that you should escape the dot (\.so) if you want it literally and not the regex match-any character.
What is in that <path> prefix might make a difference. Anyway, the following contrived example seemed to work correctly (on Fedora):

# mkdir -p /opt/foo/bin
# touch /opt/foo/bin/libc.so
# restorecon -rv /opt/foo
Relabeled /opt/foo/bin from unconfined_u:object_r:usr_t:s0 to unconfined_u:object_r:bin_t:s0
Relabeled /opt/foo/bin/libc.so from unconfined_u:object_r:usr_t:s0 to unconfined_u:object_r:bin_t:s0
# semanage fcontext -a -t lib_t "/opt/foo/bin/.*.so(.[0-9]+)*"
# touch /opt/foo/bin/libc.so.9
# touch /opt/foo/bin/libc.so.1.0.3
# restorecon -Rv /opt/foo
Relabeled /opt/foo/bin/libc.so.9 from unconfined_u:object_r:bin_t:s0 to unconfined_u:object_r:lib_t:s0
Relabeled /opt/foo/bin/libc.so.1.0.3 from unconfined_u:object_r:bin_t:s0 to unconfined_u:object_r:lib_t:s0
Relabeled /opt/foo/bin/libc.so from unconfined_u:object_r:bin_t:s0 to unconfined_u:object_r:lib_t:s0
Stephen Smalley wrote:
On 5/8/19 1:05 PM, mark wrote:
Thomas wrote:
Imho: longest path match wins.
Can you show your fcontext rules regarding that directory?
Tip: with `matchpathcon /path/...` you can check what context any path would get (existing or not (yet) existing paths) without changing anything on the fs.
Ah, thanks. Did that, and the /<path>/smwa/webagent/bin is bin_t. Now, that might be right... but the idiots of CA, who only know Windows, do not have a ./lib, and all the .so's are in the bin directory... Am I going to have to live with that?
Fully specified pathnames (i.e. no regexes) win. But locally-added file_contexts entries should take precedence over system-provided ones anyway IIRC. What does
setfiles -d /etc/selinux/targeted/contexts/files/file_contexts /<path>/smwa/webagent/bin/foo.so
report? Note by the way that your regex only matches things that end in .so, so /path/smwa/webagent/bin itself wouldn't match. Also note that you should escape the dot (\.so) if you want it literally and not the regex match-any character.
OK, I just looked, and it looks like the last semanage command,
semanage fcontext -a -t lib_t "/<path>/smwa/webagent/bin/*.so"
followed by the restorecon worked.
My original attempt was trying to use the example in the manpage, and that didn't work when I only wanted to change the context of the .so's.
It would be good to see another example in the manpage for semanage-fcontext that shows how to do what I wanted - not change everything in a directory, but just a subset.
Thanks to all.
mark
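To see the rules Thomas and Stephen describe above (longest literal prefix wins, a fully specified path beats any regex, local entries load after the base file, every spec is anchored, an unescaped dot matches any character) applied to the exact patterns that came up in this thread, here is an added Python model of the matchpathcon lookup. It is illustration written for this page, not code from the list, from libselinux or from CA: the precedence rules are a simplified reading of libselinux's label_file.c and are an assumption, the three system lines are constructed stand-ins for the real policy, /opt is an assumed replacement for the elided vendor prefix, and file names such as lasso and libfoo.so are invented. What it shows that the prose does not: `bin(/.*).so` also catches an executable called lasso; in `bin/*.so` the `*` is a regex quantifier on the preceding `/`, not a shell glob; and `bin/.*\.so(\.[0-9]+)*` labels only the .so files and their versioned names while leaving the directory and the executables as bin_t. On a real host the authoritative check is `matchpathcon` or `setfiles -d` against the installed file_contexts, as suggested above.

```python
"""Model of how libselinux picks a file_contexts entry for a path (what
matchpathcon / setfiles -d report). Added illustration for this thread, not
code from the list, from libselinux or from the CA agent. The precedence is a
simplified reading of libselinux's label_file.c (an assumption): every spec is
anchored (^...$); a spec without regex metacharacters is an exact comparison;
exact specs are tried before regex specs, longer literal prefixes before
shorter ones, later-loaded entries (file_contexts.local) before earlier ones.
Policy lines, paths and contexts are constructed; /opt stands in for the
vendor prefix the thread elided.
"""
import re
from typing import Dict, List, Optional, Tuple

_META = set(".^$?*+|[](){}\\")  # characters that make a spec a regex, not a literal


def has_meta(spec: str) -> bool:
    return any(c in _META for c in spec)


def literal_prefix_len(spec: str) -> int:
    """Length of the leading run of characters before the first metacharacter."""
    for i, c in enumerate(spec):
        if c in _META:
            return i
    return len(spec)


class FileContexts:
    """Ordered file_contexts entries with a matchpathcon-style lookup."""

    def __init__(self) -> None:
        self._specs: List[Tuple[int, str, str]] = []  # (load order, spec, context)

    def load(self, text: str) -> None:
        """Append entries from file_contexts-style text: <spec> [-type] <context>."""
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if line:
                fields = line.split()  # an optional -d/-l file-type field is ignored here
                self._specs.append((len(self._specs), fields[0], fields[-1]))

    def lookup(self, path: str) -> Optional[str]:
        """Return the context of the most specific matching spec, or None."""
        ranked = sorted(self._specs, reverse=True,
                        key=lambda s: (not has_meta(s[1]), literal_prefix_len(s[1]), s[0]))
        for _, spec, context in ranked:
            if has_meta(spec):
                if re.fullmatch(spec, path):  # anchored, as libselinux compiles ^spec$
                    return context
            elif spec == path:
                return context
        return None

    def type_of(self, path: str) -> str:
        ctx = self.lookup(path)
        return ctx.split(":")[2] if ctx else "<<none>>"


# Constructed stand-in for the distribution file_contexts lines that matter here;
# the types are the ones the thread's matchpathcon/restorecon output shows for /opt.
SYSTEM_FC = """
/opt(/.*)?                   system_u:object_r:usr_t:s0
/opt/(.*/)?bin(/.*)?         system_u:object_r:bin_t:s0
/opt/(.*/)?lib(64)?(/.*)?    system_u:object_r:lib_t:s0
"""

# Candidate file_contexts.local contents, one per rule shape seen in the thread.
LOCAL_RULES = {
    # the first pattern posted: the dot before "so" is unescaped
    "original": r"/opt/smwa/webagent/bin(/.*).so            system_u:object_r:lib_t:s0",
    # the worked-example pattern with its dots escaped, as advised above
    "escaped": r"/opt/smwa/webagent/bin/.*\.so(\.[0-9]+)*   system_u:object_r:lib_t:s0",
    # shell-glob habit: in a spec, * is a regex quantifier on the preceding "/"
    "glob_style": r"/opt/smwa/webagent/bin/*.so              system_u:object_r:lib_t:s0",
    # an exact (metachar-free) entry outranks any regex entry, whatever its position
    "original_plus_exact": "/opt/smwa/webagent/bin/lasso   system_u:object_r:bin_t:s0\n"
                           r"/opt/smwa/webagent/bin(/.*).so   system_u:object_r:lib_t:s0",
}

SAMPLE_PATHS = [
    "/opt/smwa/webagent/bin",                  # the directory itself
    "/opt/smwa/webagent/bin/webagent",         # an executable next to the .so's
    "/opt/smwa/webagent/bin/lasso",            # an executable whose name ends in "sso"
    "/opt/smwa/webagent/bin/libfoo.so",
    "/opt/smwa/webagent/bin/libfoo.so.1.0.3",  # versioned soname
    "/opt/smwa/webagent/conf/agent.conf",      # outside bin/: only the /opt rule applies
]


def label_with(local_fc: str) -> Dict[str, str]:
    """Type each SAMPLE_PATH gets from SYSTEM_FC plus the given local entries."""
    fc = FileContexts()
    fc.load(SYSTEM_FC)
    fc.load(local_fc)
    return {path: fc.type_of(path) for path in SAMPLE_PATHS}


if __name__ == "__main__":
    for name, local_fc in LOCAL_RULES.items():
        print(f"\nfile_contexts.local = {name}")
        for path, ftype in label_with(local_fc).items():
            print(f"  {path:42} {ftype}")
```

Running the file prints one table per candidate rule; label_with() returns the same mapping for use in a script, so a rule can be checked against the names it must and must not catch before it is handed to semanage.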