selinux.vger.kernel.org archive mirror
* file context not being set on el7
From: Ted Toth @ 2018-09-20 21:35 UTC (permalink / raw)
  To: SELinux


I have something very much like the following in an fc file:
/usr/lib64/python2\.(6|7)/site-packages/xyz/paste     -- gen_context(system_u:object_r:jxyz_exec_t,s0)

and I use the same file on el6 and el7. On el6 the file is labeled as
specified in the python2.6 directory. However on el7 where the file gets
installed into python2.7 the file is not labeled correctly. On el7
`semanage fcontext -l | grep xyz` shows the file context expected but
`matchpathcon /usr/lib64/python2.7/site-packages/xyz/paste` does not return
the expected context and `restorecon -RFv /usr/lib64/python2.7/site-packages/xyz`
has no effect. The type xyz_exec_t
exists on both systems. It's probably something stupid I'm doing but I'm
just not seeing it. Has anyone else experienced similar issues?

Ted


* Re: file context not being set on el7
From: Petr Lautrbach @ 2018-09-21  8:58 UTC (permalink / raw)
  To: Ted Toth; +Cc: SELinux


Ted Toth <txtoth@gmail.com> writes:

> I have something very much like the following in an fc file:
> /usr/lib64/python2\.(6|7)/site-packages/xyz/paste     -- gen_context(system_u:object_r:jxyz_exec_t,s0)
>
> and I use the same file on el6 and el7. On el6 the file is labeled as
> specified in the python2.6 directory. However on el7 where the file gets
> installed into python2.7 the file is not labeled correctly. On el7
> `semanage fcontext -l | grep xyz` shows the file context expected but
> `matchpathcon /usr/lib64/python2.7/site-packages/xyz/paste` does not return
> the expected context and `restorecon -RFv /usr/lib64/python2.7/site-packages/xyz`
> has no effect. The type xyz_exec_t exists on both systems. It's probably
> something stupid I'm doing but I'm just not seeing it. Has anyone else
> experienced similar issues?
>

There's an equivalency rule /usr/lib64 -> /usr/lib on el7:

# semanage fcontext -a -t tmp_t '/usr/lib64/python2\.(6|7)/site-packages/xyz/paste'
ValueError: File spec /usr/lib64/python2\.(6|7)/site-packages/xyz/paste conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/python2\.(6|7)/site-packages/xyz/paste' instead

# semanage fcontext -a -t tmp_t '/usr/lib/python2\.(6|7)/site-packages/xyz/paste'

# matchpathcon /usr/lib64/python2.7/site-packages/xyz/paste
/usr/lib64/python2.7/site-packages/xyz/paste system_u:object_r:tmp_t:s0


Petr


* Re: file context not being set on el7
From: Ted Toth @ 2018-09-21 12:21 UTC (permalink / raw)
  To: pla >> Petr Lautrbach; +Cc: SELinux


On Fri, Sep 21, 2018 at 3:58 AM Petr Lautrbach <plautrba@redhat.com> wrote:

> There's an equivalency rule /usr/lib64 -> /usr/lib on el7:
>
> # semanage fcontext -a -t tmp_t '/usr/lib64/python2\.(6|7)/site-packages/xyz/paste'
> ValueError: File spec /usr/lib64/python2\.(6|7)/site-packages/xyz/paste conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/python2\.(6|7)/site-packages/xyz/paste' instead
>
> # semanage fcontext -a -t tmp_t '/usr/lib/python2\.(6|7)/site-packages/xyz/paste'
>
> # matchpathcon /usr/lib64/python2.7/site-packages/xyz/paste
> /usr/lib64/python2.7/site-packages/xyz/paste system_u:object_r:tmp_t:s0
>
>
> Petr
>

Thanks, where is this equivalency rule defined/documented?


* Re: file context not being set on el7
From: Ted Toth @ 2018-09-21 13:19 UTC (permalink / raw)
  To: pla >> Petr Lautrbach; +Cc: SELinux


On Fri, Sep 21, 2018 at 7:21 AM Ted Toth <txtoth@gmail.com> wrote:

> Thanks, where is this equivalency rule defined/documented?
>

/usr/lib(64)?/python... doesn't work either. How can I make it backward
compatible?


* Re: file context not being set on el7
From: Petr Lautrbach @ 2018-09-24 18:54 UTC (permalink / raw)
  To: Ted Toth; +Cc: pla >> Petr Lautrbach, SELinux


Ted Toth <txtoth@gmail.com> writes:

> On Fri, Sep 21, 2018 at 7:21 AM Ted Toth <txtoth@gmail.com> wrote:
>
>> Thanks, where is this equivalency rule defined/documented?
>>

You can see them at the end of 'semanage fcontext -l' output:

SELinux Distribution fcontext Equivalence 

/usr/local/lib64 = /usr/lib
/etc/systemd/system = /usr/lib/systemd/system
/run/systemd/system = /usr/lib/systemd/system
/run/systemd/generator = /usr/lib/systemd/system
/var/home = /home
/sbin = /usr/sbin
/var/roothome = /root
/usr/lib64 = /usr/lib
/var/lib/xguest/home = /home
/var/named/chroot/lib64 = /usr/lib
/var/named/chroot/usr/lib64 = /usr/lib
/run = /var/run
/usr/local/lib32 = /usr/lib
/lib64 = /usr/lib
/lib = /usr/lib
/run/lock = /var/lock


>
> /usr/lib(64)?/python... doesn't work either. How can I make it backward
> compatible?

'/usr/lib(64)?/python2\.(6|7)/site-packages/xyz/paste' works for me on
both el6 and el7.

Petr
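
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of how an equivalence rule rewrites the path prefix before the fc regex is tried, which is why a spec that begins with /usr/lib64 can never match on el7. The function and constant names are hypothetical, the rule list is a constructed subset of the one quoted above, and the el6 rule set is assumed to be empty.

```python
import re

# Constructed subset of the el7 "fcontext Equivalence" list quoted in the thread.
# The first rule whose source prefix matches is applied.
EL7_EQUIV = [("/usr/lib64", "/usr/lib"), ("/lib64", "/usr/lib"), ("/lib", "/usr/lib")]
# Assumption: el6 is modelled without a lib64 rule, consistent with the thread's
# report that the lib64 spec labels correctly there.
EL6_EQUIV = []

# Constructed sample inputs taken from the paths and specs in the thread.
PATH_EL6 = "/usr/lib64/python2.6/site-packages/xyz/paste"
PATH_EL7 = "/usr/lib64/python2.7/site-packages/xyz/paste"
SPEC_LIB64 = r"/usr/lib64/python2\.(6|7)/site-packages/xyz/paste"
SPEC_PORTABLE = r"/usr/lib(64)?/python2\.(6|7)/site-packages/xyz/paste"


def substitute(path, equiv):
    """Rewrite the path prefix the way an equivalence rule does before lookup."""
    for src, dst in equiv:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path, specs, equiv):
    """Return the type of the first spec matching the rewritten path, else None.

    Simplified: a real lookup also ranks competing specs by specificity.
    """
    key = substitute(path, equiv)
    for regex, setype in specs:
        if re.fullmatch(regex, key):  # fc specs are anchored at both ends
            return setype
    return None


def conflicts(spec, equiv):
    """List equivalence sources that a spec's literal prefix falls under."""
    return [src for src, _ in equiv if spec == src or spec.startswith(src + "/")]


if __name__ == "__main__":
    for name, spec in (("lib64 spec", SPEC_LIB64), ("portable spec", SPEC_PORTABLE)):
        specs = [(spec, "xyz_exec_t")]
        print(name, "el6:", lookup(PATH_EL6, specs, EL6_EQUIV),
              "el7:", lookup(PATH_EL7, specs, EL7_EQUIV),
              "conflicts on el7:", conflicts(spec, EL7_EQUIV))
```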

