* SELinux file context matching
@ 2016-02-02 17:48 Mark Steele
2016-02-02 18:15 ` Stephen Smalley
0 siblings, 1 reply; 5+ messages in thread
From: Mark Steele @ 2016-02-02 17:48 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 1142 bytes --]
Hi list,
I've got some file contexts setup for an application, and can't get the
file context matching to work as I would expect.
[root@dev1 policy]# cat /etc/selinux/targeted/contexts/files/file_contexts
| grep cinched
/etc/cinched(/.*)? system_u:object_r:ts_etc_t:s0
/var/log/cinched(/.*)? system_u:object_r:ts_log_t:s0
/var/lib/cinched(/.*)? system_u:object_r:ts_t:s0
*/usr/lib64/cinched(/.*)? system_u:object_r:ts_lib_t:s0*
/etc/bash_completion.d/cinched_bash_completions
system_u:object_r:ts_etc_t:s0
/var/log/cinched/audit(/.*)? system_u:object_r:ts_audit_log_t:s0
/usr/sbin/cinched system_u:object_r:ts_exec_t:s0
[root@dev1 policy]# matchpathcon /usr/lib64/cinched/
*/usr/lib64/cinched system_u:object_r:lib_t:s0*
[root@dev1 policy]# findcon
/etc/selinux/targeted/contexts/files/file_contexts -p /usr/lib64/cinched
/.* system_u:object_r:default_t:s0
/usr/.* system_u:object_r:usr_t:s0
*/usr/lib64/cinched(/.*)? system_u:object_r:ts_lib_t:s0*
This is running on CentOS 7. I was assuming that since my rule has the
longest stem, it would be applied.
Any suggestions?
[-- Attachment #2: Type: text/html, Size: 1717 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: SELinux file context matching
2016-02-02 17:48 SELinux file context matching Mark Steele
@ 2016-02-02 18:15 ` Stephen Smalley
2016-02-02 18:26 ` Jason Zaman
2016-02-02 18:31 ` Mike Palmiotto
0 siblings, 2 replies; 5+ messages in thread
From: Stephen Smalley @ 2016-02-02 18:15 UTC (permalink / raw)
To: Mark Steele, selinux
On 02/02/2016 12:48 PM, Mark Steele wrote:
> Hi list,
>
> I've got some file contexts setup for an application, and can't get the
> file context matching to work as I would expect.
>
> [root@dev1 policy]# cat
> /etc/selinux/targeted/contexts/files/file_contexts | grep cinched
> /etc/cinched(/.*)? system_u:object_r:ts_etc_t:s0
> /var/log/cinched(/.*)? system_u:object_r:ts_log_t:s0
> /var/lib/cinched(/.*)? system_u:object_r:ts_t:s0
> */usr/lib64/cinched(/.*)? system_u:object_r:ts_lib_t:s0*
> /etc/bash_completion.d/cinched_bash_completions
> system_u:object_r:ts_etc_t:s0
> /var/log/cinched/audit(/.*)? system_u:object_r:ts_audit_log_t:s0
> /usr/sbin/cinched system_u:object_r:ts_exec_t:s0
>
> [root@dev1 policy]# matchpathcon /usr/lib64/cinched/
> */usr/lib64/cinched system_u:object_r:lib_t:s0*
>
> [root@dev1 policy]# findcon
> /etc/selinux/targeted/contexts/files/file_contexts -p /usr/lib64/cinched
> /.* system_u:object_r:default_t:s0
> /usr/.* system_u:object_r:usr_t:s0
> */usr/lib64/cinched(/.*)? system_u:object_r:ts_lib_t:s0*
>
>
> This is running on CentOS 7. I was assuming that since my rule has the
> longest stem, it would be applied.
>
> Any suggestions?
It would help to see the complete file_contexts file.
Do you have anything in file_contexts.local that could be overriding it?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: SELinux file context matching
2016-02-02 18:15 ` Stephen Smalley
@ 2016-02-02 18:26 ` Jason Zaman
2016-02-02 18:31 ` Mike Palmiotto
1 sibling, 0 replies; 5+ messages in thread
From: Jason Zaman @ 2016-02-02 18:26 UTC (permalink / raw)
To: Mark Steele; +Cc: selinux
On Tue, Feb 02, 2016 at 01:15:51PM -0500, Stephen Smalley wrote:
> On 02/02/2016 12:48 PM, Mark Steele wrote:
> > Hi list,
> >
> > I've got some file contexts setup for an application, and can't get the
> > file context matching to work as I would expect.
> >
> > [root@dev1 policy]# cat
> > /etc/selinux/targeted/contexts/files/file_contexts | grep cinched
> > /etc/cinched(/.*)? system_u:object_r:ts_etc_t:s0
> > /var/log/cinched(/.*)? system_u:object_r:ts_log_t:s0
> > /var/lib/cinched(/.*)? system_u:object_r:ts_t:s0
> > */usr/lib64/cinched(/.*)? system_u:object_r:ts_lib_t:s0*
> > /etc/bash_completion.d/cinched_bash_completions
> > system_u:object_r:ts_etc_t:s0
> > /var/log/cinched/audit(/.*)? system_u:object_r:ts_audit_log_t:s0
> > /usr/sbin/cinched system_u:object_r:ts_exec_t:s0
> >
> > [root@dev1 policy]# matchpathcon /usr/lib64/cinched/
> > */usr/lib64/cinched system_u:object_r:lib_t:s0*
> >
> > [root@dev1 policy]# findcon
> > /etc/selinux/targeted/contexts/files/file_contexts -p /usr/lib64/cinched
> > /.* system_u:object_r:default_t:s0
> > /usr/.* system_u:object_r:usr_t:s0
> > */usr/lib64/cinched(/.*)? system_u:object_r:ts_lib_t:s0*
> >
> >
> > This is running on CentOS 7. I was assuming that since my rule has the
> > longest stem, it would be applied.
> >
> > Any suggestions?
>
> It would help to see the complete file_contexts file.
> Do you have anything in file_contexts.local that could be overriding it?
Also, file_contexts.subs*. /usr/lib64 and 32 are usually aliased to
/usr/lib so your fcontexts needs to be /usr/lib/cinched(/.*)? instead of
with the 64.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: SELinux file context matching
2016-02-02 18:15 ` Stephen Smalley
2016-02-02 18:26 ` Jason Zaman
@ 2016-02-02 18:31 ` Mike Palmiotto
2016-02-02 20:45 ` Mark Steele
1 sibling, 1 reply; 5+ messages in thread
From: Mike Palmiotto @ 2016-02-02 18:31 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Mark Steele, selinux
On Tue, Feb 2, 2016 at 1:15 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 02/02/2016 12:48 PM, Mark Steele wrote:
>>
>> Hi list,
>>
>> I've got some file contexts setup for an application, and can't get the
>> file context matching to work as I would expect.
>>
>> [root@dev1 policy]# cat
>> /etc/selinux/targeted/contexts/files/file_contexts | grep cinched
>> /etc/cinched(/.*)? system_u:object_r:ts_etc_t:s0
>> /var/log/cinched(/.*)? system_u:object_r:ts_log_t:s0
>> /var/lib/cinched(/.*)? system_u:object_r:ts_t:s0
>> */usr/lib64/cinched(/.*)? system_u:object_r:ts_lib_t:s0*
>> /etc/bash_completion.d/cinched_bash_completions
>> system_u:object_r:ts_etc_t:s0
>> /var/log/cinched/audit(/.*)? system_u:object_r:ts_audit_log_t:s0
>> /usr/sbin/cinched system_u:object_r:ts_exec_t:s0
>>
>> [root@dev1 policy]# matchpathcon /usr/lib64/cinched/
>> */usr/lib64/cinched system_u:object_r:lib_t:s0*
>>
>> [root@dev1 policy]# findcon
>> /etc/selinux/targeted/contexts/files/file_contexts -p /usr/lib64/cinched
>> /.* system_u:object_r:default_t:s0
>> /usr/.* system_u:object_r:usr_t:s0
>> */usr/lib64/cinched(/.*)? system_u:object_r:ts_lib_t:s0*
>>
>>
>> This is running on CentOS 7. I was assuming that since my rule has the
>> longest stem, it would be applied.
>>
>> Any suggestions?
>
>
> It would help to see the complete file_contexts file.
> Do you have anything in file_contexts.local that could be overriding it?
Also, it looks like file_context.subs_dist has the entry: '/usr/lib64
/usr/lib' on CentOS 7. Perhaps Mark's file entries should instead be
using /usr/lib/cinched?
--Mike
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: SELinux file context matching
2016-02-02 18:31 ` Mike Palmiotto
@ 2016-02-02 20:45 ` Mark Steele
0 siblings, 0 replies; 5+ messages in thread
From: Mark Steele @ 2016-02-02 20:45 UTC (permalink / raw)
To: Mike Palmiotto; +Cc: Stephen Smalley, selinux
[-- Attachment #1: Type: text/plain, Size: 1930 bytes --]
Thanks guys, I forgot to check the _dist file, switching to /usr/lib did
the trick.
Cheers,
Mark
On Tue, Feb 2, 2016 at 1:31 PM, Mike Palmiotto <
mike.palmiotto@crunchydata.com> wrote:
> On Tue, Feb 2, 2016 at 1:15 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > On 02/02/2016 12:48 PM, Mark Steele wrote:
> >>
> >> Hi list,
> >>
> >> I've got some file contexts setup for an application, and can't get the
> >> file context matching to work as I would expect.
> >>
> >> [root@dev1 policy]# cat
> >> /etc/selinux/targeted/contexts/files/file_contexts | grep cinched
> >> /etc/cinched(/.*)? system_u:object_r:ts_etc_t:s0
> >> /var/log/cinched(/.*)? system_u:object_r:ts_log_t:s0
> >> /var/lib/cinched(/.*)? system_u:object_r:ts_t:s0
> >> */usr/lib64/cinched(/.*)? system_u:object_r:ts_lib_t:s0*
> >> /etc/bash_completion.d/cinched_bash_completions
> >> system_u:object_r:ts_etc_t:s0
> >> /var/log/cinched/audit(/.*)? system_u:object_r:ts_audit_log_t:s0
> >> /usr/sbin/cinched system_u:object_r:ts_exec_t:s0
> >>
> >> [root@dev1 policy]# matchpathcon /usr/lib64/cinched/
> >> */usr/lib64/cinched system_u:object_r:lib_t:s0*
> >>
> >> [root@dev1 policy]# findcon
> >> /etc/selinux/targeted/contexts/files/file_contexts -p /usr/lib64/cinched
> >> /.* system_u:object_r:default_t:s0
> >> /usr/.* system_u:object_r:usr_t:s0
> >> */usr/lib64/cinched(/.*)? system_u:object_r:ts_lib_t:s0*
> >>
> >>
> >> This is running on CentOS 7. I was assuming that since my rule has the
> >> longest stem, it would be applied.
> >>
> >> Any suggestions?
> >
> >
> > It would help to see the complete file_contexts file.
> > Do you have anything in file_contexts.local that could be overriding it?
>
> Also, it looks like file_context.subs_dist has the entry: '/usr/lib64
> /usr/lib' on CentOS 7. Perhaps Mark's file entries should instead be
> using /usr/lib/cinched?
>
> --Mike
>
[-- Attachment #2: Type: text/html, Size: 2864 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-02-02 20:46 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-02 17:48 SELinux file context matching Mark Steele
2016-02-02 18:15 ` Stephen Smalley
2016-02-02 18:26 ` Jason Zaman
2016-02-02 18:31 ` Mike Palmiotto
2016-02-02 20:45 ` Mark Steele
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.