selinux.vger.kernel.org archive mirror
* [PATCH] semanage man pages: Add examples for -r RANGE flag usage
@ 2025-09-11 18:48 Pranav Lawate
  2025-09-29  8:56 ` Pranav Lawate
  0 siblings, 1 reply; 2+ messages in thread
From: Pranav Lawate @ 2025-09-11 18:48 UTC
  To: selinux; +Cc: Pranav Lawate, Vit Mojzis

Hello,
 This patch adds missing examples to the semanage-port and
semanage-fcontext man pages showing the correct usage of the -r RANGE
flag for MLS/MCS systems. Currently, users who try to use the -r flag
without proper examples often encounter unclear error messages when
they provide invalid range formats.

For example, here is a command with a wrong range string value:
~~~
# semanage fcontext -a -t admin_home_t -r s0.c0 /root/test
libsepol.mls_from_string: invalid MLS context s0.c0 (No such file or directory).
libsepol.mls_from_string: could not construct mls context structure
(No such file or directory).
libsepol.context_from_record: could not create context structure
(Invalid argument).
libsemanage.validate_handler: invalid context
system_u:object_r:admin_home_t:s0.c0 specified for /root/test [all
files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records
(Invalid argument).
OSError: Invalid argument
~~~
Similarly for port:
~~~
# semanage port -a -t http_port_t -p tcp -r s0.c0 8888
libsepol.mls_from_string: invalid MLS context s0.c0 (No such file or directory).
libsepol.mls_from_string: could not construct mls context structure
(No such file or directory).
libsepol.context_from_record: could not create context structure
(Invalid argument).
libsepol.port_from_record: could not create port structure for range
8888:8888 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 8888 - 8888
(tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value
(Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy (Invalid argument).
OSError: Invalid argument
~~~

My main motive is to come up with logic to handle this error better,
but before undertaking that big of a change I wanted to push a small
improvement to the code, and so I have added correct example strings of
MLS range into the man pages for semanage-fcontext and semanage-port, which
I have tested to work properly on my RHEL 9.5 VM.

This is my first contribution to the SELinux project.

  The added examples demonstrate:
  - Correct MLS range format: s0:c0.c255
  - Complete command syntax with the -r flag for both port and
fcontext operations
  - Clear indication that this is for MLS/MCS systems only
  - Practical use cases (HTTPS port and secure directory)

  This should help users avoid common mistakes with range formatting
and reduce support requests related to unclear error messages.

  Signed-off-by: Pranav Lawate <pran.lawate@gmail.com>
  ---
   python/semanage/semanage-fcontext.8 | 4 ++++
   python/semanage/semanage-port.8     | 2 ++
   2 files changed, 6 insertions(+)

  diff --git a/python/semanage/semanage-fcontext.8
b/python/semanage/semanage-fcontext.8
  index 3a96c62f..3e7a1d8b 100644
  --- a/python/semanage/semanage-fcontext.8
  +++ b/python/semanage/semanage-fcontext.8
  @@ -100,6 +100,10 @@ execute the following commands.
   # semanage fcontext \-a \-e /home /disk6/home
   # restorecon \-R \-v /disk6

  +Add file-context with MLS range s0:c0.c255 for /secure directory
(MLS/MCS systems only)
  +# semanage fcontext \-a \-t admin_home_t \-r s0:c0.c255 "/secure(/.*)?"
  +# restorecon \-R \-v /secure
  +
   .SH "SEE ALSO"
   .BR selinux (8),
   .BR semanage (8),
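
Review bot: The added description `+Add file-context with MLS range s0:c0.c255 for /secure directory` is wrapped, so its continuation `(MLS/MCS systems only)` carries no `+` prefix, and the `diff --git` header above is split the same way; as sent, this hunk will not apply cleanly. Resending with git send-email, or with line wrapping disabled, would fix that. Since the failing input in the cover letter is `s0.c0`, the description could also say what the working form means, for example that `:` separates the sensitivity from its categories and that `c0.c255` spans categories c0 through c255.
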
  diff --git a/python/semanage/semanage-port.8 b/python/semanage/semanage-port.8
  index c6048660..217fa398 100644
  --- a/python/semanage/semanage-port.8
  +++ b/python/semanage/semanage-port.8
  @@ -61,6 +61,8 @@ Allow Apache to listen on tcp port 81 (i.e. assign
tcp port 81 label http_port_t
   # semanage port \-a \-t http_port_t \-p tcp 81
   Allow sshd to listen on tcp port 8991 (i.e. assign tcp port 8991
label ssh_port_t, which sshd is
  allowed to listen on)
   # semanage port \-a \-t ssh_port_t \-p tcp 8991
  +Allow Apache to listen on tcp port 443 with MLS range s0:c0.c255
(MLS/MCS systems only)
  +# semanage port \-a \-t http_port_t \-p tcp \-r s0:c0.c255 443

   .SH "SEE ALSO"
   .BR selinux (8),
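
Review bot: The new description `Allow Apache to listen on tcp port 443 with MLS range s0:c0.c255` drops the "(i.e. assign tcp port ... label ...)" explanation that the two examples above it carry, and it uses port 443 while the port command in the cover letter uses 8888. Suggest following the neighbouring wording and choosing a port that the base policy does not usually assign already, so that `\-a` rather than `\-m` is the matching action. This description line is also wrapped before `(MLS/MCS systems only)`, which loses the `+` prefix.
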
  --

Looking forward to your positive response.

Regards,
Pranav Lawate
Software Maintenance Engineer, RHCE
Red Hat India Pvt. Ltd.
plawate@redhat.com IRC: Pranav
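
An added example, not part of the patch or of semanage itself: a syntax pre-check for the `-r` value that reports the `s0.c0` mistake shown in the message above before the libsepol error chain does. `parse_level` and `parse_range` are hypothetical helpers, and the check assumes the conventional `sN`/`cN` names.

```python
import re

# Assumption: conventional policy names, s<N> for sensitivities and c<N> for
# categories. Whether a given level exists still depends on the loaded policy.
_LEVEL = re.compile(r"^s(\d+)(?::(.+))?$")
_CAT = re.compile(r"^c(\d+)$")


def parse_level(level):
    """Return (sensitivity, frozenset_of_categories) or raise ValueError."""
    m = _LEVEL.match(level)
    if not m:
        hint = ""
        if re.match(r"^s\d+\.c\d+", level):  # the s0.c0 mistake
            hint = "; use ':' before the categories, e.g. s0:c0.c255"
        raise ValueError(f"invalid MLS level {level!r}{hint}")
    cats = set()
    items = m.group(2).split(",") if m.group(2) else []
    for item in items:
        ends = [_CAT.match(e) for e in item.split(".")]
        if len(ends) > 2 or not all(ends):
            raise ValueError(f"invalid category item {item!r} in {level!r}")
        lo, hi = int(ends[0].group(1)), int(ends[-1].group(1))
        if len(ends) == 2 and lo >= hi:
            raise ValueError(f"category span {item!r} must ascend")
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(cats)


def parse_range(text):
    """Parse 'level' or 'low-high'; the high level must dominate the low."""
    parts = text.split("-")
    if len(parts) > 2:
        raise ValueError(f"invalid MLS range {text!r}")
    low = parse_level(parts[0])
    high = parse_level(parts[1]) if len(parts) == 2 else low
    # Dominance: sensitivity not lower, category set a superset.
    if high[0] < low[0] or not low[1] <= high[1]:
        raise ValueError(f"high level does not dominate low level in {text!r}")
    return low, high


if __name__ == "__main__":
    # Constructed inputs: the value from the patch and the one that failed.
    for value in ("s0:c0.c255", "s0.c0"):
        try:
            low, high = parse_range(value)
            print(value, "ok:", len(high[1]), "categories")
        except ValueError as err:
            print(value, "rejected:", err)
```
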

* Re: [PATCH] semanage man pages: Add examples for -r RANGE flag usage
  2025-09-11 18:48 [PATCH] semanage man pages: Add examples for -r RANGE flag usage Pranav Lawate
@ 2025-09-29  8:56 ` Pranav Lawate
  0 siblings, 0 replies; 2+ messages in thread
From: Pranav Lawate @ 2025-09-29  8:56 UTC
  To: selinux; +Cc: Pranav Lawate, Vit Mojzis

Hello,

This is a gentle reminder mail to check if there was any progress.
It's been around 17 days now, just wanted to check if someone has time
to consider this patch.

Regards,
Pranav Lawate
Software Maintenance Engineer, RHCE
Red Hat India Pvt. Ltd.
plawate@redhat.com IRC: Pranav

On Fri, Sep 12, 2025 at 12:18 AM Pranav Lawate <plawate@redhat.com> wrote:
>
> Hello,
>  This patch adds missing examples to the semanage-port and
> semanage-fcontext man pages showing the correct usage of the -r RANGE
> flag for MLS/MCS systems. Currently, users who try to use the -r flag
> without proper examples often encounter unclear error messages when
> they provide invalid range formats.
>
> For example, here is a command with a wrong range string value:
> ~~~
> # semanage fcontext -a -t admin_home_t -r s0.c0 /root/test
> libsepol.mls_from_string: invalid MLS context s0.c0 (No such file or directory).
> libsepol.mls_from_string: could not construct mls context structure
> (No such file or directory).
> libsepol.context_from_record: could not create context structure
> (Invalid argument).
> libsemanage.validate_handler: invalid context
> system_u:object_r:admin_home_t:s0.c0 specified for /root/test [all
> files] (Invalid argument).
> libsemanage.dbase_llist_iterate: could not iterate over records
> (Invalid argument).
> OSError: Invalid argument
> ~~~
> Similarly for port:
> ~~~
> # semanage port -a -t http_port_t -p tcp -r s0.c0 8888
> libsepol.mls_from_string: invalid MLS context s0.c0 (No such file or directory).
> libsepol.mls_from_string: could not construct mls context structure
> (No such file or directory).
> libsepol.context_from_record: could not create context structure
> (Invalid argument).
> libsepol.port_from_record: could not create port structure for range
> 8888:8888 (tcp) (Invalid argument).
> libsepol.sepol_port_modify: could not load port range 8888 - 8888
> (tcp) (Invalid argument).
> libsemanage.dbase_policydb_modify: could not modify record value
> (Invalid argument).
> libsemanage.semanage_base_merge_components: could not merge local
> modifications into policy (Invalid argument).
> OSError: Invalid argument
> ~~~
>
> My main motive is to come up with logic to handle this error better,
> but before undertaking that big of a change I wanted to push a small
> improvement to the code, and so I have added correct example strings of
> MLS range into the man pages for semanage-fcontext and semanage-port, which
> I have tested to work properly on my RHEL 9.5 VM.
>
> This is my first contribution to the SELinux project.
>
>   The added examples demonstrate:
>   - Correct MLS range format: s0:c0.c255
>   - Complete command syntax with the -r flag for both port and
> fcontext operations
>   - Clear indication that this is for MLS/MCS systems only
>   - Practical use cases (HTTPS port and secure directory)
>
>   This should help users avoid common mistakes with range formatting
> and reduce support requests related to unclear error messages.
>
>   Signed-off-by: Pranav Lawate <pran.lawate@gmail.com>
>   ---
>    python/semanage/semanage-fcontext.8 | 4 ++++
>    python/semanage/semanage-port.8     | 2 ++
>    2 files changed, 6 insertions(+)
>
>   diff --git a/python/semanage/semanage-fcontext.8
> b/python/semanage/semanage-fcontext.8
>   index 3a96c62f..3e7a1d8b 100644
>   --- a/python/semanage/semanage-fcontext.8
>   +++ b/python/semanage/semanage-fcontext.8
>   @@ -100,6 +100,10 @@ execute the following commands.
>    # semanage fcontext \-a \-e /home /disk6/home
>    # restorecon \-R \-v /disk6
>
>   +Add file-context with MLS range s0:c0.c255 for /secure directory
> (MLS/MCS systems only)
>   +# semanage fcontext \-a \-t admin_home_t \-r s0:c0.c255 "/secure(/.*)?"
>   +# restorecon \-R \-v /secure
>   +
>    .SH "SEE ALSO"
>    .BR selinux (8),
>    .BR semanage (8),
>   diff --git a/python/semanage/semanage-port.8 b/python/semanage/semanage-port.8
>   index c6048660..217fa398 100644
>   --- a/python/semanage/semanage-port.8
>   +++ b/python/semanage/semanage-port.8
>   @@ -61,6 +61,8 @@ Allow Apache to listen on tcp port 81 (i.e. assign
> tcp port 81 label http_port_t
>    # semanage port \-a \-t http_port_t \-p tcp 81
>    Allow sshd to listen on tcp port 8991 (i.e. assign tcp port 8991
> label ssh_port_t, which sshd is
>   allowed to listen on)
>    # semanage port \-a \-t ssh_port_t \-p tcp 8991
>   +Allow Apache to listen on tcp port 443 with MLS range s0:c0.c255
> (MLS/MCS systems only)
>   +# semanage port \-a \-t http_port_t \-p tcp \-r s0:c0.c255 443
>
>    .SH "SEE ALSO"
>    .BR selinux (8),
>   --
>
> Looking forward to your positive response.
>
> Regards,
> Pranav Lawate
> Software Maintenance Engineer, RHCE
> Red Hat India Pvt. Ltd.
> plawate@redhat.com IRC: Pranav