Warren Young wrote:
> On May 8, 2019, at 9:31 AM, mark <m.roth at 5-cent.us> wrote:
>
>> semanage -fcontext -a -t lib_t "/<elided>/smwa/webagent/bin(/.*).so"
>
> [snip]
>
>> What am I doing wrong?
>>
<snip>
> Also, I'm confused by the parens in your file path. Whether your shell
> is or not is a different question.

I'm following the manpage, semanage-fcontext, example as much as possible.

EXAMPLE
       remember to run restorecon after you set the file context
       Add file-context for everything under /web
       # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # restorecon -R -v /web

If semanage worked "normally", I'd have been able to do

semanage fcontext -m -t lib_t "/path/smwa/webagent/bin/*.so"

Hmmm, didn't complain when I did that... but they're still bin_t, not lib_t.

On the selinux list, I was asked for the context of the directory, which is bin_t, which might be correct... if the idiots of CA had a ./lib directory, which they do not. Windows turkeys....

       mark
On May 8, 2019, at 11:04 AM, mark <m.roth at 5-cent.us> wrote:
>
> semanage fcontext -m -t lib_t "/path/smwa/webagent/bin/*.so"

Glob expansion doesn't happen in double quotes. Not in Bash, anyway.
Warren Young wrote:
> On May 8, 2019, at 11:04 AM, mark <m.roth at 5-cent.us> wrote:
>
>>
>> semanage fcontext -m -t lib_t "/path/smwa/webagent/bin/*.so"
>
> Glob expansion doesn't happen in double quotes. Not in Bash, anyway.

Huh? I thought it didn't occur in single quotes, but did occur in quotes. Odd, I'm seeing it doesn't, at least in a basic test.

On the other hand, from the example in the man page, semanage insists on having the filespec in quotes.

       mark
Jonathan Billings
2019-May-08 20:47 UTC
[CentOS] Issues trying to change the selinux context
On Wed, May 08, 2019 at 01:04:02PM -0400, mark wrote:
> Hmmm, didn't complain when I did that... but they're still bin_t, not lib_t.

'semanage fcontext ...' updates the policy, but doesn't actually change the context on the paths (which may or may not even exist at the time the command runs).

Run 'restorecon -r -v /your/path/with/actual/files' to reassign the selinux attributes to reflect the new fcontext policy.

--
Jonathan Billings <billings at negate.org>
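
An added example, not part of the thread: the file spec given to `semanage fcontext` is a regular expression matched against the whole path, so this sketch compares the glob-style spec with a regex one, then lists the policy-then-relabel sequence from the last reply as comments. The helpers `spec_matches` and `report`, the sample file names, and the use of `grep -Ex` as an approximation of the matching are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample paths below are constructed.

# Approximate file-context matching: the spec is a regular expression that
# must match the entire path (grep -x); it is never expanded as a shell glob.
spec_matches() {   # usage: spec_matches SPEC PATH
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Print, for each path, whether the spec would select it.
report() {         # usage: report SPEC PATH...
    spec=$1; shift
    for p in "$@"; do
        if spec_matches "$spec" "$p"; then
            verdict='match   '
        else
            verdict='no match'
        fi
        printf '%s  %-32s %s\n' "$verdict" "$spec" "$p"
    done
}

LIB=/path/smwa/webagent/bin/libexample.so    # constructed sample file
TOOL=/path/smwa/webagent/bin/example-tool    # constructed sample file

# Glob syntax read as a regex: "/*" is "zero or more slashes" and ".so" is
# "any one character, then so", so no real library name is selected.
report '/path/smwa/webagent/bin/*.so' "$LIB" "$TOOL"

# Regex form of "every .so directly under bin".
report '/path/smwa/webagent/bin/.*\.so' "$LIB" "$TOOL"

# On an SELinux host, as root: add the rule, relabel, then verify.
#   semanage fcontext -a -t lib_t '/path/smwa/webagent/bin/.*\.so'
#   restorecon -R -v /path/smwa/webagent/bin
#   matchpathcon /path/smwa/webagent/bin/libexample.so   # policy's answer
#   ls -Z /path/smwa/webagent/bin                        # label on disk
```

If `matchpathcon` already reports `lib_t` while `ls -Z` still shows `bin_t`, the rule is in the policy and only the relabel step is missing.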