Stephen Smalley wrote:
> On 5/8/19 1:05 PM, mark wrote:
>
>> Thomas wrote:
>>
>>> Imho: longest path match wins.
>>>
>>> can you show your fcontext rules regarding that directory?
>>>
>>> tip: with `matchpathcon /path/...` you can try any path what context
>>> it would get (existing or not (yet) existing paths) without changing
>>> anything on the fs.
>>>
>> Ah, thanks. Did that, and the /<path>/smwa/webagent/bin is bin_t. Now,
>> that might be right... but the idiots of CA, who only know Windows, do
>> not have a ./lib, and all the .so's are in the bin directory... Am I
>> going to have to live with that?
>
> Fully specified pathnames (i.e. no regexes) win. But locally-added file
> contexts entries should take precedence over system-provided ones anyway
> IIRC. What does setfiles -d
> /etc/selinux/targeted/contexts/files/file_contexts
> /<path>/smwa/webagent/bin/foo.so report? Note by the way that your
> regex only matches things that end in .so, so /path/smwa/webagent/bin
> itself wouldn't match. Also note that you should escape the dot (\.so) if
> you want it literally and not the regex match-any character.
>
Ok, I just looked, and it looks like the last semanage command,

    semanage fcontext -a -t lib_t "/<path>/smwa/webagent/bin/*.so"

followed by the restorecon worked.

My original attempt was trying to use the example in the manpage, and that
didn't work when I only wanted to change the context of the .so's. It would
be good to see another example in the manpage for semanage-fcontext that
shows how to do what I wanted - not change everything in a directory, but
just a subset.

Thanks to all.
mark
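
Added example, not part of the thread: a small Python model of the two points in Stephen Smalley's reply (a spec that ends in .so does not match the directory itself, and an unescaped dot matches any character), also run against a shell-glob style spec. It assumes a spec is a regex anchored at both ends of the path, uses `/opt/example` as a constructed stand-in for the elided `/<path>`, and ignores file-type flags and rule precedence; the function names are hypothetical.

```python
import re

# Constructed stand-in for the thread's elided "/<path>" prefix.
BASE = "/opt/example/smwa/webagent/bin"

# Candidate file-context specs, written the way semanage fcontext takes them.
SPECS = {
    "whole_tree": BASE + r"(/.*)?",    # the directory and everything below it
    "glob_style": BASE + "/*.so",      # shell-glob habit, read as a regex
    "unescaped_dot": BASE + "/.*.so",  # '.' before "so" matches any character
    "escaped_dot": BASE + r"/.*\.so",  # only names ending in a literal ".so"
}

# Constructed sample paths.
PATHS = [BASE, BASE + "/foo.so", BASE + "/agent", BASE + "/fooXso"]


def spec_matches(spec, path):
    """Assumption: the spec is a regex anchored at both ends of the path."""
    return re.fullmatch(spec, path) is not None


def coverage(specs=SPECS, paths=PATHS):
    """Map each spec name to the sample paths it would label."""
    return {name: [p for p in paths if spec_matches(spec, p)]
            for name, spec in specs.items()}


def lint(spec):
    """Flag glob habits that change meaning when the spec is a regex."""
    warnings = []
    if "/*" in spec:
        warnings.append("'/*' repeats the slash; use '/.*' for any name")
    if re.search(r"(?<!\\)\.(?=[A-Za-z0-9]+$)", spec):
        warnings.append("unescaped '.' before the extension; use '\\.'")
    return warnings


if __name__ == "__main__":
    for name, matched in coverage().items():
        print(f"{name:14} {SPECS[name]}")
        for path in matched:
            print(f"{'':14}   labels {path}")
        for warning in lint(SPECS[name]):
            print(f"{'':14}   warning: {warning}")
```

On a real system, `matchpathcon` (mentioned earlier in the thread) reports the context a path would actually get, including precedence between rules, which this model leaves out.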