Re: file context not being set on el7

[Petr Lautrbach <plautrba@xxxxxxxxxx>]

Ted Toth <txtoth@xxxxxxxxx> writes:

> On Fri, Sep 21, 2018 at 7:21 AM Ted Toth <txtoth@xxxxxxxxx> 
> wrote:
>
> > On Fri, Sep 21, 2018 at 3:58 AM Petr Lautrbach 
> > <plautrba@xxxxxxxxxx>
> > wrote:
> >
> > > Ted Toth <txtoth@xxxxxxxxx> writes:
> > >
> > > > I have something very much like the following in an fc file:
> > > > /usr/lib64/python2\.(6|7)/site-packages/xyz/paste     --
> > > > gen_context(system_u:object_r:jxyz_exec_t,s0)
> > > >
> > > > and I use the same file on el6 and el7. On el6 the file is
> > > > labeled as
> > > > specified in the python2.6 directory. However on el7 where 
> > > > the
> > > > file gets
> > > > installed into python2.7 the file is not labeled correctly. 
> > > > On
> > > > el7
> > > > `semanage fcontext -l | grep xyz` shows the file context
> > > > expected but
> > > > `matchpathcon /usr/lib64/python2.7/site-packages/xyz/paste` 
> > > > does
> > > > not return
> > > > the expected context and `restorecon -RFv
> > > > /usr/lib64/python2.7/site-packages/xyz` has no affect. The 
> > > > type
> > > > xyz_exec_t
> > > > exists on both systems. It's probably something stupid I'm 
> > > > doing
> > > > but I'm
> > > > just not seeing it. Has anyone else experienced similar 
> > > > issues?
> > > >
> > >
> > > There's equivalency rule /usr/lib64 -> /usr/lib on el7:
> > >
> > > # semanage fcontext -a -t tmp_t
> > >   '/usr/lib64/python2\.(6|7)/site-packages/xyz/paste'
> > >
> > > ValueError: File spec
> > > /usr/lib64/python2\.(6|7)/site-packages/xyz/paste conflicts 
> > > with
> > > equivalency rule '/usr/lib64 /usr/lib'; Try adding
> > > '/usr/lib/python2\.(6|7)/site-packages/xyz/paste' instead
> > >
> > >
> > > # semanage fcontext -a -t tmp_t
> > >   '/usr/lib/python2\.(6|7)/site-packages/xyz/paste'
> > >
> > > # matchpathcon /usr/lib64/python2.7/site-packages/xyz/paste
> > > /usr/lib64/python2.7/site-packages/xyz/paste
> > > system_u:object_r:tmp_t:s0
> > >
> > >
> > > Petr
> >
> > Thanks, where is this equivalency rule defined/documented?

You can see them at the end of 'semanage fcontext -l' output:

SELinux Distribution fcontext Equivalence 

/usr/local/lib64 = /usr/lib
/etc/systemd/system = /usr/lib/systemd/system
/run/systemd/system = /usr/lib/systemd/system
/run/systemd/generator = /usr/lib/systemd/system
/var/home = /home
/sbin = /usr/sbin
/var/roothome = /root
/usr/lib64 = /usr/lib
/var/lib/xguest/home = /home
/var/named/chroot/lib64 = /usr/lib
/var/named/chroot/usr/lib64 = /usr/lib
/run = /var/run
/usr/local/lib32 = /usr/lib
/lib64 = /usr/lib
/lib = /usr/lib
/run/lock = /var/lock


> /usr/lib(64)?/python... doesn't work either how can I make it 
> backward
> compatible?

'/usr/lib(64)?/python2\.(6|7)/site-packages/xyz/paste'  works for 
me on
both el6 and el7.

Petr
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.