LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   what do selinux can't apply partial context to unlabeled file /usr/local/nagios/sbin/ (https://www.linuxquestions.org/questions/linux-server-73/what-do-selinux-cant-apply-partial-context-to-unlabeled-file-usr-local-nagios-sbin-948967/)

parthipan 06-07-2012 02:17 AM
what do selinux can't apply partial context to unlabeled file /usr/local/nagios/sbin/
 
Instead of disabling SELinux or setting it to permissive mode, you can use the following command to run the CGIs under SELinux enforcing/targeted mode:

[root@localhost ~]# chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/

chcon: can't apply partial context to unlabeled file /usr/local/nagios/sbin/

how to solve this problem?

when i provide
Code:
[root@localhost ~]# getenforce
Disabled
[root@localhost ~]# setenforce 0
setenforce: SELinux is disabled
i tried in many ways
Code:
[root@localhost ~]# cd /usr/local/nagios/sbin
[root@localhost sbin]# ls -Z
-rwxrwxr-x  nagios nagios                                  avail.cgi
-rwxrwxr-x  nagios nagios                                  cmd.cgi
-rwxrwxr-x  nagios nagios                                  config.cgi
-rwxrwxr-x  nagios nagios                                  extinfo.cgi
-rwxrwxr-x  nagios nagios                                  histogram.cgi
-rwxrwxr-x  nagios nagios                                  history.cgi
-rwxrwxr-x  nagios nagios                                  notifications.cgi
-rwxrwxr-x  nagios nagios                                  outages.cgi
-rwxrwxr-x  nagios nagios                                  showlog.cgi
-rwxrwxr-x  nagios nagios                                  status.cgi
-rwxrwxr-x  nagios nagios                                  statusmap.cgi
-rwxrwxr-x  nagios nagios                                  statuswml.cgi
-rwxrwxr-x  nagios nagios                                  statuswrl.cgi
-rwxrwxr-x  nagios nagios                                  summary.cgi
-rwxrwxr-x  nagios nagios                                  tac.cgi
-rwxrwxr-x  nagios nagios                                  trends.cgi
[root@localhost sbin]# chcon -t httpd_sys_script_exec_t *.cgi
chcon: can't apply partial context to unlabeled file avail.cgi
chcon: can't apply partial context to unlabeled file cmd.cgi
chcon: can't apply partial context to unlabeled file config.cgi
chcon: can't apply partial context to unlabeled file extinfo.cgi
chcon: can't apply partial context to unlabeled file histogram.cgi
chcon: can't apply partial context to unlabeled file history.cgi
chcon: can't apply partial context to unlabeled file notifications.cgi
chcon: can't apply partial context to unlabeled file outages.cgi
chcon: can't apply partial context to unlabeled file showlog.cgi
chcon: can't apply partial context to unlabeled file status.cgi
chcon: can't apply partial context to unlabeled file statusmap.cgi
chcon: can't apply partial context to unlabeled file statuswml.cgi
chcon: can't apply partial context to unlabeled file statuswrl.cgi
chcon: can't apply partial context to unlabeled file summary.cgi
chcon: can't apply partial context to unlabeled file tac.cgi
chcon: can't apply partial context to unlabeled file trends.cgi
[root@localhost sbin]# ls -Z
-rwxrwxr-x  nagios nagios                                  avail.cgi
-rwxrwxr-x  nagios nagios                                  cmd.cgi
-rwxrwxr-x  nagios nagios                                  config.cgi
-rwxrwxr-x  nagios nagios                                  extinfo.cgi
-rwxrwxr-x  nagios nagios                                  histogram.cgi
-rwxrwxr-x  nagios nagios                                  history.cgi
-rwxrwxr-x  nagios nagios                                  notifications.cgi
-rwxrwxr-x  nagios nagios                                  outages.cgi
-rwxrwxr-x  nagios nagios                                  showlog.cgi
-rwxrwxr-x  nagios nagios                                  status.cgi
-rwxrwxr-x  nagios nagios                                  statusmap.cgi
-rwxrwxr-x  nagios nagios                                  statuswml.cgi
-rwxrwxr-x  nagios nagios                                  statuswrl.cgi
-rwxrwxr-x  nagios nagios                                  summary.cgi
-rwxrwxr-x  nagios nagios                                  tac.cgi
-rwxrwxr-x  nagios nagios                                  trends.cgi
[root@localhost sbin]#
[root@localhost sbin]#
[root@localhost sbin]#
[root@localhost sbin]# chcon -t httpd_sys_script_exec_t *.cgi
chcon: can't apply partial context to unlabeled file avail.cgi
chcon: can't apply partial context to unlabeled file cmd.cgi
chcon: can't apply partial context to unlabeled file config.cgi
chcon: can't apply partial context to unlabeled file extinfo.cgi
chcon: can't apply partial context to unlabeled file histogram.cgi
chcon: can't apply partial context to unlabeled file history.cgi
chcon: can't apply partial context to unlabeled file notifications.cgi
chcon: can't apply partial context to unlabeled file outages.cgi
chcon: can't apply partial context to unlabeled file showlog.cgi
chcon: can't apply partial context to unlabeled file status.cgi
chcon: can't apply partial context to unlabeled file statusmap.cgi
chcon: can't apply partial context to unlabeled file statuswml.cgi
chcon: can't apply partial context to unlabeled file statuswrl.cgi
chcon: can't apply partial context to unlabeled file summary.cgi
chcon: can't apply partial context to unlabeled file tac.cgi
chcon: can't apply partial context to unlabeled file trends.cgi
[root@localhost sbin]#

kbp 06-07-2012 02:32 AM
Try editing /etc/sysconfig/selinux and changing it to 'permissive', then
Code:
touch /.autorelabel
reboot
Once rebooted you probably want to add the file context using
Code:
semanage fcontext -a -t httpd_sys_content_t /usr/local/nagios/sbin
then
Code:
restorecon -r /usr/local/nagios/sbin

unSpawn 06-07-2012 03:39 AM
A partial context can't be set if a file is unlabeled. So without setting SELinux to permissive, without autorelabeling and without first setting a fcontext, I would first run 'restorecon -FRvvn /usr/local/nagios/sbin/' to make it show what it would set the context to. (It'll probably default to system_u:object_r:usr_t.) If that's the case then you should be able to 'chcon -u system_u -r object_r -t usr_t -R /usr/local/nagios' and 'chcon -u system_u -r object_r -t httpd_sys_script_exec_t /usr/local/nagios/sbin/*.cgi' before storing changes with 'semanage'. Also note that you shouldn't 'semanage fcontext' "httpd_sys_content_t" on /usr/local/nagios/sbin if the directory contains more than only CGI files and to apply to a context to CGI files alone IIRC the right invocation would be
'semanage fcontext -a -f -- -t httpd_sys_content_t /usr/local/nagios/sbin/.*\.cgi'. Running 'semanage fcontext -l |grep 'local/nagios/sbin';' afterwards should show if it stuck.

ericson007 06-07-2012 07:15 AM
You are getting the error probably because you have disabled SElinux. So all labels are removed. This is shown by your ls command as well since there is not a period after the permissions. (e.g. rwxrwxrwx.) Since the files do not have labels, how can you add a label. You will have to enable selinux and then relable all files (auto way is to reboot) note this may take a while. After it is re enabled, you should be able to set the labels again.



Moderator note: merged from OP's duplicate thread.


All times are GMT -5. The time now is 07:09 PM.