SELinux – Invalid Regex in /etc/selinux/targeted/contexts/files/file_context

So I have been doing my best to better understand SELinux as of late, and last night when I was practicing I ran into an issue that had me banging my head against my desk.

Specifically, I was playing around with the semanage command and working on assigning a particular context to a directory that I had just created. However, I was not quite sure of the exact regex to use (or even whether I needed a regex at all).

The specific command that I ran was…

# semanage fcontext -a -t httpd_sys_content_t /var/www2

Now my concern was that this was not the correct command for me to run, since www2 was a directory and I wanted to make sure that the appropriate SELinux contexts were applied recursively as new files and directories were created. So I ran the following command, which I found in my RHEL book.

# semanage fcontext -a -t httpd_sys_content_t '/var/www2/html(*,/)'

which spits out this:

/etc/selinux/targeted/contexts/files/file_contexts.local:  line 13 has invalid regex /var/www2/html(*,/):  Invalid preceding regular expression

Oops, wait, I entered the command wrong. It's a period at the end, not a comma, so I run the command again with a period this time and get the following error.

# semanage fcontext -a -t httpd_sys_content_t '/var/www2/html(*./)'
/etc/selinux/targeted/contexts/files/file_contexts.local:  line 13 has invalid regex /var/www2/html(*,/):  Invalid preceding regular expression
/etc/selinux/targeted/contexts/files/file_contexts.local:  line 14 has invalid regex /var/www2/html(*./):  Invalid preceding regular expression

Well crap, it's still not correct. So I enter this command and get another error.

# semanage fcontext -a -t httpd_sys_content_t "/var/www2/html(/.*)?"

So at this point I start running all sorts of variations of the command with minor syntax changes, getting an error each time and getting more and more frustrated, thinking that I am still not running the command correctly.

However this is not actually the case.

After I take a step back and cool off, I actually take the time to read the error message, which is pointing me to the file file_contexts.local. Upon further inspection, that file actually contains each and every regex that I just ran, regardless of whether the regex was correct.

# cat /etc/selinux/targeted/contexts/files/file_contexts.local | grep www2
/var/www2    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(/,*)?    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(/,*)    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html    system_u:object_r:httpd_sys_content_t:s0
/var/www2(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(*,/)    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(*./)    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(/.*)?    system_u:object_r:httpd_sys_content_t:s0

In a nutshell: the semanage command added each context-to-file/directory mapping despite the fact that my regex was not correct, and only then gave me an error. So each time I ran the command with an invalid regex, another entry was added and the error message grew. One would think that it would detect the regex error first and not add it to the file.

Anyway, the fix was to identify all the bad lines in the file from the error message and run the following command against each entry.

# semanage fcontext -d "/var/www2/html(*,/)?"

Once I had cleaned the offending entries out of the file, I was able to run the command one last time, this time using the correct syntax, and it was error-free.
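The cleanup above can be scripted: parse file_contexts.local, try to compile each regex, and emit one `semanage fcontext -d` per bad line. This is an added example (not the post's or the SELinux project's code); the file content is a constructed sample modelled on the listing above, and Python's `re` is only a stand-in for the regex engine libselinux uses.

```python
import re
import shlex

# Constructed sample of file_contexts.local mirroring the entries the post
# shows (assumed content, not copied from a real system).
FILE_CONTEXTS_LOCAL = """\
/var/www2    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(/,*)?    system_u:object_r:httpd_sys_content_t:s0
/var/www2(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(*,/)    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(*./)    system_u:object_r:httpd_sys_content_t:s0
/var/www2/html(/.*)?    system_u:object_r:httpd_sys_content_t:s0
"""

def parse_entries(text):
    """Yield (lineno, regex, ftype, context) per non-blank, non-comment line.
    Line format: <regex> [<file type, e.g. -d or -->] <security context>."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, ftype, context = fields
        else:
            raise ValueError(f"line {lineno}: unexpected field count: {line!r}")
        yield lineno, regex, ftype, context

def invalid_regexes(text):
    """Return [(lineno, regex, reason)] for lines whose regex fails to compile.
    Python's re stands in for the engine libselinux uses: the dialects differ,
    but both reject the '(*...' patterns from the post."""
    bad = []
    for lineno, regex, _ftype, _context in parse_entries(text):
        try:
            re.compile(regex)
        except re.error as exc:
            bad.append((lineno, regex, str(exc)))
    return bad

def cleanup_commands(text):
    """Build one 'semanage fcontext -d' command per invalid entry, shell-quoting
    the regex so metacharacters such as '*' and '(' reach semanage untouched."""
    return [f"semanage fcontext -d {shlex.quote(regex)}"
            for _lineno, regex, _reason in invalid_regexes(text)]
```

Run it against the real file with `invalid_regexes(open("/etc/selinux/targeted/contexts/files/file_contexts.local").read())` and review the generated commands before executing them.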

RHEL6 – SELinux Modes and Contexts

SELinux, or Security-Enhanced Linux as it's known by the guy who invented it, is a Linux feature that provides an additional level of security by setting rules for which processes can access which files, directories, ports, etc.

Display and Modify SELinux Modes:

You can use /etc/sysconfig/selinux to change the default SELinux mode at boot, and the setenforce command can be used to switch between enforcing and permissive mode on the fly. getenforce can be used to determine the current SELinux mode.

# getenforce
Enforcing

Display SELinux Contexts:

Under SELinux, every file, process, directory, or port is assigned a special security label called a context.

To view the contexts assigned to a file or directory, use the '-Z' option. Coupled with 'ls' or 'ps', this is a formidable option.

To view a list of all possible assigned contexts use semanage.

# semanage fcontext -l

Modify SELinux Contexts:

For example, let's create two test files in /tmp called testfile1 and testfile2, and then check their contexts.

# ls -lZ test*
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 testfile1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 testfile2

Now compare this to the default context assigned to Apache content.

# ls -ldZ /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html

So let's say that I want to move testfile1 to /var/www/html and make it accessible via a web browser; in order to do this I must assign the correct context to the file using the restorecon command.

# restorecon -Rv /var/www/html

The command above restores the contexts, or, better put, allows the test files to pick up the contexts assigned to the parent directory, which in this case is /var/www/html/.

Add SELinux Contexts:

Now let's say that you need to add a directory and apply a context directly to that directory, instead of allowing a context to be inherited. For example, let's say that I need to set up an Apache virtual server under /virtual_server2, so let's first create the directory and a simple index.html.

# mkdir /virtual_server2
# vi /virtual_server2/index.html
# ls -Zd /virtual_server2
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /virtual_server2

# ls -Zd /virtual_server2/index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /virtual_server2/index.html

Now we need to set and apply the correct HTTP content context to /virtual_server2 and its contents (say that five times fast).

# semanage fcontext -a -f "" -t httpd_sys_content_t '/virtual_server2(/.*)?'

# restorecon -RFvvv /virtual_server2/

restorecon reset /virtual_server2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /virtual_server2/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

Now that our context is correct, Apache should have no issue serving up our new content (once configured on the Apache side).

# ls -Zd /virtual_server2/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /virtual_server2/
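Why the rule needs the `(/.*)?` suffix, and what restorecon then changes, as an added example (not from the post) with constructed rule tables and labels. It relies on one fact about libselinux, that every file_contexts regex is anchored and matched against the whole path; the "last matching rule wins" ordering is a simplification assumed here, not libselinux's exact algorithm.

```python
import re

# Constructed rule tables (assumed for illustration, not a real file_contexts):
# a catch-all default plus the rule for /virtual_server2, written two ways.
RULES_DIR_ONLY = [
    ("/.*", "default_t"),
    ("/virtual_server2", "httpd_sys_content_t"),        # the directory only
]
RULES_RECURSIVE = [
    ("/.*", "default_t"),
    ("/virtual_server2(/.*)?", "httpd_sys_content_t"),  # directory and contents
]

# Constructed: the types that ls -Zd showed before restorecon ran.
CURRENT_LABELS = {
    "/virtual_server2": "default_t",
    "/virtual_server2/index.html": "default_t",
}

def lookup(path, rules):
    """Return the type the rule table assigns to path, or None.
    libselinux anchors every file_contexts regex (matched as ^regex$), which
    re.fullmatch reproduces. Simplification, assumed here rather than taken
    from libselinux: the last matching rule wins."""
    result = None
    for regex, ctx_type in rules:
        if re.fullmatch(regex, path):
            result = ctx_type
    return result

def relabel_plan(current_labels, rules):
    """List (path, old_type, new_type) for each path whose on-disk type differs
    from the rule table, i.e. what restorecon -v would report as 'reset'."""
    plan = []
    for path, old in current_labels.items():
        new = lookup(path, rules)
        if new is not None and new != old:
            plan.append((path, old, new))
    return plan
```

With the directory-only rule, index.html stays default_t and Apache cannot read it; with the `(/.*)?` form, both entries land on httpd_sys_content_t, matching the two "reset" lines restorecon printed above.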