SELinux issue Full path required for exclude: net:[4026532292]
I am trying to set samba context on directory with following command
and I am not sure what this error is about but I can not set the context on directory.
semanage fcontext -a -t samba_share_t "/common(/.*)?"
error Thrown as follows:
Full path required for exclude: net:[4026532292].
rhel selinux
edited Jul 1 '16 at 14:43
Jeff Schaller
38.9k1053125
asked Jul 1 '16 at 14:28
Sagar
168110
add a comment |
I am trying to set samba context on directory with following command
and I am not sure what this error is about but I can not set the context on directory.
semanage fcontext -a -t samba_share_t "/common(/.*)?"
error Thrown as follows:
Full path required for exclude: net:[4026532292].
rhel selinux
edited Jul 1 '16 at 14:43
Jeff Schaller
38.9k1053125
asked Jul 1 '16 at 14:28
Sagar
168110
add a comment |
I am trying to set samba context on directory with following command
and I am not sure what this error is about but I can not set the context on directory.
semanage fcontext -a -t samba_share_t "/common(/.*)?"
error Thrown as follows:
Full path required for exclude: net:[4026532292].
rhel selinux
edited Jul 1 '16 at 14:43
Jeff Schaller
38.9k1053125
asked Jul 1 '16 at 14:28
Sagar
168110
I am trying to set samba context on directory with following command
and I am not sure what this error is about but I can not set the context on directory.
semanage fcontext -a -t samba_share_t "/common(/.*)?"
error Thrown as follows:
Full path required for exclude: net:[4026532292].
rhel selinux
rhel selinux
edited Jul 1 '16 at 14:43
Jeff Schaller
38.9k1053125
asked Jul 1 '16 at 14:28
Sagar
168110
edited Jul 1 '16 at 14:43
Jeff Schaller
38.9k1053125
asked Jul 1 '16 at 14:28
Sagar
168110
edited Jul 1 '16 at 14:43
Jeff Schaller
38.9k1053125
edited Jul 1 '16 at 14:43
Jeff Schaller
38.9k1053125
edited Jul 1 '16 at 14:43
Jeff Schaller
38.9k1053125
38.9k1053125
asked Jul 1 '16 at 14:28
Sagar
168110
asked Jul 1 '16 at 14:28
Sagar
168110
asked Jul 1 '16 at 14:28
Sagar
168110
168110
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
The error you see is not caused by applying samba_share_t context on /common directory. You can still try restorecon -R /common, and check selinux context is indeed changed. I believe the error originates from previous configurations.
answered Jul 2 '16 at 18:45
JohnKoch
1616
Hi, restorecon eventually works but i would like understand why that error is thrown. What could be the possible miss configuration causing those errors.
– Sagar
Jul 10 '16 at 7:45
add a comment |
It's been over a year since this was asked, but I didn't find an answer online. Let's fix that for the next person. :)
Those errors occur because something has created network namespaces on your machine. If you look at the output of mount you'll see a proc filesystem type mounted somewhere (probably under /run or /var/run) with that number. However, if you look at /proc/mounts like restorecon (and semanage) does, you'll see the same filesystem with "net:[xxx]" as the mount point. Unfortunately, restorecon / semanage have no idea how to deal with that; they just see a path which doesn't start with a / and emits an error.
Why does it do that? If you check out the restorecon source, you'll see that restorecon automatically adds exclude entries for mountpoints which don't have the seclabel mount option set. Same presumably goes for semanage. The seclabel option should be managed by SELinux, I think. What it does is indicates that the filesystem uses xattrs to store the SELinux attributes. That's why those filesystems are being excluded: it doesn't make sense to try to set the context on files when the filesystem doesn't support SELinux contexts.
Great. How do you fix it? The selinux_restorecon() syscall includes a flag - SELINUX_RESTORECON_IGNORE_MOUNTS - which instructs it to not bother with that check, but there doesn't seem to be a way to tell the restorecon or semanage programs to do the same. So, one option is to write your own restorecon program which makes that syscall with the flag to ignore mount labels. That's a pain. :) An easier option I like is to just use a mount context to hide those mount points you're probably not interested in traversing anyway. Contexts cause the problem, so why not fix it with contexts too?
sudo unshare -m sh
umount $( mount | awk '$3~/netns/{print $3}' )
restorecon -rv /some/file
exit
Use unshare -m to create a new mount namespace and run sh (pick your favorite shell here) in that namespace. Then unmount the offending filesystems. In my case with Docker doing this, the filesystems all include netns (and I have no filesystems with that string), so I just pull the matching mountpoints out and pass those to umount. Someone else might need to find and unmount differently, but the idea is the same. Because unshare -m defaults to a private mount namespace, the unmounting doesn't impact anything else on the system - it basically hides the mounts from this process. At that point, I have a shell where those filesystems are not visible. So, when restorecon inspects /proc/self/mounts (it technically opens /proc/mounts, but for backwards compatibility that's a link to /proc/self/mounts on systems which support mount namespaces) in the namespace it inherits from the shell, it's able to run with no problems.
If you find yourself doing this often, it would probably make sense to put the umount and restorecon into a shell script and just run that with restorecon instead of starting a shell.
answered Dec 18 '17 at 23:16
dannysauer
83748
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f293317%2fselinux-issue-full-path-required-for-exclude-net4026532292%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
The error you see is not caused by applying samba_share_t context on /common directory. You can still try restorecon -R /common, and check selinux context is indeed changed. I believe the error originates from previous configurations.
answered Jul 2 '16 at 18:45
JohnKoch
1616
Hi, restorecon eventually works but i would like understand why that error is thrown. What could be the possible miss configuration causing those errors.
– Sagar
Jul 10 '16 at 7:45
add a comment |
The error you see is not caused by applying samba_share_t context on /common directory. You can still try restorecon -R /common, and check selinux context is indeed changed. I believe the error originates from previous configurations.
answered Jul 2 '16 at 18:45
JohnKoch
1616
Hi, restorecon eventually works but i would like understand why that error is thrown. What could be the possible miss configuration causing those errors.
– Sagar
Jul 10 '16 at 7:45
add a comment |
The error you see is not caused by applying samba_share_t context on /common directory. You can still try restorecon -R /common, and check selinux context is indeed changed. I believe the error originates from previous configurations.
answered Jul 2 '16 at 18:45
JohnKoch
1616
The error you see is not caused by applying samba_share_t context on /common directory. You can still try restorecon -R /common, and check selinux context is indeed changed. I believe the error originates from previous configurations.
answered Jul 2 '16 at 18:45
JohnKoch
1616
answered Jul 2 '16 at 18:45
JohnKoch
1616
answered Jul 2 '16 at 18:45
JohnKoch
1616
answered Jul 2 '16 at 18:45
JohnKoch
1616
1616
Hi, restorecon eventually works but i would like understand why that error is thrown. What could be the possible miss configuration causing those errors.
– Sagar
Jul 10 '16 at 7:45
add a comment |
Hi, restorecon eventually works but i would like understand why that error is thrown. What could be the possible miss configuration causing those errors.
– Sagar
Jul 10 '16 at 7:45
Hi, restorecon eventually works but i would like understand why that error is thrown. What could be the possible miss configuration causing those errors.
– Sagar
Jul 10 '16 at 7:45
Hi, restorecon eventually works but i would like understand why that error is thrown. What could be the possible miss configuration causing those errors.
– Sagar
Jul 10 '16 at 7:45
add a comment |
It's been over a year since this was asked, but I didn't find an answer online. Let's fix that for the next person. :)
Those errors occur because something has created network namespaces on your machine. If you look at the output of mount you'll see a proc filesystem type mounted somewhere (probably under /run or /var/run) with that number. However, if you look at /proc/mounts like restorecon (and semanage) does, you'll see the same filesystem with "net:[xxx]" as the mount point. Unfortunately, restorecon / semanage have no idea how to deal with that; they just see a path which doesn't start with a / and emits an error.
Why does it do that? If you check out the restorecon source, you'll see that restorecon automatically adds exclude entries for mountpoints which don't have the seclabel mount option set. Same presumably goes for semanage. The seclabel option should be managed by SELinux, I think. What it does is indicates that the filesystem uses xattrs to store the SELinux attributes. That's why those filesystems are being excluded: it doesn't make sense to try to set the context on files when the filesystem doesn't support SELinux contexts.
Great. How do you fix it? The selinux_restorecon() syscall includes a flag - SELINUX_RESTORECON_IGNORE_MOUNTS - which instructs it to not bother with that check, but there doesn't seem to be a way to tell the restorecon or semanage programs to do the same. So, one option is to write your own restorecon program which makes that syscall with the flag to ignore mount labels. That's a pain. :) An easier option I like is to just use a mount context to hide those mount points you're probably not interested in traversing anyway. Contexts cause the problem, so why not fix it with contexts too?
sudo unshare -m sh
umount $( mount | awk '$3~/netns/{print $3}' )
restorecon -rv /some/file
exit
Use unshare -m to create a new mount namespace and run sh (pick your favorite shell here) in that namespace. Then unmount the offending filesystems. In my case with Docker doing this, the filesystems all include netns (and I have no filesystems with that string), so I just pull the matching mountpoints out and pass those to umount. Someone else might need to find and unmount differently, but the idea is the same. Because unshare -m defaults to a private mount namespace, the unmounting doesn't impact anything else on the system - it basically hides the mounts from this process. At that point, I have a shell where those filesystems are not visible. So, when restorecon inspects /proc/self/mounts (it technically opens /proc/mounts, but for backwards compatibility that's a link to /proc/self/mounts on systems which support mount namespaces) in the namespace it inherits from the shell, it's able to run with no problems.
If you find yourself doing this often, it would probably make sense to put the umount and restorecon into a shell script and just run that with restorecon instead of starting a shell.
answered Dec 18 '17 at 23:16
dannysauer
83748
add a comment |
It's been over a year since this was asked, but I didn't find an answer online. Let's fix that for the next person. :)
Those errors occur because something has created network namespaces on your machine. If you look at the output of mount you'll see a proc filesystem type mounted somewhere (probably under /run or /var/run) with that number. However, if you look at /proc/mounts like restorecon (and semanage) does, you'll see the same filesystem with "net:[xxx]" as the mount point. Unfortunately, restorecon / semanage have no idea how to deal with that; they just see a path which doesn't start with a / and emits an error.
Why does it do that? If you check out the restorecon source, you'll see that restorecon automatically adds exclude entries for mountpoints which don't have the seclabel mount option set. Same presumably goes for semanage. The seclabel option should be managed by SELinux, I think. What it does is indicates that the filesystem uses xattrs to store the SELinux attributes. That's why those filesystems are being excluded: it doesn't make sense to try to set the context on files when the filesystem doesn't support SELinux contexts.
Great. How do you fix it? The selinux_restorecon() syscall includes a flag - SELINUX_RESTORECON_IGNORE_MOUNTS - which instructs it to not bother with that check, but there doesn't seem to be a way to tell the restorecon or semanage programs to do the same. So, one option is to write your own restorecon program which makes that syscall with the flag to ignore mount labels. That's a pain. :) An easier option I like is to just use a mount context to hide those mount points you're probably not interested in traversing anyway. Contexts cause the problem, so why not fix it with contexts too?
sudo unshare -m sh
umount $( mount | awk '$3~/netns/{print $3}' )
restorecon -rv /some/file
exit
Use unshare -m to create a new mount namespace and run sh (pick your favorite shell here) in that namespace. Then unmount the offending filesystems. In my case with Docker doing this, the filesystems all include netns (and I have no filesystems with that string), so I just pull the matching mountpoints out and pass those to umount. Someone else might need to find and unmount differently, but the idea is the same. Because unshare -m defaults to a private mount namespace, the unmounting doesn't impact anything else on the system - it basically hides the mounts from this process. At that point, I have a shell where those filesystems are not visible. So, when restorecon inspects /proc/self/mounts (it technically opens /proc/mounts, but for backwards compatibility that's a link to /proc/self/mounts on systems which support mount namespaces) in the namespace it inherits from the shell, it's able to run with no problems.
If you find yourself doing this often, it would probably make sense to put the umount and restorecon into a shell script and just run that with restorecon instead of starting a shell.
answered Dec 18 '17 at 23:16
dannysauer
83748
add a comment |
It's been over a year since this was asked, but I didn't find an answer online. Let's fix that for the next person. :)
Those errors occur because something has created network namespaces on your machine. If you look at the output of mount you'll see a proc filesystem type mounted somewhere (probably under /run or /var/run) with that number. However, if you look at /proc/mounts like restorecon (and semanage) does, you'll see the same filesystem with "net:[xxx]" as the mount point. Unfortunately, restorecon / semanage have no idea how to deal with that; they just see a path which doesn't start with a / and emits an error.
Why does it do that? If you check out the restorecon source, you'll see that restorecon automatically adds exclude entries for mountpoints which don't have the seclabel mount option set. Same presumably goes for semanage. The seclabel option should be managed by SELinux, I think. What it does is indicates that the filesystem uses xattrs to store the SELinux attributes. That's why those filesystems are being excluded: it doesn't make sense to try to set the context on files when the filesystem doesn't support SELinux contexts.
Great. How do you fix it? The selinux_restorecon() syscall includes a flag - SELINUX_RESTORECON_IGNORE_MOUNTS - which instructs it to not bother with that check, but there doesn't seem to be a way to tell the restorecon or semanage programs to do the same. So, one option is to write your own restorecon program which makes that syscall with the flag to ignore mount labels. That's a pain. :) An easier option I like is to just use a mount context to hide those mount points you're probably not interested in traversing anyway. Contexts cause the problem, so why not fix it with contexts too?
sudo unshare -m sh
umount $( mount | awk '$3~/netns/{print $3}' )
restorecon -rv /some/file
exit
Use unshare -m to create a new mount namespace and run sh (pick your favorite shell here) in that namespace. Then unmount the offending filesystems. In my case with Docker doing this, the filesystems all include netns (and I have no filesystems with that string), so I just pull the matching mountpoints out and pass those to umount. Someone else might need to find and unmount differently, but the idea is the same. Because unshare -m defaults to a private mount namespace, the unmounting doesn't impact anything else on the system - it basically hides the mounts from this process. At that point, I have a shell where those filesystems are not visible. So, when restorecon inspects /proc/self/mounts (it technically opens /proc/mounts, but for backwards compatibility that's a link to /proc/self/mounts on systems which support mount namespaces) in the namespace it inherits from the shell, it's able to run with no problems.
If you find yourself doing this often, it would probably make sense to put the umount and restorecon into a shell script and just run that with restorecon instead of starting a shell.
answered Dec 18 '17 at 23:16
dannysauer
83748
It's been over a year since this was asked, but I didn't find an answer online. Let's fix that for the next person. :)
Those errors occur because something has created network namespaces on your machine. If you look at the output of mount you'll see a proc filesystem type mounted somewhere (probably under /run or /var/run) with that number. However, if you look at /proc/mounts like restorecon (and semanage) does, you'll see the same filesystem with "net:[xxx]" as the mount point. Unfortunately, restorecon / semanage have no idea how to deal with that; they just see a path which doesn't start with a / and emits an error.
Why does it do that? If you check out the restorecon source, you'll see that restorecon automatically adds exclude entries for mountpoints which don't have the seclabel mount option set. Same presumably goes for semanage. The seclabel option should be managed by SELinux, I think. What it does is indicates that the filesystem uses xattrs to store the SELinux attributes. That's why those filesystems are being excluded: it doesn't make sense to try to set the context on files when the filesystem doesn't support SELinux contexts.
Great. How do you fix it? The selinux_restorecon() syscall includes a flag - SELINUX_RESTORECON_IGNORE_MOUNTS - which instructs it to not bother with that check, but there doesn't seem to be a way to tell the restorecon or semanage programs to do the same. So, one option is to write your own restorecon program which makes that syscall with the flag to ignore mount labels. That's a pain. :) An easier option I like is to just use a mount context to hide those mount points you're probably not interested in traversing anyway. Contexts cause the problem, so why not fix it with contexts too?
sudo unshare -m sh
umount $( mount | awk '$3~/netns/{print $3}' )
restorecon -rv /some/file
exit
Use unshare -m to create a new mount namespace and run sh (pick your favorite shell here) in that namespace. Then unmount the offending filesystems. In my case with Docker doing this, the filesystems all include netns (and I have no filesystems with that string), so I just pull the matching mountpoints out and pass those to umount. Someone else might need to find and unmount differently, but the idea is the same. Because unshare -m defaults to a private mount namespace, the unmounting doesn't impact anything else on the system - it basically hides the mounts from this process. At that point, I have a shell where those filesystems are not visible. So, when restorecon inspects /proc/self/mounts (it technically opens /proc/mounts, but for backwards compatibility that's a link to /proc/self/mounts on systems which support mount namespaces) in the namespace it inherits from the shell, it's able to run with no problems.
If you find yourself doing this often, it would probably make sense to put the umount and restorecon into a shell script and just run that with restorecon instead of starting a shell.
answered Dec 18 '17 at 23:16
dannysauer
83748
edited Dec 22 '17 at 4:29
answered Dec 18 '17 at 23:16
dannysauer
83748
answered Dec 18 '17 at 23:16
dannysauer
83748
answered Dec 18 '17 at 23:16
dannysauer
83748
83748
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f293317%2fselinux-issue-full-path-required-for-exclude-net4026532292%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
