跳至主要内容

chcon can not apply partial context to unlabeld file excerpt: fix broken selinux label

The broken selinux label and way to fix

Yesterday I work on a task of compress a qcow2 vm image. As usual I made a temp directory in the directory of the image, and fired the qemu-img convert and then virt-sparsify command to do the compression.

Soon, after some seconds, an unusual error occurred. My task received a mysterious signal 9 and exited.

As I am the only user of the machine at the time. A blind guess and some ls -lhz commands lead me to the broken selinux label problem.

It turns out that directory up to the second level of the directory are all unlabeled.

My first attempt with chcon -R -t virt_image_t <workdir> failed with some error messages looks like bellow: 

chcon: can't apply partial context to unlabeled file 'VERSION.png'
chcon: can't apply partial context to unlabeled file '1.1_V12'
chcon: can't apply partial context to unlabeled file 'pre-release'
chcon: can't apply partial context to unlabeled file 'hotfix_20200106_rollback'
chcon: can't apply partial context to unlabeled file 'statusmachine.properties'

solution from stackoverflow

To initialize selinux label on unlabeled files:

  1. run chcon -R -h <initial_selinux_label> <workdir>
  2. optionally run chcon -R -t <single_selinux_label> <workdir> if desired, label not in <initialselinuxlabel>
chcon -R -h system_u:object_r:home_root_t:s0 images/
chcon -R -t virt_image_t images/

 

标签:

评论

发表评论

此博客中的热门博文

Eglot and before/after-save-hook and use-package

In Emacs, when you try to automate some actions during every save action, you will surely get to the before-save-hook and the after-save-hook. Simply adding something like gofmt-before-save to before-save-hook will save you tons of time to do the go-fmt. And then, I meet eglot, and gopls will also save me tons of time doing googling and api documentation navigation. But eglot-ensure is not very friendly to the good old ways of how after-save-hooks were designed to work. It makes the before/after-save-hook a buffer local variable and it does not inherit the variable's global value. So, to make before/after-save-hook work again, experts start to adding hooks to major mode specific hooks like this: emacs.md - Go (opensource.google) """ ;; Optional: install eglot-format-buffer as a save hook. ;; The depth of -10 places this before eglot's willSave notification, ;; so that that notification reports the actual contents that will be saved. (defu...
发表评论
阅读全文

Use MobaDiff with git difftool

Recently there's an activity in IT that forces the deletion of all unauthorized softwares from all work machines. Unfortunately, kdiff3 is one in the list. As it is generally okay to use vimdiff as an alternative for kdiff3, A gui tool is better suited for desktop workflows. Known that MobaXterm is shipping a gui diff tool named MobaDiff. But it only appears in the windows right click context menu. Find the real application name takes me some time to search in the windows registry. "MobaRTE.exe", which is the one invoked by HKCR\*\shell\MobaDiff. And it was invoked with "-contextdiff" switch to show MobaDiff UI, while when the switch is "-contextedit" it shows MobaTextEditor. Too bad that the "-contextdiff" switch do not support pre-image post-image as other diff tool did, which effectively made it unable to be used as a command line diff utility. Also MobaTech did not mention anything in their document of this Mob...
发表评论
阅读全文