chcon: can't apply partial context to unlabeled file '/usr/sbin/xrdp'

linux centos selinux

189

Solution 1

I'm also on CentOS 7, and this works for me:

chcon -h system_u:object_r:bin_t:s0 /usr/sbin/xrdp
chcon -h system_u:object_r:bin_t:s0 /usr/sbin/xrdp-sesman

Solution 2

Your command has to give more information. It has been discussed before (but I see no duplicates).

For example,

in chcon: can't apply partial context to unlabeled file while installing nagios with SELinux, Sergei Lomakov pointed out that it was first necessary to label the files using semanage.
in Linux chcon: can't apply partial context to unlabeled file, the suggested solution uses the complete type in the chcon command (but you would have to first determine the type using ls -Z). The complete type would usually have a colon (:) in the name, because it represents a hierarchy.

For example, ls -lZ gives these tags for a sample listing:

$ ls -lZ msginit msgmerge msgunfmt
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   msginit
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   msgmerge
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   msgunfmt

and chcon is expecting something like unconfined_u:object_r:bin_t:s0 in its argument. A bin_t is only partial information.

The referenced procedure should have worked, and the use of chcon redundant. Checking my CentOS7, I happen to have xrdp installed, and a listing shows

$ ls -lZ xrdp xrdp-chansrv xrdp-sesman xrdp-sessvc
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xrdp
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xrdp-chansrv
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xrdp-sesman
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xrdp-sessvc

The system_u field is the SELinux user, the object_r field is the role, bin_t is the type and s0 is the (default) level. The files in /usr/sbin get their context from a pattern shown by semanage fcontext -l (but there are a lot of matches). In following the guide, you may have removed the pattern for the xrdp — or even for /usr/sbin. However, you can be more explicit in the command, by specifying the user and role using chcon:

chcon -u system_u -r object_r --type=bin_t /usr/sbin/xrdp
chcon -u system_u -r object_r --type=bin_t /usr/sbin/xrdp-sesman

Alternatively, if the patterns are intact but (for instance) you had moved the files rather than installing them, you could repair things using

restorecon -v /usr/sbin/xrdp
restorecon -v /usr/sbin/xrdp-sesman

Solution 3

It might help someone, so here is my simple 2 cents. If you somehow disabled selinux, you might face this issue. to resolve this, just change the selinux back to normal. open /etc/selinux/config and change

SELINUX=disabled

back to

SELINUX=enforcing

189

Franklin.s.dev

Updated on September 18, 2022

Comments

Franklin.s.dev almost 2 years
I have been installed sass on my Debian wheezy laptop, but when I want to run the sass compiler the console display the following error:
```
$ sass --watch develop.scss:style.css
>>> Sass is watching for changes. Press Ctrl-C to stop.
NoMethodError: undefined method `join' for nil:NilClass
  Use --trace for backtrace.
```
- sass -v givs "Sass 3.4.6 (Selective Steve)".
- I'm trying to hack the Gemfile but not found this file.
- The gems for the compass, listen and ruby and ruby1.9.1-dev have been installed too.
TheOnlyOne about 8 years

I still don't get it , Can you tell me what command would be the fix for it then ? as I'm not really familiar with linux Neither SELinux :(
Adelin over 6 years

While Thomas gave a pretty comprehensive answer, the solution is not that straightforward. I had to do a lot of try and error till I reached these two commands, which are actually working
ramires.cabral about 4 years

That worked for me too in a CentOs box.