chcon: can't apply partial context to unlabeled file '/usr/sbin/xrdp'

Question

Whenever I'm trying to execute this line to configure SELinux to install xrdp from this tutorial:

# chcon --type=bin_t /usr/sbin/xrdp
# chcon --type=bin_t /usr/sbin/xrdp-sesman

I get these errors:

chcon: can't apply partial context to unlabeled file '/usr/sbin/xrdp'
chcon: can't apply partial context to unlabeled file '/usr/sbin/xrdp-sesman'

I'm on CentOS 7.2 64 bit.

Answer 1

I'm also on CentOS 7, and this works for me:

chcon -h system_u:object_r:bin_t:s0 /usr/sbin/xrdp
chcon -h system_u:object_r:bin_t:s0 /usr/sbin/xrdp-sesman

Answer 2

Your command has to give more information. It has been discussed before (but I see no duplicates).

For example,

• in chcon: can't apply partial context to unlabeled file while installing nagios with SELinux, Sergei Lomakov pointed out that it was first necessary to label the files using semanage.
• in Linux chcon: can't apply partial context to unlabeled file, the suggested solution uses the complete type in the chcon command (but you would have to first determine the type using ls -Z). The complete type would usually have a colon (:) in the name, because it represents a hierarchy.

For example, ls -lZ gives these tags for a sample listing:

$ ls -lZ msginit msgmerge msgunfmt
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   msginit
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   msgmerge
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   msgunfmt

and chcon is expecting something like unconfined_u:object_r:bin_t:s0 in its argument. A bin_t is only partial information.

The referenced procedure should have worked, and the use of chcon redundant. Checking my CentOS7, I happen to have xrdp installed, and a listing shows

$ ls -lZ xrdp xrdp-chansrv xrdp-sesman xrdp-sessvc
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xrdp
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xrdp-chansrv
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xrdp-sesman
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       xrdp-sessvc

The system_u field is the SELinux user, the object_r field is the role, bin_t is the type and s0 is the (default) level. The files in /usr/sbin get their context from a pattern shown by semanage fcontext -l (but there are a lot of matches). In following the guide, you may have removed the pattern for the xrdp — or even for /usr/sbin. However, you can be more explicit in the command, by specifying the user and role using chcon:

chcon -u system_u -r object_r --type=bin_t /usr/sbin/xrdp
chcon -u system_u -r object_r --type=bin_t /usr/sbin/xrdp-sesman

Alternatively, if the patterns are intact but (for instance) you had moved the files rather than installing them, you could repair things using

restorecon -v /usr/sbin/xrdp
restorecon -v /usr/sbin/xrdp-sesman

Further reading:

• 5.6. SELinux Contexts – Labeling Files
• 5.6.2. Persistent Changes: semanage fcontext
• restorecon - restore file(s) default SELinux security contexts.
• chcon - change file SELinux security context

Answer 3

It might help someone, so here is my simple 2 cents. If you somehow disabled selinux, you might face this issue. to resolve this, just change the selinux back to normal. open /etc/selinux/config and change

SELINUX=disabled

back to

SELINUX=enforcing