semanage not changing file context

On my centos 7 machine, I have the following information:

[wmsodbc]> pwd
/WMSData1/tomcat/latest
[wmsodbc]> ls -lrt /WMSData1/tomcat/latest
lrwxrwxrwx. 1 tomcat tomcat 37 May  2 19:26 /WMSData1/tomcat/latest -> /WMSData1/tomcat/apache-tomcat-8.5.37
[wmsodbc]> ls -ltd logs
drwxr-xr-x. 2 tomcat tomcat 4096 May 10 13:05 logs
[wmsodbc]> ls -lZd logs
drwxr-xr-x. tomcat tomcat system_u:object_r:default_t:s0   logs
[wmsodbc]> 

I have tried many times to set the file context to var_log_t, but it does not take. See attempts below. All steps taken from various websites online. First of all, attempt 1:

[wmsodbc]> ls -lZd logs
drwxr-xr-x. tomcat tomcat system_u:object_r:default_t:s0   logs
[wmsodbc]> more /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

/WMSData1/tomcat/latest/logs(/.*)?    system_u:object_r:var_log_t:s0
[wmsodbc]> sudo restorecon -vR logs/
[wmsodbc]> ls -lZd logs
drwxr-xr-x. tomcat tomcat system_u:object_r:default_t:s0   logs
[wmsodbc]> 

And attempt 2, using a slightly different method:

[wmsodbc]> more /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

[wmsodbc]> ls -lZd logs
drwxr-xr-x. tomcat tomcat system_u:object_r:default_t:s0   logs
[wmsodbc]> sudo chcon system_u:object_r:var_log_t:s0 /WMSData1/tomcat/latest/logs/
[wmsodbc]> ls -lZd logs
drwxr-xr-x. tomcat tomcat system_u:object_r:var_log_t:s0   logs
[wmsodbc]> more /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

[wmsodbc]> sudo semanage fcontext -a -t var_log_t '/WMSData1/tomcat/latest/logs(/.*)?'
[wmsodbc]> ls -lZd logs
drwxr-xr-x. tomcat tomcat system_u:object_r:var_log_t:s0   logs
[wmsodbc]> sudo restorecon -v -R logs/
restorecon reset /WMSData1/tomcat/apache-tomcat-8.5.37/logs context system_u:object_r:var_log_t:s0->system_u:object_r:default_t:s0
[wmsodbc]> 

So what am I doing wrong? Obviously, chcon is temporary. But it works, unlike semanage, in changing file context. And then we clearly see restorecon changing it back to "default_t". So a second question would be why is it changing it back to "default_t"?

Could it be the fact that "latest" is a softlink and semanage does not like softlink in the full path? I think I MIGHT have gotten it to work by going directly to directory "latest" points to and using THAT absolute path, but waiting to see if it fixes my issues. If someone could point me to proof that this is the issue, that would be great.


Solution 1:

Could it be the fact that "latest" is a softlink and semanage does not like softlink in the full path?

Yes, that's exactly why.

From man 3 matchpathcon

NAME
       matchpathcon, matchpathcon_index - get the default SELinux security context for the specified path from the file contexts configuration
...
DESCRIPTION
...
       matchpathcon() matches the specified pathname, after transformation via realpath(3)...

Just to clarify, realpath(3) expands all symbolic links in the path to attempt to define the absolute canonical path to the file.

You could probably specify the PCRE as /WMSData1/tomcat/[^/]+/logs(/.*)? instead to avoid the problem in a manner that means you don't have to continually add new file contexts.
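
An added shell example (not from the question or either answer) that reproduces the mismatch: it builds a throwaway directory tree with the same "latest" symlink layout, canonicalises paths with readlink -f as a stand-in for the realpath(3) step matchpathcon performs, and tests both the question's regex and the version-agnostic one against the resolved path.

```shell
#!/bin/sh
# Added example, not part of the question or either answer: show why the
# fcontext rule from the question never matches. restorecon/matchpathcon
# canonicalise the path with realpath(3) first, so a regex written against
# the "latest" symlink is compared to the apache-tomcat-8.5.37 path instead.

# fcontext_matches REGEX PATH -> exit 0 if REGEX would apply to PATH after
# symlink resolution (readlink -f stands in for realpath(3) here), else 1.
fcontext_matches() {
    regex=$1
    path=$2
    canon=$(readlink -f -- "$path") || return 1
    # file_contexts regexes are implicitly anchored at both ends
    printf '%s\n' "$canon" | grep -Eq "^(${regex})$"
}

# Constructed layout mirroring the question, under a canonical temp root.
demo_root=$(readlink -f "$(mktemp -d)")
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/WMSData1/tomcat/apache-tomcat-8.5.37/logs"
ln -s apache-tomcat-8.5.37 "$demo_root/WMSData1/tomcat/latest"
: > "$demo_root/WMSData1/tomcat/latest/logs/catalina.out"

target="$demo_root/WMSData1/tomcat/latest/logs"
# Regex as written in the question (through the symlink): never matches.
via_symlink="$demo_root/WMSData1/tomcat/latest/logs(/.*)?"
# Version-agnostic regex from Solution 1: matches whatever "latest" points at.
via_glob="$demo_root/WMSData1/tomcat/[^/]+/logs(/.*)?"

for rule in "$via_symlink" "$via_glob"; do
    for p in "$target" "$target/catalina.out"; do
        if fcontext_matches "$rule" "$p"; then
            printf 'MATCH    %s  <-  %s\n' "$(readlink -f -- "$p")" "$rule"
        else
            printf 'NO MATCH %s  <-  %s\n' "$(readlink -f -- "$p")" "$rule"
        fi
    done
done
```

Running it prints NO MATCH for both paths under the symlink-based rule and MATCH for both under the [^/]+ rule, which is the same outcome restorecon reported in attempt 2.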

Solution 2:

Path mismatch? Symlink?

/WMSData1/tomcat/latest/logs

vs.

/WMSData1/tomcat/apache-tomcat-8.5.37/logs

This:

/WMSData1/tomcat/latest/logs(/.*)?

is a regular expression that does not match the apache-tomcat-8.5.37 path.

For more details on regex see: https://regex101.com/