Hi Daniel,
Thanks a lot. Your solution has fixed the issue with deleting the type of my file or directory. And thank you for suggesting that I read the SELinux man pages for httpd and samba.
Thanks & Best Regards, Su Heng
On Tue, 2010-10-19 at 09:13 -0400, Daniel J Walsh wrote:
On 10/20/2010 07:48 AM, su heng wrote:
Hi Daniel,
Thanks for your reply. Please see my remarks. Thanks.
On Mon, 2010-10-18 at 10:47 -0400, Daniel J Walsh wrote:
On 10/19/2010 09:33 AM, su heng wrote:
Hi,
I have two problems I want to fix.
Firstly,
[root@localhost tmp]# mkdir test
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
[root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?"
[root@localhost tmp]# restorecon -R -v /tmp/test/
restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test
When I tried to delete the type, an error happened.
[root@localhost tmp]# semanage fcontext -d /tmp/test/
Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 501, in <module>
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 437, in process_args
    OBJECT.delete(target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete
    self.__delete( target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete
    if target in self.equiv.keys():
AttributeError: fcontextRecords instance has no attribute 'equiv'
This looks like a bug in semanage
[Su Heng:] Which bug describes it, and could you give me a URL as a reference?
I was suggesting that you report one. This seems to work in F13 and beyond.
rpm -q policycoreutils
[Su Heng:] What is this line used for? I get this result in my shell:
[root@localhost suheng]# rpm -q policycoreutils
policycoreutils-2.0.74-4.fc12.i686
Please attempt to run: yum -y update policycoreutils
to get a newer version of policycoreutils.
This line # semanage fcontext -d /tmp/test/
should be # semanage fcontext -d "/tmp/test(/.*)?"
[Su Heng:] Yes, thanks, but the same error still occurs. And I want to know the solution for this issue. Could you give me some more details on how to fix it?
But it looks like you will still have the bug.
And I have searched on Google; a bug has been reported. So I updated to the latest selinux-policy. The error is still there. What should I do?
Secondly, I have read the document on the Fedora site. I have a question. We can change the type or the domain of a file or process, which lets us pass the SELinux checks. And we can also write a policy file to get through SELinux.
Do these two methods have the same destination? If so, which one is better to use, and why? If not, please give me some suggestions about the difference and about when we should use each of them.
Not sure I understand the question. I would say you want to change the domain of the process or the context of the file to match the truth. For example, if you have a file that needs to be shared by samba, then it is usually better to change the label to samba_share_t rather than run the samba process as an unconfined process.
But it is best for you to describe the exact problem that you are having with SELinux.
[Su Heng:] I mean I have a folder path "/tmp/share_for_smb_www". I want both samba and httpd to be able to access it. If I change the type of this directory to "samba_share_t", httpd can't access it. So I have to switch the type of this directory frequently. As far as I know, RBAC can let more than one "Subject" access the same "Object". So, can a folder or file (Object) have more than one type? How does SELinux implement this? By using policy configuration?
Thanks & Best Regards, Su Heng
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Thanks & Best Regards, Su Heng
You want to set the context to public_content_t or public_content_rw_t if you want one of apache or samba to have write access.
man samba_selinux
man httpd_selinux
Will explain this.
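The relabeling Daniel describes, as an added example (not code from the thread or from the policycoreutils project): persistently label the shared tree public_content_rw_t with semanage fcontext, apply it with restorecon, turn on the booleans that let smbd and httpd write to that type, and verify the on-disk label against policy. It assumes the Fedora 12-era boolean names allow_smbd_anon_write and allow_httpd_anon_write (newer releases call them smbd_anon_write and httpd_anon_write), reuses the directory name from Su Heng's question, and adds a DRY_RUN switch of my own so the commands can be shown without root. Note that the -d pattern must be exactly the pattern used with -a, which is the mistake Daniel pointed out in the first attempt.

```shell
#!/bin/sh
# Added example, not from the list thread. Labels a directory so that both
# smbd and httpd may read and write it, then verifies the label.
# Assumes policycoreutils (semanage, restorecon, matchpathcon, setsebool).
# Boolean names below are the Fedora 12 ones; newer releases use
# smbd_anon_write / httpd_anon_write. DRY_RUN=1 prints instead of executing.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# semanage regex for a whole tree: the directory itself plus everything below.
tree_pattern() {
    printf '%s(/.*)?' "${1%/}"
}

# Record the label in the policy store, then apply it on disk.
label_shared_tree() {
    dir=$1
    ctx=${2:-public_content_rw_t}
    run semanage fcontext -a -t "$ctx" "$(tree_pattern "$dir")"
    run restorecon -R -v "$dir"
}

# Removing the rule later: the -d pattern must match the -a pattern exactly.
unlabel_shared_tree() {
    dir=$1
    run semanage fcontext -d "$(tree_pattern "$dir")"
    run restorecon -R -v "$dir"
}

# public_content_rw_t is writable by each daemon only once its boolean is on.
enable_shared_write() {
    run setsebool -P allow_smbd_anon_write on
    run setsebool -P allow_httpd_anon_write on
}

# Compare the label on disk with what the policy says it should be.
verify_label() {
    run matchpathcon -V "$1"
    run ls -dZ "$1"
}

if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    label_shared_tree /tmp/share_for_smb_www
    enable_shared_write
    verify_label /tmp/share_for_smb_www
fi
```

Run it with --demo to print the command sequence; run the functions as root without DRY_RUN to apply it. If only one daemon needs write access, public_content_t plus the single relevant boolean is the tighter choice.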