Hi Daniel,
Thanks for your reply. Please see my remarks. Thanks.
On Mon, 2010-10-18 at 10:47 -0400, Daniel J Walsh wrote:
On 10/19/2010 09:33 AM, su heng wrote:
Hi,
I have two problems I want to fix.
Firstly,
[root@localhost tmp]# mkdir test
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
[root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?"
[root@localhost tmp]# restorecon -R -v /tmp/test/
restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test

When I tried to delete the type, an error happened.

[root@localhost tmp]# semanage fcontext -d /tmp/test/
Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 501, in <module>
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 437, in process_args
    OBJECT.delete(target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete
    self.__delete( target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete
    if target in self.equiv.keys():
AttributeError: fcontextRecords instance has no attribute 'equiv'
This looks like a bug in semanage
[Su Heng:] Which bug describes it, and could you give me a URL as a reference?
rpm -q policycoreutils
[Su Heng:] What is this line used for? I get a result under my shell:

[root@localhost suheng]# rpm -q policycoreutils
policycoreutils-2.0.74-4.fc12.i686

This line
# semanage fcontext -d /tmp/test/
should be
# semanage fcontext -d "/tmp/test(/.*)?"
[Su Heng:] Yes, thanks, the same error still occurs. And I want to know the solution for this issue. Could you give me some more details to fix it?
But it looks like you will still have the bug.
I have searched Google, and a bug has been reported. So I updated to the latest selinux-policy. The error is still there. What should I do?
Secondly, I have read the documentation on the Fedora site. I have a question. We can change the type or the domain of a file or process so that it passes the SELinux check. And we can also write a policy file to pass SELinux.
Do these two methods have the same goal? If so, which one is better to use, and why? If not, please give me some suggestions about the difference and when we should use each.
Not sure I understand the question. I would say you want to change the domain of the process or the context of the file to match the truth. For example, if you have a file that needs to be shared by samba then it is usually better to change the label to samba_share_t rather than run the samba process as an unconfined process.
But it is best for you to describe the exact problem that you are having with SELinux.
[Su Heng:] I mean I have a folder path "/tmp/share_for_smb_www". I want both samba and httpd to be able to access it. If I change the type of this directory to "samba_share_t", httpd won't access it. Then I have to switch the type of this directory frequently. As far as I know, RBAC can let more than one "Subject" access the same "Object". So, can a folder or file (Object) have more than one type? How does SELinux implement this? Through policy configuration?
Thanks & Best Regards, Su Heng
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Thanks & Best Regards, Su Heng