On 10/19/2010 09:33 AM, su heng wrote:
Hi,
I have two problems I want to fix.
Firstly,
[root@localhost tmp]# mkdir test
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
[root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?"
[root@localhost tmp]# restorecon -R -v /tmp/test/
restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test

When I tried to delete the type, an error happened.

[root@localhost tmp]# semanage fcontext -d /tmp/test/
Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 501, in <module>
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 437, in process_args
    OBJECT.delete(target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete
    self.__delete( target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete
    if target in self.equiv.keys():
AttributeError: fcontextRecords instance has no attribute 'equiv'
This looks like a bug in semanage
rpm -q policycoreutils
This line
# semanage fcontext -d /tmp/test/
should be
# semanage fcontext -d "/tmp/test(/.*)?"
But it looks like you will still have the bug.
I have also searched Google, and a bug has been reported. So I updated to the latest selinux-policy. The error still occurs. What should I do?
Secondly, I have read the document that resides on the Fedora site. I have a question. We can change the type or the domain of a file or process, which lets us pass the SELinux check. And we can also write a policy file to pass SELinux.
Do these two methods reach the same destination? If so, which one is better to use, and why? If not, please give me some suggestions about the difference and when we should use each of them.
Not sure I understand the question. I would say you want to change the domain of the process or the context of the file to match the truth. For example, if you have a file that needs to be shared by samba then it is usually better to change the label to samba_share_t rather than run the samba process as an unconfined process.
But it is best for you to describe the exact problem that you are having with SELinux.
Thanks & Best Regards, Su Heng
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
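
The correction in the reply above (delete with the same file spec that was added, not with the path) can be checked mechanically. The following is an added example, not part of the original message: the listing is constructed sample data in the column layout assumed for `semanage fcontext -l -C`, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `semanage fcontext -l -C` output (local rules only).
sample_listing() {
cat <<'EOF'
SELinux fcontext                                   type               Context

/tmp/test(/.*)?                                    all files          system_u:object_r:samba_share_t:s0
/srv/share(/.*)?                                   all files          system_u:object_r:samba_share_t:s0
EOF
}

# matching_specs PATH: read a listing on stdin and print every file spec
# whose regex matches PATH. Specs are anchored at both ends, the way
# file-context regexes are applied to a full path.
matching_specs() {
    path=$1
    while read -r spec _rest; do
        case $spec in
            /*) ;;            # file specs start with "/"
            *) continue ;;    # skip the header and blank lines
        esac
        if printf '%s\n' "$path" | grep -Eq "^(${spec})\$"; then
            printf '%s\n' "$spec"
        fi
    done
}

# delete_command PATH: print (do not run) the delete command for each
# matching rule, using the exact spec string rather than the path.
delete_command() {
    matching_specs "$1" | while read -r spec; do
        printf 'semanage fcontext -d "%s"\n' "$spec"
    done
}

# The path typed in the failing command resolves to the regex spec.
sample_listing | delete_command /tmp/test/
```

On a live system the listing would come from `semanage fcontext -l -C` instead of `sample_listing`; run `restorecon -R -v` on the path after deleting the rule so the on-disk labels return to the policy default.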