Seek for help

su heng ste.suheng at gmail.com
Wed Oct 20 15:53:58 UTC 2010


Hi Daniel,

   Thanks a lot. Your solution has fixed the issue with deleting the type of
my file or directory.
   And thank you for suggesting that I read the SELinux man pages for httpd and samba.

Thanks & Best Regards,
Su Heng

On Tue, 2010-10-19 at 09:13 -0400, Daniel J Walsh wrote:
> 
> On 10/20/2010 07:48 AM, su heng wrote:
> > 
> > Hi Daniel,
> > 
> > 	Thanks for your reply. Please see my remarks. Thanks.
> > 
> > On Mon, 2010-10-18 at 10:47 -0400, Daniel J Walsh wrote:
> > On 10/19/2010 09:33 AM, su heng wrote:
> >>>> Hi,
> >>>>
> >>>> I have two problems I want to fix.
> >>>>
> >>>> Firstly,
> >>>>
> >>>> [root@localhost tmp]# mkdir test
> >>>> [root@localhost tmp]# ls -dZ test
> >>>> drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
> >>>> [root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?"
> >>>> [root@localhost tmp]# restorecon -R -v /tmp/test/
> >>>> restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
> >>>> [root@localhost tmp]# ls -dZ test
> >>>> drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test
> >>>> ------------------------------------------------------------------
> >>>> When I tried to delete the type, an error happened. 
> >>>> [root@localhost tmp]# semanage fcontext -d /tmp/test/
> >>>> Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied
> >>>> Traceback (most recent call last):
> >>>>   File "/usr/sbin/semanage", line 501, in <module>
> >>>>     process_args(sys.argv[1:])
> >>>>   File "/usr/sbin/semanage", line 437, in process_args
> >>>>     OBJECT.delete(target, ftype)
> >>>>   File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete
> >>>>     self.__delete( target, ftype)
> >>>>   File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete
> >>>>     if target in self.equiv.keys():
> >>>> AttributeError: fcontextRecords instance has no attribute 'equiv'
> >>>>
> >>>>
> > This looks like a bug in semanage
> >> [Su Heng:] Which bug describes it, and could you give me a URL as a
> >> reference?
> >
> I was suggesting that you report one.  This seems to work in F13 and beyond.
> 
> > rpm -q policycoreutils
> >> [Su Heng:] What is this line used for? I get a result under my shell:
> >> [root@localhost suheng]# rpm -q policycoreutils
> >> policycoreutils-2.0.74-4.fc12.i686
> > 
> Please attempt to yum -y update policycoreutils
> 
> To get a newer version of policycoreutils.
> 
> 
> > 
> > This line
> > # semanage fcontext -d /tmp/test/
> > 
> > should be
> > # semanage fcontext -d "/tmp/test(/.*)?"
> >> [Su Heng:] Yes, thanks, but the same error still occurs.
> >> And I want to know the solution for this issue. Could you give me some more
> >> details to fix it?
> > 
> > But it looks like you will still have the bug.
> > 
> >>>> And I have searched on Google; a bug has been reported. So I
> >>>> updated to the latest selinux-policy. The error is still there. What should I
> >>>> do?
> >>>>
> >>>> Secondly,
> >>>>    I have read the documentation on the Fedora site. I have a
> >>>> question.
> >>>> We can change the type or the domain of a file or process, which lets
> >>>> us pass the SELinux check.
> >>>> And we can also write a policy file to pass the SELinux check.
> >>>>
> >>>>    Do these two methods have the same goal? If so, which one is
> >>>> better to use, and why?
> >>>> If not, please give me some suggestions about the difference and when we
> >>>> should use each of them.
> >>>>    
> > 
> > Not sure I understand the question.  I would say you want to change the
> > domain of the process or the context of the file to match the truth.
> > For example, if you have a file that needs to be shared by samba then it
> > is usually better to change the label to samba_share_t rather than run
> > the samba process as an unconfined process.
> > 
> > But it is best for you to describe the exact problem that you are having
> > with SELinux
> > 
> >> [Su Heng:] I mean I have a folder path "/tmp/share_for_smb_www". I want
> >> both samba and httpd to be able to access it. If I change the type of this
> >> directory to "samba_share_t", httpd won't be able to access it. Then I have
> >> to switch the type of this directory frequently.
> >>   As far as I know, RBAC can let more than one "Subject" access the same
> >> "Object". So, can a folder or file (Object) have more than one type?
> >> How does SELinux implement this? By using policy configuration?
> > 
> > 
> >>>>
> >>>> Thanks & Best Regards,
> >>>> Su Heng
> >>>>
> >>>>
> >>>>
> >>>>
> > 
> 
> > Thanks & Best Regards,
> > Su Heng
> 
> 
> You want to set the context to public_content_t or public_content_rw_t
> if you want one of apache or samba to have write access.
> 
> man samba_selinux
> man httpd_selinux
> 
> Will explain this.


-- 
QQ :    49757862
MSN:    suh.steven at hotmail.com
Mobile: (0512)60780554
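
The labelling advice in the quoted reply, together with the corrected `semanage fcontext -d` form, as an added example that is not part of the original thread: one `public_content_t` / `public_content_rw_t` rule for a directory that both smbd and httpd use, and its removal by the same spec string. The function names are hypothetical, and the boolean names are assumptions to check against `man samba_selinux` and `man httpd_selinux` for the installed policy.

```sh
# Added example (not from the thread): one label for a directory shared by smbd and httpd.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (needs root).
# Boolean names are assumptions to confirm in samba_selinux / httpd_selinux;
# Fedora 12-era policy spells them allow_smbd_anon_write / allow_httpd_anon_write.
SMB_BOOL="${SMB_BOOL:-smbd_anon_write}"
HTTPD_BOOL="${HTTPD_BOOL:-httpd_anon_write}"

run() {   # print in dry-run mode, execute otherwise
    if [ "${DRY_RUN:-1}" = "1" ]; then printf '+'; printf " '%s'" "$@"; printf '\n'
    else "$@"; fi
}

# Drop trailing slashes so "/tmp/test/" and "/tmp/test" give the same rule key.
strip_slashes() {
    d="$1"
    while [ "${d%/}" != "$d" ]; do d="${d%/}"; done
    [ -n "$d" ] || return 1        # refuse "" and "/"
    printf '%s\n' "$d"
}

# The file-context spec is a regex covering the directory and everything below it.
fcontext_spec() { d="$(strip_slashes "$1")" && printf '%s(/.*)?\n' "$d"; }

# ro -> public_content_t, rw -> public_content_rw_t (the types named in the reply).
share_label_type() {
    case "$1" in
        ro) echo public_content_t ;;
        rw) echo public_content_rw_t ;;
        *)  echo "mode must be ro or rw" >&2; return 1 ;;
    esac
}

label_shared_dir() {
    dir="$(strip_slashes "$1")" || return 1
    ctype="$(share_label_type "$2")" || return 1
    run semanage fcontext -a -t "$ctype" "$(fcontext_spec "$dir")"
    run restorecon -R -v "$dir"
    if [ "$2" = "rw" ]; then       # writes to public content are gated by booleans
        for b in "$SMB_BOOL" "$HTTPD_BOOL"; do run setsebool -P "$b" 1; done
    fi
}

# Removal must name the same spec string that was added, not the bare path.
unlabel_shared_dir() {
    dir="$(strip_slashes "$1")" || return 1
    run semanage fcontext -d "$(fcontext_spec "$dir")"
    run restorecon -R -v "$dir"
}
```

After sourcing the file, `label_shared_dir /tmp/share_for_smb_www rw` prints the four commands it would run; set `DRY_RUN=0` as root to apply them.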



