Re: Seek for help

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/20/2010 07:48 AM, su heng wrote: > > Hi Daniel, > > Thanks for your reply. Please see my remarks,Thanks. > > On Mon, 2010-10-18 at 10:47 -0400, Daniel J Walsh wrote: > On 10/19/2010 09:33 AM, su heng wrote: >>>> Hi, >>>> >>>> I have two problem want to fix. >>>> >>>> Firstly, >>>> >>>> [root@localhost tmp]# mkdir test >>>> [root@localhost tmp]# ls -dZ test >>>> drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test >>>> [root@localhost tmp]# semanage fcontext -a -t samba_share_t >>>> "/tmp/test(/.*)?" >>>> [root@localhost tmp]# restorecon -R -v /tmp/test/ >>>> restorecon reset /tmp/test context >>>> unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0 >>>> [root@localhost tmp]# ls -dZ test >>>> drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test >>>> ------------------------------------------------------------------ >>>> When I tried to delete the type, an error happened. >>>> [root@localhost tmp]# semanage fcontext -d /tmp/test/ >>>> Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': >>>> Permission denied >>>> Traceback (most recent call last): >>>> File "/usr/sbin/semanage", line 501, in <module> >>>> process_args(sys.argv[1:]) >>>> File "/usr/sbin/semanage", line 437, in process_args >>>> OBJECT.delete(target, ftype) >>>> File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in >>>> delete >>>> self.__delete( target, ftype) >>>> File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in >>>> __delete >>>> if target in self.equiv.keys(): >>>> AttributeError: fcontextRecords instance has no attribute 'equiv' >>>> >>>> > This looks like a bug in semanage >> [Su Heng:] Which bug describe it and could u give me a URL as a >> reference? > I was suggesting that you report one. This seems to work in F13 and beyond. > rpm -q policycoreutils >> [Su Heng:] What is this line used for? I get a result under my shell: >> [root@localhost suheng]# rpm -q policycoreutils >> policycoreutils-2.0.74-4.fc12.i686 > Please attempt to yum -y update policycoreutils To get newer version of policycoreutils. > > This line > # semanage fcontext -d /tmp/test/ > > should be > # semanage fcontext -d "/tmp/test(/.*)?" >> [Su Heng:] Yes, thanks, the same error still. >> And I want know the solution for this issue. Could u give me some more >> details to fix it? > > But it looks like you will still have the bug. > >>>> And I have searched from Google, there is a bug has been reported. So I >>>> update it to the latest selinux-policy. The error still. How should I >>>> do? >>>> >>>> Secondly, >>>> I have read the document which resided on fedora site. I have a >>>> question. >>>> We can change the type or the domain of a file or process which can let >>>> us pass through the check of se-linux. >>>> And we also can write a policy file to pass through se-linux. >>>> >>>> These two methods are the same destination? If so, which one is >>>> better when we try to use and why? >>>> If not, Please give me some suggestion about the difference and when we >>>> should to use for them? >>>> > > Not sure I understand the question. I would say you want to change the > domain of the process or the context of the file to match the truth. > For example, if you have a file that needs to be shared by samba then it > is usually better to change the label to samba_share_t rather then run > the samba process as an unconfined process. > > But it is best for you to describe the exact problem that you are having > with SELinux > >> [Su Heng:] I mean I have a folder path "/tmp/share_for_smb_www". I want >> both of samba and httpd can access it. If I change the type of this >> directory to "samba_share_t", httpd won't access it. At this time I have >> to switch the type of this directory frequently. >> As I know, RBAC can let more than one "Subject" to access the same >> "Object". So, can a folder or file(Object) can have more than one type? >> How selinux implements this? to use policy configure? > > >>>> >>>> Thanks & Best Regards, >>>> Su Heng >>>> >>>> >>>> >>>> >>>> -- >>>> selinux mailing list >>>> selinux(a)lists.fedoraproject.org >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux > > Thanks & Best Regards, > Su Heng You want to set the context to public_content_t or public_content_rw_t if you want one of apache or samba to have write access. man samba_selinux man httpd_selinux Will excplain this.