Hi Daniel,
Thanks a lot. Your solution has fixed the issue about deleting the type of
my file or directory.
And thank you for suggesting that I read the selinux man pages of httpd and samba.
Thanks & Best Regards,
Su Heng
On Tue, 2010-10-19 at 09:13 -0400, Daniel J Walsh wrote:
On 10/20/2010 07:48 AM, su heng wrote:
>
> Hi Daniel,
>
> Thanks for your reply. Please see my remarks. Thanks.
>
> On Mon, 2010-10-18 at 10:47 -0400, Daniel J Walsh wrote:
> On 10/19/2010 09:33 AM, su heng wrote:
>>>> Hi,
>>>>
>>>> I have two problems I want to fix.
>>>>
>>>> Firstly,
>>>>
>>>> [root@localhost tmp]# mkdir test
>>>> [root@localhost tmp]# ls -dZ test
>>>> drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
>>>> [root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?"
>>>> [root@localhost tmp]# restorecon -R -v /tmp/test/
>>>> restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
>>>> [root@localhost tmp]# ls -dZ test
>>>> drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test
>>>> ------------------------------------------------------------------
>>>> When I tried to delete the type, an error happened.
>>>> [root@localhost tmp]# semanage fcontext -d /tmp/test/
>>>> Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied
>>>> Traceback (most recent call last):
>>>>   File "/usr/sbin/semanage", line 501, in <module>
>>>>     process_args(sys.argv[1:])
>>>>   File "/usr/sbin/semanage", line 437, in process_args
>>>>     OBJECT.delete(target, ftype)
>>>>   File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete
>>>>     self.__delete( target, ftype)
>>>>   File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete
>>>>     if target in self.equiv.keys():
>>>> AttributeError: fcontextRecords instance has no attribute 'equiv'
>>>>
>>>>
> This looks like a bug in semanage
>> [Su Heng:] Which bug describes it, and could you give me a URL as a
>> reference?
>
I was suggesting that you report one. This seems to work in F13 and beyond.
> rpm -q policycoreutils
>> [Su Heng:] What is this line used for? I get a result under my shell:
>> [root@localhost suheng]# rpm -q policycoreutils
>> policycoreutils-2.0.74-4.fc12.i686
>
Please attempt to yum -y update policycoreutils
to get a newer version of policycoreutils.
>
> This line
> # semanage fcontext -d /tmp/test/
>
> should be
> # semanage fcontext -d "/tmp/test(/.*)?"
>> [Su Heng:] Yes, thanks, still the same error.
>> And I want to know the solution for this issue. Could you give me some more
>> details to fix it?
>
> But it looks like you will still have the bug.
>
>>>> And I have searched Google; a bug has been reported. So I
>>>> updated to the latest selinux-policy. The error is still there. What should I
>>>> do?
>>>>
>>>> Secondly,
>>>> I have read the document which resided on fedora site. I have a
>>>> question.
>>>> We can change the type or the domain of a file or process, which can let
>>>> us pass through the check of se-linux.
>>>> And we can also write a policy file to pass through se-linux.
>>>>
>>>> Do these two methods have the same destination? If so, which one is
>>>> better to use, and why?
>>>> If not, please give me some suggestions about the difference and when we
>>>> should use each of them.
>>>>
>
> Not sure I understand the question. I would say you want to change the
> domain of the process or the context of the file to match the truth.
> For example, if you have a file that needs to be shared by samba then it
> is usually better to change the label to samba_share_t rather than run
> the samba process as an unconfined process.
>
> But it is best for you to describe the exact problem that you are having
> with SELinux
>
>> [Su Heng:] I mean I have a folder path "/tmp/share_for_smb_www". I want
>> both samba and httpd to be able to access it. If I change the type of this
>> directory to "samba_share_t", httpd won't access it. At this time I have
>> to switch the type of this directory frequently.
>> As I know, RBAC can let more than one "Subject" access the same
>> "Object". So, can a folder or file (Object) have more than one type?
>> How does selinux implement this? By using policy configuration?
>
>
>>>>
>>>> Thanks & Best Regards,
>>>> Su Heng
>>>>
>>>>
>>>>
>>>>
>
> Thanks & Best Regards,
> Su Heng
You want to set the context to public_content_t or public_content_rw_t
if you want one of apache or samba to have write access.
man samba_selinux
man httpd_selinux
will explain this.
--
QQ : 49757862
MSN: suh.steven(a)hotmail.com
Mobile: (0512)60780554
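
The labelling advice in this thread, as an added example that is not part of the original messages: it builds the same `"/dir(/.*)?"` spec for both `semanage fcontext -a` and `-d` (the mismatch corrected above) and picks `public_content_t` or `public_content_rw_t` depending on which one service should write. The function names are hypothetical, and the boolean names `smbd_anon_write` / `httpd_anon_write` are assumed from the samba_selinux and httpd_selinux man pages (older policies prefix them with `allow_`).

```shell
#!/bin/sh
# Added example. Dry-run by default: commands are printed, not executed.
# Set APPLY=1 and run as root to execute them.

# /tmp/test/ -> /tmp/test(/.*)?  The identical string is needed for -a and -d.
fcontext_spec() {
    dir=${1%/}                                  # drop one trailing slash
    case $dir in
        /*) printf '%s(/.*)?\n' "$dir" ;;
        *)  echo "path must be absolute: $1" >&2; return 1 ;;
    esac
}

# Execute the command, or print it with regex arguments quoted for copy/paste.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; return; fi
    line=
    for a in "$@"; do
        case $a in
            *[!A-Za-z0-9_/.=-]*) line="$line '$a'" ;;
            *)                   line="$line $a" ;;
        esac
    done
    printf '%s\n' "${line# }"
}

# share_dir DIR [none|smbd|httpd]: second argument names the one writer.
share_dir() {
    spec=$(fcontext_spec "$1") || return 1
    case ${2:-none} in
        none)       type=public_content_t;    bool= ;;
        smbd|httpd) type=public_content_rw_t; bool=${2}_anon_write ;;
        *) echo "writer must be none, smbd or httpd" >&2; return 1 ;;
    esac
    run semanage fcontext -a -t "$type" "$spec"
    run restorecon -R -v "${1%/}"
    [ -z "$bool" ] || run setsebool -P "$bool" 1
}

# Remove the local rule again, then re-apply whatever rules remain.
unshare_dir() {
    spec=$(fcontext_spec "$1") || return 1
    run semanage fcontext -d "$spec"
    run restorecon -R -v "${1%/}"
}
# Usage: . ./share.sh; share_dir /tmp/share_for_smb_www httpd
```
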