On Wed, Sep 02, 2009 at 11:07:12AM +0800, zheyeung wrote: > hi , every body ,I install selinux-policy-targeted in my F11,and run in enforce mode. > now I want to change selinux context of /tmp/test,but failed.I thought current shell domain was unconfined_t. then I intend to change my shell context to root:sysadm_r: sysadm_t ,but also failed. > my project team plan to develop selinux policy for our system based on selinux-policy.src.rpm. I guess is this package have not been developed? If it has been developed ,why I cannot change to sysadm_r: sysadm_t? > > ---------------------------------------------------------------------------- > > [root@localhost ~]# ls -lZ /tmp/testselinux > root root unconfined_u:object_r:user_t:user_tmp_t: s0 /tmp/testselinux This does security context does not makes senseto me . > > [root@localhost ~]#chcon unconfined_u:object_r:mytest_t /tmp/testselinux > chcon:failed to change context of '/tmp/testselinux' to 'unconfined_u:object_r:testselinux: s0 : permission denied This also does not make sense. > > ## here mytest_t defined in myapp.pp,which has successfully loaded by "semodule -i myapp.pp" Can you show us the module? > [root@localhost ~]# newrole -r sysadm_r -t sysadm_t > unconfined_u:unconfined_r:unconfined_t: s0 is not valid context > > [root@localhost ~]# semanage login -m -s root -r s0-s0:c0.c1023 root > > after reboot, graphic terminal cannot run. audit says that system_u:system_r: xdm_t require "read" permission for system_u:object_r:httpd_sys_content_t. I think this may be related to seuser roots default contexts in /etc/selinux/targeted/contexts/users/root. It seems theres is not default context defined for xdm_t there > [root@localhost ~]# id > context= root:unconfined_r:unconfined_t: s0-s0:c0-c1023 > > [root@localhost ~]# newrole -r sysadm_r -t sysadm_t > failed to exec shell: permission denied > 2009-09-02 > With regard to mapping root to seuser root i am not sure what you are trying to achieve. i think the root seuser is for MLS usage. But in either way i think if you edit the defaults contexts you should be able to make it work As for the labeling issue: the only sensible explanation i can come up with now is that mytest_t may not be defined a files_type. > > > zheyeung > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Attachment:
pgpZuqujZHBxv.pgp
Description: PGP signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list