Re: I cannot change my shell context

On Wed, Sep 02, 2009 at 11:07:12AM +0800, zheyeung wrote:
> Hi everybody, I installed selinux-policy-targeted on my F11, and run in enforce mode.
> Now I want to change the selinux context of /tmp/test, but failed. I thought the current shell domain was unconfined_t. Then I intended to change my shell context to root:sysadm_r:sysadm_t, but that also failed.
> My project team plans to develop selinux policy for our system based on selinux-policy.src.rpm. I guess this package has not been developed? If it has been developed, why can I not change to sysadm_r:sysadm_t?
> 
> ----------------------------------------------------------------------------
> 
> [root@localhost ~]# ls -lZ /tmp/testselinux
> root root unconfined_u:object_r:user_t:user_tmp_t: s0 /tmp/testselinux
This security context does not make sense to me.


> 
> [root@localhost ~]#chcon unconfined_u:object_r:mytest_t /tmp/testselinux
> chcon:failed to change context of '/tmp/testselinux' to 'unconfined_u:object_r:testselinux: s0 : permission denied
This also does not make sense. 

> 
> ## here mytest_t is defined in myapp.pp, which was successfully loaded by "semodule -i myapp.pp"

Can you show us the module?

> [root@localhost ~]# newrole -r sysadm_r -t sysadm_t
> unconfined_u:unconfined_r:unconfined_t: s0 is not valid context
> 
> [root@localhost ~]# semanage login -m -s root -r s0-s0:c0.c1023 root
> 
> After reboot, the graphic terminal cannot run. Audit says that system_u:system_r:xdm_t requires "read" permission for system_u:object_r:httpd_sys_content_t.

I think this may be related to seuser root's default contexts in /etc/selinux/targeted/contexts/users/root. It seems there is no default context defined for xdm_t there.

> [root@localhost ~]# id
> context= root:unconfined_r:unconfined_t: s0-s0:c0-c1023
> 
> [root@localhost ~]#  newrole -r sysadm_r -t sysadm_t
> failed to exec shell: permission denied
> 2009-09-02 
> 

With regard to mapping root to seuser root, I am not sure what you are trying to achieve. I think the root seuser is for MLS usage. But either way, I think if you edit the default contexts you should be able to make it work.

As for the labeling issue: the only sensible explanation I can come up with now is that
mytest_t may not be defined as a files_type.
> 

> 
> zheyeung 

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
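
A minimal module source illustrating the hypothesis in the reply above, as an added example that is not part of the original thread and is not the poster's myapp module: the type is declared and then marked as a file type with the reference policy's files_type() interface. The module version and file name are assumptions; mytest_t is the type named in the thread.

```te
# myapp.te -- constructed example, not the module from the thread
policy_module(myapp, 1.0.0)

# Declare the type named in the thread.
type mytest_t;

# Mark it as a file type. A type declared without this is not a member
# of the file_type attribute, so rules written against that attribute
# (relabeling by unconfined domains, association with the filesystem)
# do not cover it, and relabeling a file to it is denied.
files_type(mytest_t)
```

With the selinux-policy development files installed, such a module builds with `make -f /usr/share/selinux/devel/Makefile myapp.pp`, and after `semodule -i myapp.pp` the attribute membership can be checked with `seinfo -afile_type -x | grep mytest_t`.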
