On 10/19/2010 09:33 AM, su heng wrote:
> Hi,
>
> I have two problem want to fix.
>
> Firstly,
>
> [root@localhost tmp]# mkdir test
> [root@localhost tmp]# ls -dZ test
> drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
> [root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?"
> [root@localhost tmp]# restorecon -R -v /tmp/test/
> restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
> [root@localhost tmp]# ls -dZ test
> drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test
> ------------------------------------------------------------------
> When I tried to delete the type, an error happened.
> [root@localhost tmp]# semanage fcontext -d /tmp/test/
> Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied
> Traceback (most recent call last):
>   File "/usr/sbin/semanage", line 501, in <module>
>     process_args(sys.argv[1:])
>   File "/usr/sbin/semanage", line 437, in process_args
>     OBJECT.delete(target, ftype)
>   File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete
>     self.__delete( target, ftype)
>   File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete
>     if target in self.equiv.keys():
> AttributeError: fcontextRecords instance has no attribute 'equiv'
>
>

This looks like a bug in semanage

rpm -q policycoreutils

This line

# semanage fcontext -d /tmp/test/

should be

# semanage fcontext -d "/tmp/test(/.*)?"

But it looks like you will still have the bug.

> And I have searched from Google, there is a bug has been reported. So I
> update it to the latest selinux-policy. The error still. How should I
> do?
>
> Secondly,
> I have read the document which resided on fedora site. I have a
> question.
> We can change the type or the domain of a file or process which can let
> us pass through the check of se-linux.
> And we also can write a policy file to pass through se-linux.
>
> These two methods are the same destination? If so, which one is
> better when we try to use and why?
> If not, Please give me some suggestion about the difference and when we
> should to use for them?
>

Not sure I understand the question. I would say you want to change the
domain of the process or the context of the file to match the truth. For
example, if you have a file that needs to be shared by samba, then it is
usually better to change the label to samba_share_t rather than run the
samba process as an unconfined process. But it is best for you to
describe the exact problem that you are having with SELinux.

>
> Thanks & Best Regards,
> Su Heng
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
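The reply's point is that `semanage fcontext -d` takes the file-context spec exactly as it was added, not a path the spec covers. As an added example (not part of the thread or of policycoreutils), this script finds the local rules covering a path and builds the matching delete commands. It assumes the three-column layout of `semanage fcontext -l -C` output; the listing is a constructed sample and all function names are hypothetical.

```python
import re

# Constructed sample of `semanage fcontext -l -C` output (local rules only).
SAMPLE_LISTING = """\
SELinux fcontext                type               Context

/tmp/test(/.*)?                 all files          system_u:object_r:samba_share_t:s0
/srv/www(/.*)?                  all files          system_u:object_r:httpd_sys_content_t:s0
/srv/www/logs                   directory          system_u:object_r:httpd_log_t:s0
"""

def parse_local_rules(listing):
    """Return (spec, file_type, context) tuples from the listing text."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        # Rule rows start with a path spec and end with a user:role:type[:level] context.
        if len(fields) < 3 or not fields[0].startswith("/") or fields[-1].count(":") < 2:
            continue
        rules.append((fields[0], " ".join(fields[1:-1]), fields[-1]))
    return rules

def rules_covering(path, rules):
    """Rules whose spec, anchored at both ends, matches the given path."""
    path = path.rstrip("/") or "/"  # assumption: compare without a trailing slash
    hits = []
    for spec, ftype, context in rules:
        try:
            if re.fullmatch(spec, path):
                hits.append((spec, ftype, context))
        except re.error:
            continue  # spec uses regex syntax Python's re does not accept
    return hits

def delete_commands(path, listing):
    """Build one `semanage fcontext -d` command per covering rule.

    The file type is not checked here; a rule whose type is not "all files"
    also needs the matching -f option when it is deleted.
    """
    return ['semanage fcontext -d "%s"' % spec
            for spec, _, _ in rules_covering(path, parse_local_rules(listing))]

if __name__ == "__main__":
    for cmd in delete_commands("/tmp/test/", SAMPLE_LISTING):
        print(cmd)
```

After a rule is deleted, `restorecon -R -v` on the directory returns its label to whatever the remaining policy specifies.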