Re: Seek for help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Daniel,

   Thanks a lot. Your solution has fixed the issue about delete type of
my file or directory.
   And thank you for suggesting read man selinux of httpd and samaba.

Thanks & Best Regards,
Su Heng

On Tue, 2010-10-19 at 09:13 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 10/20/2010 07:48 AM, su heng wrote:
> > 
> > Hi Daniel,
> > 
> > 	Thanks for your reply. Please see my remarks,Thanks.
> > 
> > On Mon, 2010-10-18 at 10:47 -0400, Daniel J Walsh wrote:
> > On 10/19/2010 09:33 AM, su heng wrote:
> >>>> Hi,
> >>>>
> >>>> I have two problem want to fix.
> >>>>
> >>>> Firstly,
> >>>>
> >>>> [root@localhost tmp]# mkdir test
> >>>> [root@localhost tmp]# ls -dZ test
> >>>> drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
> >>>> [root@localhost tmp]# semanage fcontext -a -t samba_share_t
> >>>> "/tmp/test(/.*)?"
> >>>> [root@localhost tmp]# restorecon -R -v /tmp/test/
> >>>> restorecon reset /tmp/test context
> >>>> unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
> >>>> [root@localhost tmp]# ls -dZ test
> >>>> drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test
> >>>> ------------------------------------------------------------------
> >>>> When I tried to delete the type, an error happened. 
> >>>> [root@localhost tmp]# semanage fcontext -d /tmp/test/
> >>>> Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock':
> >>>> Permission denied
> >>>> Traceback (most recent call last):
> >>>>   File "/usr/sbin/semanage", line 501, in <module>
> >>>>     process_args(sys.argv[1:])
> >>>>   File "/usr/sbin/semanage", line 437, in process_args
> >>>>     OBJECT.delete(target, ftype)
> >>>>   File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in
> >>>> delete
> >>>>     self.__delete( target, ftype)
> >>>>   File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in
> >>>> __delete
> >>>>     if target in self.equiv.keys():
> >>>> AttributeError: fcontextRecords instance has no attribute 'equiv'
> >>>>
> >>>>
> > This looks like a bug in semanage
> >> [Su Heng:] Which bug describe it and could u give me a URL as a
> >> reference?
> >
> I was suggesting that you report one.  This seems to work in F13 and beyond.
> 
> > rpm -q policycoreutils
> >> [Su Heng:] What is this line used for? I get a result under my shell:
> >> [root@localhost suheng]# rpm -q policycoreutils
> >> policycoreutils-2.0.74-4.fc12.i686
> > 
> Please attempt to yum -y update policycoreutils
> 
> To get newer version of policycoreutils.
> 
> 
> > 
> > This line
> > # semanage fcontext -d /tmp/test/
> > 
> > should be
> > # semanage fcontext -d "/tmp/test(/.*)?"
> >> [Su Heng:] Yes, thanks, the same error still.
> >> And I want know the solution for this issue. Could u give me some more
> >> details to fix it?
> > 
> > But it looks like you will still have the bug.
> > 
> >>>> And I have searched from Google, there is a bug has been reported. So I
> >>>> update it to the latest selinux-policy. The error still. How should I
> >>>> do?
> >>>>
> >>>> Secondly,
> >>>>    I have read the document which resided on fedora site. I have a
> >>>> question. 
> >>>> We can change the type or the domain of a file or process which can let
> >>>> us pass through the check of se-linux. 
> >>>> And we also can write a policy file to pass through se-linux.
> >>>>
> >>>>    These two methods are the same destination? If so, which one is
> >>>> better when we try to use and why? 
> >>>> If not, Please give me some suggestion about the difference and when we
> >>>> should to use for them?
> >>>>    
> > 
> > Not sure I understand the question.  I would say you want to change the
> > domain of the process or the context of the file to match the truth.
> > For example, if you have a file that needs to be shared by samba then it
> > is usually better to change the label to samba_share_t rather then run
> > the samba process as an unconfined process.
> > 
> > But it is best for you to describe the exact problem that you are having
> > with SELinux
> > 
> >> [Su Heng:] I mean I have a folder path "/tmp/share_for_smb_www". I want
> >> both of samba and httpd can access it. If I change the type of this
> >> directory to "samba_share_t", httpd won't access it. At this time I have
> >> to switch the type of this directory frequently. 
> >>   As I know, RBAC can let more than one "Subject" to access the same
> >> "Object". So, can a folder or file(Object) can have more than one type?
> >> How selinux implements this? to use policy configure?
> > 
> > 
> >>>>
> >>>> Thanks & Best Regards,
> >>>> Su Heng
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> selinux mailing list
> >>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> 
> > Thanks & Best Regards,
> > Su Heng
> 
> 
> You want to set the context to public_content_t or public_content_rw_t
> if you want one of apache or samba to have write access.
> 
> man samba_selinux
> man httpd_selinux
> 
> Will excplain this.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAky9mXIACgkQrlYvE4MpobMG4QCg4YPylHXGJGzC4h9Yf5/ZrPph
> EpIAnAyK3StIB18a4Lwqtk+ncuPTdhUZ
> =BrZW
> -----END PGP SIGNATURE-----


-- 
QQ :    49757862
MSN:    suh.steven@xxxxxxxxxxx
Mobile: (0512)60780554


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux