Hi Daniel,

Thanks a lot. Your solution has fixed the issue with deleting the type of my file or directory. And thank you for suggesting that I read the selinux man pages for httpd and samba.

Thanks & Best Regards,
Su Heng

On Tue, 2010-10-19 at 09:13 -0400, Daniel J Walsh wrote:
> On 10/20/2010 07:48 AM, su heng wrote:
> >
> > Hi Daniel,
> >
> > Thanks for your reply. Please see my remarks. Thanks.
> >
> > On Mon, 2010-10-18 at 10:47 -0400, Daniel J Walsh wrote:
> > On 10/19/2010 09:33 AM, su heng wrote:
> >>>> Hi,
> >>>>
> >>>> I have two problems I want to fix.
> >>>>
> >>>> Firstly,
> >>>>
> >>>> [root@localhost tmp]# mkdir test
> >>>> [root@localhost tmp]# ls -dZ test
> >>>> drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
> >>>> [root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?"
> >>>> [root@localhost tmp]# restorecon -R -v /tmp/test/
> >>>> restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
> >>>> [root@localhost tmp]# ls -dZ test
> >>>> drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test
> >>>> ------------------------------------------------------------------
> >>>> When I tried to delete the type, an error happened.
> >>>> [root@localhost tmp]# semanage fcontext -d /tmp/test/
> >>>> Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied
> >>>> Traceback (most recent call last):
> >>>>   File "/usr/sbin/semanage", line 501, in <module>
> >>>>     process_args(sys.argv[1:])
> >>>>   File "/usr/sbin/semanage", line 437, in process_args
> >>>>     OBJECT.delete(target, ftype)
> >>>>   File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete
> >>>>     self.__delete( target, ftype)
> >>>>   File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete
> >>>>     if target in self.equiv.keys():
> >>>> AttributeError: fcontextRecords instance has no attribute 'equiv'
> >>>>
> >
> > This looks like a bug in semanage
> >> [Su Heng:] Which bug describes it, and could you give me a URL as a reference?
> >
> I was suggesting that you report one. This seems to work in F13 and beyond.
>
> > rpm -q policycoreutils
> >> [Su Heng:] What is this line used for? I get a result under my shell:
> >> [root@localhost suheng]# rpm -q policycoreutils
> >> policycoreutils-2.0.74-4.fc12.i686
> >
> Please attempt to yum -y update policycoreutils
> To get newer version of policycoreutils.
>
> >
> > This line
> > # semanage fcontext -d /tmp/test/
> >
> > should be
> > # semanage fcontext -d "/tmp/test(/.*)?"
> >> [Su Heng:] Yes, thanks, the same error still.
> >> And I want to know the solution for this issue. Could you give me some more details to fix it?
> >
> > But it looks like you will still have the bug.
> >
> >>>> And I have searched on Google; a bug has been reported. So I updated to the latest selinux-policy. The error is still there. What should I do?
> >>>>
> >>>> Secondly,
> >>>> I have read the document which resides on the Fedora site. I have a question.
> >>>> We can change the type or the domain of a file or process, which can let us pass through the check of se-linux.
> >>>> And we also can write a policy file to pass through se-linux.
> >>>>
> >>>> Do these two methods have the same destination? If so, which one is better to use, and why?
> >>>> If not, please give me some suggestions about the difference and when we should use each of them.
> >>>>
> >
> > Not sure I understand the question. I would say you want to change the domain of the process or the context of the file to match the truth. For example, if you have a file that needs to be shared by samba then it is usually better to change the label to samba_share_t rather than run the samba process as an unconfined process.
> >
> > But it is best for you to describe the exact problem that you are having with SELinux
> >
> >> [Su Heng:] I mean I have a folder path "/tmp/share_for_smb_www". I want both samba and httpd to be able to access it. If I change the type of this directory to "samba_share_t", httpd won't access it. At this time I have to switch the type of this directory frequently.
> >> As far as I know, RBAC can let more than one "Subject" access the same "Object". So, can a folder or file (Object) have more than one type?
> >> How does selinux implement this? By using policy configuration?
> >
> >>>>
> >>>> Thanks & Best Regards,
> >>>> Su Heng
> >>>>
> >>>> --
> >>>> selinux mailing list
> >>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> > Thanks & Best Regards,
> > Su Heng
> >
> You want to set the context to public_content_t or public_content_rw_t if you want one of apache or samba to have write access.
>
> man samba_selinux
> man httpd_selinux
>
> Will explain this.
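
The labeling recommended in the reply for a directory shared by Samba and Apache, as an added example that is not part of the original thread: a dry-run script that checks an `ls -dZ` line and prints the commands for `/tmp/share_for_smb_www`. The function names and the sample line are constructed here, and the `allow_*_anon_write` boolean names are an assumption taken from the Fedora 12 era man pages.

```shell
#!/bin/sh
# Added example (dry run): prints the commands, changes nothing on the system.

# selinux_type LINE: print the type field from one line of `ls -dZ` output.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)          # find the user:role:type:level field
            if (split($i, c, ":") >= 3 && c[2] ~ /_r$/) { print c[3]; exit }
    }'
}

# shared_ok LINE: succeed if the label is one of the two types named in the
# reply, i.e. content that both smbd and httpd are allowed to read.
shared_ok() {
    case $(selinux_type "$1") in
        public_content_t|public_content_rw_t) return 0 ;;
        *) return 1 ;;
    esac
}

# plan_share DIR WRITER: print the labeling steps for DIR.
# WRITER is none (read-only for both), smbd or httpd (that daemon may write).
plan_share() {
    dir=${1%/}                              # the fcontext spec takes no trailing slash
    case $2 in
        none)       setype=public_content_t ;;
        smbd|httpd) setype=public_content_rw_t ;;
        *) echo "usage: plan_share DIR none|smbd|httpd" >&2; return 2 ;;
    esac
    spec="${dir}(/.*)?"
    printf 'semanage fcontext -a -t %s "%s"\n' "$setype" "$spec"
    printf 'restorecon -R -v %s\n' "$dir"
    # Assumption: boolean name as documented in the Fedora 12 era man pages;
    # later releases drop the allow_ prefix. Check `getsebool -a` first.
    [ "$2" = none ] || printf 'setsebool -P allow_%s_anon_write 1\n' "$2"
    # Removing the rule later needs the same spec string that was added.
    printf '# undo: semanage fcontext -d "%s"\n' "$spec"
}

# Constructed sample line, modelled on the ls -dZ output in the thread.
sample='drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 share_for_smb_www'
shared_ok "$sample" || plan_share /tmp/share_for_smb_www smbd
```

With a single shared type the directory no longer has to be relabeled back and forth between the Samba and Apache types.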