Re: [selinux] Re: Conflict between local module and local fcontext

On 07/29/2015 07:39 PM, Robin Lee Powell wrote:
> On Wed, Jul 29, 2015 at 06:45:22AM -0400, Simon Sekidde wrote:
>>
>>
>> ----- Original Message -----
>>> From: "Robin Lee Powell" <rlpowell@xxxxxxxxxxxxxxxxxx>
>>> To: "Lukas Vrabec" <lvrabec@xxxxxxxxxx>, selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> Sent: Wednesday, July 29, 2015 6:29:16 AM
>>> Subject: Re: [selinux] Re: Conflict between local module and local fcontext
>>>
>>> I removed this line:
>>>
>>>   /srv/lojban/irclogs(/.*)?  system_u:object_r:lojban_logger_logs_t:s0
>>>
>>> from the module's .fc file, since that was the only other use of
>>> lojban_logger_logs_t , and that line was non-functional as
>>> previously described, and now the fcontext command works.
>>>
>>> Yay!, but I don't get it at all.
>>
>> The purpose of that line in the .fc is to have you avoid running
>> `semanage fcontext -a -t lojban_logger_logs_t
>> '/srv/lojban/irclogs(/.*)?'` since the label for all files in that
>> path dir has been predefined. 
> 
> Yes, but:
> 
> 1.  it *doesn't work*, because I have an fcontext rule for
> /srv/loban(/.*)? that wins over the module in all cases
> 
> 2.  why does the fcontext command abort with:
> 
>   libsemanage.dbase_llist_query: could not query record value (No such file or directory).
>   OSError: No such file or directory
> 
> when that .fc line exists?, especially when the .fc line doesn't
> even *do* anything?
> 
> It's #2 that I don't get.  Seems like a bug to me?  At the very
> least, the error message is not helpful.

The message is indeed not helpful. The problem seems to be that you are
trying to add, via semanage, the same rule that you have already defined
in the .fc file.

You could try to use slightly differently specified rules to overwrite
your local modification:


# matchpathcon /srv/lojban/irclogs/a
/srv/lojban/irclogs/a   system_u:object_r:lojban_logger_logs_t:s0

# semanage fcontext -a -t httpd_user_content_t '/srv/lojban(/.*)?'

# matchpathcon /srv/lojban/irclogs{,/a}
/srv/lojban/irclogs     system_u:object_r:httpd_user_content_t:s0
/srv/lojban/irclogs/a   system_u:object_r:httpd_user_content_t:s0


# semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs'

# matchpathcon /srv/lojban/irclogs{,/a}
/srv/lojban/irclogs     system_u:object_r:lojban_logger_logs_t:s0
/srv/lojban/irclogs/a   system_u:object_r:httpd_user_content_t:s0

# semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs/(.*)'

# matchpathcon /srv/lojban/irclogs{,/a}
/srv/lojban/irclogs     system_u:object_r:lojban_logger_logs_t:s0
/srv/lojban/irclogs/a   system_u:object_r:lojban_logger_logs_t:s0


-- 
Petr Lautrbach



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
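
Added example, not part of the original message or of any SELinux tool: a pre-check that reports whether a path spec is already defined verbatim (the duplicate-rule case diagnosed above) and lists every rule whose regex matches a given file. The function names and the two sample files are constructed for illustration; on a real system the inputs would be the policy's file_contexts and file_contexts.local files.

```shell
#!/bin/sh
# Added example, not from the thread. Input files use file_contexts syntax:
#   <path regex> [<file type flag>] <context>
# Assumption: specs are matched as anchored POSIX EREs; libselinux uses PCRE,
# which agrees for simple specs like the ones in this thread.

# fc_same_spec SPEC FILE...: print entries whose path spec is the identical
# string SPEC. Returns 0 if any exist (the "same rule defined twice" case).
fc_same_spec() {
    FC_SPEC=$1; export FC_SPEC; shift
    awk '/^[ \t]*(#|$)/ { next }
         $1 == ENVIRON["FC_SPEC"] { print FILENAME ": " $0; found = 1 }
         END { exit !found }' "$@"
}

# fc_overlaps PATH FILE...: print every spec whose regex matches PATH, in
# file order, so overlapping parent/child rules are visible side by side.
fc_overlaps() {
    fc_path=$1; shift
    cat -- "$@" | while read -r spec rest; do
        case $spec in ''|'#'*) continue ;; esac
        if printf '%s\n' "$fc_path" | grep -Eqx -e "$spec"; then
            printf '%s\n' "$spec"
        fi
    done
}

# Constructed sample data modelled on the rules quoted in the thread.
make_sample() {
    cat > "$1/module.fc" <<'EOF'
# from the local policy module
/srv/lojban/irclogs(/.*)?  system_u:object_r:lojban_logger_logs_t:s0
EOF
    cat > "$1/local.fc" <<'EOF'
/srv/lojban(/.*)?  system_u:object_r:httpd_user_content_t:s0
/srv/lojban/irclogs  system_u:object_r:lojban_logger_logs_t:s0
/srv/lojban/irclogs/(.*)  system_u:object_r:lojban_logger_logs_t:s0
EOF
}

d=$(mktemp -d) && make_sample "$d"
# The spec the original "semanage fcontext -a" used is already in the module:
fc_same_spec '/srv/lojban/irclogs(/.*)?' "$d/module.fc" "$d/local.fc"
# All rules competing for one file:
fc_overlaps /srv/lojban/irclogs/a "$d/module.fc" "$d/local.fc"
rm -rf "$d"
```

The script only lists the competing rules; matchpathcon, as used in the message above, remains the check for which one actually applies.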
