On Thu, 2008-10-23 at 14:00 -0400, Stephen Smalley wrote:
> On Thu, 2008-10-23 at 13:29 -0400, Daniel J Walsh wrote:
> > LC Bruzenak wrote:
> > > On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
> > > ...
> > >> On Rawhide it seems to work
> > >>
> > >> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
> > >> '/var/spool/prelude(/.*)?'
> > >> # restorecon -R -v /var/spool/prelude/
> > >> restorecon reset /var/spool/prelude context
> > >> system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
> > >>
> > >>
> > >> So I will patch policycoreutils.
> > >>
> > >
> > > Thanks Dan!
> > >
> > > LCB.
> > >
> > Of course this is totally not intuitive to the user.
> >
> > He really wants to modify an existing fcontext so he needs to add a new
> > conflicting one.
> >
> > This command should really be fixed to check if an existing global or
> > local exists,
> >
> > if a local exists it should modify if a global exists it should add.
>
> I think semanage port handles that situation correctly. __modify uses
> the _exists interface to check existence (whether in policy or local),
> and uses the modify_local interface to update (which internally will
> fall back to an add if not already locally defined).
>

It didn't seem to work this way with the patch - I could only add it (then modify):

[root@v1 ~]# /usr/sbin/semanage fcontext -m -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
/usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
[root@v1 ~]# rpm -qv policycoreutils
policycoreutils-2.0.57-5.fc10.i386
[root@v1 ~]# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
[root@v1 ~]# /usr/sbin/semanage fcontext -m -r s0:c0.c1022 '/var/spool/prelude(/.*)?'

- and so far restorecon works as expected.

So to me it seems like the man page needs updating if this behavior is desired (only local fcontext changes allowed).
Seems fine to me; only thing is the last one in the list wins I guess, vice only last-occurring duplicates displayed:

[root@v1 ~]# /usr/sbin/semanage fcontext -l | grep prelude
...
/var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0
...
/var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0:c0.c1022

Main thing for me is that it works so I can resume testing.

Thanks again!
LCB.

-- 
LC (Lenny) Bruzenak
lenny@xxxxxxxxxxxxxx

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
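Added illustration, not code from the thread, from policycoreutils or from libselinux: the Python below models the two points the exchange turns on. First, the add-versus-modify rule Dan proposes (modify when a local customization already exists for the regex, otherwise add a local entry that shadows the base-policy one, which is why LC's first `-m` failed with "is not defined" and `-a` succeeded). Second, the ordering LC noticed in the listing: the base file_contexts is consulted before file_contexts.local and the last matching entry wins, so the duplicated local entry is the one restorecon applies. The listings are constructed to imitate `semanage fcontext -l`; feeding the function the local-only output of `semanage fcontext -l -C` is an assumption about the flags available on the reader's version.

```python
"""Model of semanage fcontext add-vs-modify and file_contexts ordering.

Constructed illustration for the thread above; none of this is
policycoreutils or libselinux code.  The listing text imitates
`semanage fcontext -l`; the `-C` (local customizations only) flag
mentioned in the usage note is assumed to exist on the reader's version.
"""
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, str]  # (path regex, file type, security context)


def parse_listing(text: str) -> List[Entry]:
    """Parse `semanage fcontext -l` style lines: regex, file type, context."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "SELinux":  # blank, "..." or header
            continue
        entries.append((parts[0], " ".join(parts[1:-1]), parts[-1]))
    return entries


def choose_op(regex: str, local_listing: str) -> str:
    """Dan's proposed rule: modify if a local entry already exists for the
    regex, otherwise add (the new local entry shadows any base-policy one)."""
    local = {rx for rx, _ftype, _ctx in parse_listing(local_listing)}
    return "modify" if regex in local else "add"


def semanage_argv(op: str, regex: str, setype: Optional[str] = None,
                  mls_range: Optional[str] = None) -> List[str]:
    """Build the command line LC typed by hand for the chosen operation."""
    argv = ["/usr/sbin/semanage", "fcontext", {"add": "-a", "modify": "-m"}[op]]
    if setype:
        argv += ["-t", setype]
    if mls_range:
        argv += ["-r", mls_range]
    return argv + [regex]


def split_context(ctx: str) -> Dict[str, str]:
    """user:role:type[:range]; the MLS range may itself contain colons."""
    user, role, setype, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype,
            "range": rest[0] if rest else ""}


def resolve(path: str, entries: List[Entry]) -> Optional[str]:
    """Last matching entry wins.  file_contexts.local is searched after the
    base file_contexts, so a conflicting local entry overrides the base one
    for the same path, which is what LC's restorecon run showed."""
    winner: Optional[str] = None
    for regex, _ftype, ctx in entries:
        if re.fullmatch(regex, path):  # file_contexts regexes are anchored
            winner = ctx
    return winner


# Constructed listings, in the order the combined file_contexts is searched:
# base policy first, then the local customization LC added.
BASE_LISTING = """\
SELinux fcontext                                   type               Context
/var/spool(/.*)?                                   all files          system_u:object_r:var_spool_t:s0
/var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0
"""

LOCAL_LISTING = """\
/var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0:c0.c1022
"""


if __name__ == "__main__":
    regex = "/var/spool/prelude(/.*)?"
    # No local entry yet: -m would fail ("is not defined"), so add one.
    print(" ".join(semanage_argv(choose_op(regex, ""), regex,
                                 "prelude_spool_t", "s0:c0.c1023")))
    # A local entry exists now: modify it in place.
    print(" ".join(semanage_argv(choose_op(regex, LOCAL_LISTING), regex,
                                 mls_range="s0:c0.c1022")))
    entries = parse_listing(BASE_LISTING) + parse_listing(LOCAL_LISTING)
    for p in ("/var/spool/prelude", "/var/spool/prelude/foo", "/var/spool/mail"):
        print(p, "->", resolve(p, entries))
```

In practice the local listing would come from `semanage fcontext -l -C` (assumed flag) and the full one from `semanage fcontext -l`; the point of `resolve` is that a second entry for the same regex is not an error but the one that takes effect, so the duplicate pair in LC's `grep prelude` output is the expected state after `-a` followed by `-m`.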