Re: semanage help

On Thu, 2008-10-23 at 13:41 -0500, LC Bruzenak wrote:
> On Thu, 2008-10-23 at 14:00 -0400, Stephen Smalley wrote:
> > On Thu, 2008-10-23 at 13:29 -0400, Daniel J Walsh wrote:
> > > LC Bruzenak wrote:
> > > > On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
> > > > ...
> > > >> On Rawhide it seems to work
> > > >>
> > > >> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
> > > >> '/var/spool/prelude(/.*)?'
> > > >> # restorecon -R -v /var/spool/prelude/
> > > >> restorecon reset /var/spool/prelude context
> > > >> system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
> > > >>
> > > >>
> > > >> So I will patch policycoreutils.
> > > >>
> > > > 
> > > > Thanks Dan!
> > > > 
> > > > LCB.
> > > > 
> > > Of course this is totally not intuitive to the user.
> > > 
> > > He really wants to modify an existing fcontext so he needs to add a new
> > > conflicting one.
> > > 
> > > This command should really be fixed to check if an existing global or
> > > local exist,
> > > 
> > > if a local exists it should modify; if a global exists it should add.
> > 
> > I think semanage port handles that situation correctly.  __modify uses
> > the _exists interface to check existence (whether in policy or local),
> > and uses the modify_local interface to update (which internally will
> > fall back to an add if not already locally defined).
> > 
> 
> It didn't seem to work this way with the patch - I could only add it
> (then modify):

I was saying that it works that way for semanage port already (not
fcontext), so Dan can use that as an example of how to make it work for
fcontext.

> 
> [root@v1 ~]# /usr/sbin/semanage fcontext -m -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
> 
> [root@v1 ~]# rpm -qv policycoreutils
> policycoreutils-2.0.57-5.fc10.i386
> 
> [root@v1 ~]# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
> [root@v1 ~]# /usr/sbin/semanage fcontext -m -r s0:c0.c1022 '/var/spool/prelude(/.*)?'
> 
> - and so far restorecon works as expected.
> 
> So to me it seems like the man page needs updating if this behavior is
> desired (only local fcontext changes allowed). Seems fine to me; only
> thing is the last one in the list wins I guess, vice only last-occurring
> duplicates displayed:
> 
> [root@v1 ~]# /usr/sbin/semanage fcontext -l | grep prelude
> ...
> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0 
> ...
> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0:c0.c1022 
> 
> Main thing for me is that it works so I can resume testing.
> Thanks again!
> 
> LCB.
> 
-- 
Stephen Smalley
National Security Agency
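As an added example (not code from this thread and not policycoreutils' own implementation), the following Python models the flow Stephen describes for semanage port and that Dan wants for fcontext: an existence check that accepts a global or a local record, followed by a local modify that falls back to an add. The dict-backed store, `make_store`, and the `local_only` flag are assumptions made for the illustration; the real `_exists` and `modify_local` are seobject methods that this model only imitates. The regex, type and MLS ranges are the ones from LC Bruzenak's session, so the listing at the end reproduces the duplicate rows he saw.

```python
# Added illustration (not policycoreutils' own code): an in-memory model of the
# "check _exists, then modify_local with fall-back to add" flow described in the
# thread. The regex, type and MLS ranges are the ones from LC Bruzenak's session.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REGEX = "/var/spool/prelude(/.*)?"  # path regex from the thread


@dataclass
class FileContext:
    user: str
    role: str
    setype: str
    mls: str

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.setype}:{self.mls}"


class FcontextStore:
    """Toy stand-in for the global policy (shipped modules) plus local changes."""

    def __init__(self, policy: Dict[str, FileContext]):
        self.policy = dict(policy)               # global definitions
        self.local: Dict[str, FileContext] = {}  # semanage -a / -m results

    def exists(self, regex: str) -> bool:
        # counterpart of the _exists interface: a global *or* local record counts
        return regex in self.policy or regex in self.local

    def lookup(self, regex: str) -> Optional[FileContext]:
        # a local record overrides the global one (the "last one wins" LC saw)
        return self.local.get(regex, self.policy.get(regex))

    def add(self, regex: str, setype: str, mls: str = "s0") -> FileContext:
        # 'semanage fcontext -a': only a *local* duplicate is an error, so adding
        # a record that conflicts with a global one succeeds, as in the thread
        if regex in self.local:
            raise ValueError(f"File context for {regex} is already defined")
        self.local[regex] = FileContext("system_u", "object_r", setype, mls)
        return self.local[regex]

    def modify(self, regex: str, setype: Optional[str] = None,
               mls: Optional[str] = None, local_only: bool = False) -> FileContext:
        # local_only=True reproduces the behaviour LC hit: -m refuses a regex
        # that is only defined in policy. local_only=False is the semanage port
        # style: _exists accepts either, and modify_local falls back to an add.
        defined = regex in self.local if local_only else self.exists(regex)
        if not defined:
            raise ValueError(f"File context for {regex} is not defined")
        base = self.lookup(regex)
        assert base is not None
        new = FileContext(base.user, base.role, setype or base.setype, mls or base.mls)
        self.local[regex] = new  # write (or create) the local record
        return new

    def list_all(self) -> List[Tuple[str, str]]:
        # 'semanage fcontext -l' style listing: global rows, then local rows,
        # so an overridden regex appears twice and the later (local) row wins
        rows = [(r, str(c)) for r, c in self.policy.items()]
        rows += [(r, str(c)) for r, c in self.local.items()]
        return rows


def make_store() -> FcontextStore:
    # constructed global policy: the same default context the listing showed
    return FcontextStore({
        REGEX: FileContext("system_u", "object_r", "prelude_spool_t", "s0"),
    })


if __name__ == "__main__":
    store = make_store()
    try:
        store.modify(REGEX, mls="s0:c0.c1023", local_only=True)
    except ValueError as err:
        print(f"local-only modify: {err}")
    ctx = store.modify(REGEX, mls="s0:c0.c1023")
    print(f"modify with fall-back: {REGEX} -> {ctx}")
    for regex, ctx_str in store.list_all():
        print(f"{regex:<40} {ctx_str}")
```

Run stand-alone, the model first reproduces the "is not defined" refusal from the thread (local-only check), then applies the modify-or-add flow and lists both the global `s0` row and the local `s0:c0.c1023` row, with `lookup` returning the local one.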


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
