Re: semanage help

Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
On Thu, 2008-10-23 at 13:41 -0500, LC Bruzenak wrote:
On Thu, 2008-10-23 at 14:00 -0400, Stephen Smalley wrote:
On Thu, 2008-10-23 at 13:29 -0400, Daniel J Walsh wrote:
LC Bruzenak wrote:
On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
...
On Rawhide it seems to work

# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
'/var/spool/prelude(/.*)?'
# restorecon -R -v /var/spool/prelude/
restorecon reset /var/spool/prelude context
system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023


So I will patch policycoreutils.

Thanks Dan!

LCB.

Of course this is totally not intuitive to the user.

He really wants to modify an existing fcontext, so he needs to add a new
conflicting one.

This command should really be fixed to check if an existing global or
local exists:

if a local exists it should modify; if a global exists it should add.
I think semanage port handles that situation correctly.  __modify uses
the _exists interface to check existence (whether in policy or local),
and uses the modify_local interface to update (which internally will
fall back to an add if not already locally defined).

It didn't seem to work this way with the patch - I could only add it
(then modify):
I was saying that it works that way for semanage port already (not
fcontext), so Dan can use that as an example of how to make it work for
fcontext.

[root@v1 ~]# /usr/sbin/semanage fcontext -m -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
/usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined

[root@v1 ~]# rpm -qv policycoreutils
policycoreutils-2.0.57-5.fc10.i386

[root@v1 ~]# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
[root@v1 ~]# /usr/sbin/semanage fcontext -m -r s0:c0.c1022 '/var/spool/prelude(/.*)?'

- and so far restorecon works as expected.

So to me it seems like the man page needs updating if this behavior is
desired (only local fcontext changes allowed). Seems fine to me; only
thing is the last one in the list wins I guess, vice only last-occurring
duplicates displayed.:

[root@v1 ~]# /usr/sbin/semanage fcontext -l | grep prelude
...
/var/spool/prelude(/.*)?    all files    system_u:object_r:prelude_spool_t:s0
...
/var/spool/prelude(/.*)?    all files    system_u:object_r:prelude_spool_t:s0:c0.c1022
Main thing for me is that it works so I can resume testing.
Thanks again!

LCB.

I believe policycoreutils-2.0.57-9.fc10 has the syntax correct now.

Please try it out.

Did you send a patch for this? I didn't see one but I may have missed it.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
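The thread's point, as an added example that is not code from the thread or from policycoreutils: a small in-memory model of the policy (global) and local fcontext stores, contrasting the old "modify only if locally defined" check that produced the "is not defined" error with the fix Stephen describes for semanage port (check existence in either store, then modify_local, which falls back to an add). The class and method names are assumptions; libsemanage is not used.

```python
# Added example: model of the fcontext "modify" fix. Not libsemanage code;
# the two dicts stand in for the policy and local fcontext databases.

class FcontextStore:
    def __init__(self, policy):
        self.policy = dict(policy)   # {regex: (ftype, context)} from policy
        self.local = {}              # customizations made with semanage -a/-m

    def exists(self, regex):
        # counterpart of the _exists check: defined in policy OR locally
        return regex in self.local or regex in self.policy

    def modify_local(self, regex, setype=None, mls=None):
        # update the local record; if there is none yet, seed one from the
        # policy entry (the fallback-to-add behaviour described in the thread)
        ftype, ctx = self.local.get(regex) or self.policy[regex]
        user, role, otype, *rest = ctx.split(":", 3)
        oldmls = rest[0] if rest else "s0"
        ctx = ":".join([user, role, setype or otype, mls or oldmls])
        self.local[regex] = (ftype, ctx)
        return ctx

    def modify_old(self, regex, **kw):
        # behaviour LCB hit: only an already-local entry can be modified
        if regex not in self.local:
            raise KeyError("File context for %s is not defined" % regex)
        return self.modify_local(regex, **kw)

    def modify(self, regex, **kw):
        # fixed behaviour: existence in either store is enough
        if not self.exists(regex):
            raise KeyError("File context for %s is not defined" % regex)
        return self.modify_local(regex, **kw)

    def effective(self, regex):
        # what 'semanage fcontext -l' would apply: local wins over policy
        return (self.local.get(regex) or self.policy[regex])[1]

def run_prelude_scenario():
    regex = "/var/spool/prelude(/.*)?"
    store = FcontextStore({regex: ("all files", "system_u:object_r:prelude_spool_t:s0")})
    out = {}
    try:
        store.modify_old(regex, mls="s0:c0.c1023")
        out["old"] = "modified"
    except KeyError as e:
        out["old"] = str(e)              # the error seen with -m before the fix
    out["fixed"] = store.modify(regex, mls="s0:c0.c1023")
    out["again"] = store.modify(regex, mls="s0:c0.c1022")
    out["effective"] = store.effective(regex)
    return out

if __name__ == "__main__":
    for k, v in run_prelude_scenario().items():
        print(k, "->", v)
```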
