Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>> On Thu, 2008-10-23 at 13:41 -0500, LC Bruzenak wrote:
>>>> On Thu, 2008-10-23 at 14:00 -0400, Stephen Smalley wrote:
>>>>> On Thu, 2008-10-23 at 13:29 -0400, Daniel J Walsh wrote:
>>>>>> LC Bruzenak wrote:
>>>>>>> On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
>>>>>>> ...
>>>>>>>> On Rawhide it seems to work
>>>>>>>>
>>>>>>>> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
>>>>>>>> # restorecon -R -v /var/spool/prelude/
>>>>>>>> restorecon reset /var/spool/prelude context system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
>>>>>>>>
>>>>>>>> So I will patch policycoreutils.
>>>>>>>>
>>>>>>> Thanks Dan!
>>>>>>>
>>>>>>> LCB.
>>>>>>>
>>>>>> Of course this is totally not intuitive to the user.
>>>>>>
>>>>>> He really wants to modify an existing fcontext, so he needs to add a new conflicting one.
>>>>>>
>>>>>> This command should really be fixed to check if an existing global or local exists; if a local exists it should modify, if a global exists it should add.
>>>>>>
>>>>> I think semanage port handles that situation correctly. __modify uses the _exists interface to check existence (whether in policy or local), and uses the modify_local interface to update (which internally will fall back to an add if not already locally defined).
>>>>>
>>>> It didn't seem to work this way with the patch - I could only add it (then modify):
>>>>
>>> I was saying that it works that way for semanage port already (not fcontext), so Dan can use that as an example of how to make it work for fcontext.
>>>
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -m -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
>>>> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
>>>>
>>>> [root@v1 ~]# rpm -qv policycoreutils
>>>> policycoreutils-2.0.57-5.fc10.i386
>>>>
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -m -r s0:c0.c1022 '/var/spool/prelude(/.*)?'
>>>>
>>>> - and so far restorecon works as expected.
>>>>
>>>> So to me it seems like the man page needs updating if this behavior is desired (only local fcontext changes allowed). Seems fine to me; only thing is the last one in the list wins I guess, vice only last-occurring duplicates displayed:
>>>>
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -l | grep prelude
>>>> ...
>>>> /var/spool/prelude(/.*)? all files system_u:object_r:prelude_spool_t:s0
>>>> ...
>>>> /var/spool/prelude(/.*)? all files system_u:object_r:prelude_spool_t:s0:c0.c1022
>>>>
>>>> Main thing for me is that it works so I can resume testing.
>>>> Thanks again!
>>>>
>>>> LCB.
>>>>
>> I believe policycoreutils-2.0.57-9.fc10 has the syntax correct now.
>>
>> Please try it out.
>
> Did you send a patch for this? I didn't see one but I may have missed it.
>

No, I would prefer to make sure it works for LC first before I submit the patch. Besides, I have a lot of policycoreutils patches waiting to get applied already.

:^)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
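The "semanage port" modify semantics Stephen describes (check existence in policy or local, then update the local record, falling back to an add), modelled for fcontext as an added illustration. This is not the seobject code from policycoreutils; the class, the `legacy` flag and the `demo` function are hypothetical, and only the `_exists` / `modify_local` names mirror the interfaces named in the thread.

```python
# Added model of semanage-style modify semantics (not policycoreutils code).
# Two stores: "policy" (compiled into the loaded policy, read-only here) and
# "local" (records created with semanage). Names are hypothetical.

class FcontextStore:
    def __init__(self, policy):
        self.policy = dict(policy)   # regex -> (type, mls_range), read-only
        self.local = {}              # regex -> (type, mls_range), editable

    def _exists(self, regex):
        # Existence check over both stores, as semanage port does.
        return regex in self.policy or regex in self.local

    def add(self, regex, setype, mls):
        # semanage fcontext -a: only one local record per regex.
        if regex in self.local:
            raise ValueError("File context for %s already defined" % regex)
        self.local[regex] = (setype, mls)

    def modify_local(self, regex, setype=None, mls=None):
        # Update the local record; fall back to an add when none exists,
        # carrying unspecified fields over from the policy definition.
        base = self.local.get(regex) or self.policy[regex]
        self.local[regex] = (setype or base[0], mls or base[1])

    def modify(self, regex, setype=None, mls=None, legacy=False):
        # legacy=True reproduces what LC saw: -m only consults local
        # records, so a policy-only entry reports "is not defined".
        defined = regex in self.local if legacy else self._exists(regex)
        if not defined:
            raise ValueError("File context for %s is not defined" % regex)
        self.modify_local(regex, setype, mls)

    def effective(self, regex):
        # -l lists both entries; the local one is what restorecon applies.
        return self.local.get(regex, self.policy.get(regex))


def demo():
    # Constructed scenario from the thread: the regex exists only in policy.
    regex = "/var/spool/prelude(/.*)?"
    store = FcontextStore({regex: ("prelude_spool_t", "s0")})
    try:
        store.modify(regex, mls="s0:c0.c1023", legacy=True)
        legacy_ok = True
    except ValueError:
        legacy_ok = False                     # old behaviour: -m refused
    store.modify(regex, mls="s0:c0.c1023")    # fixed: falls back to an add
    return legacy_ok, store.effective(regex), store.policy[regex]
```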