In Fedora users run unconfined, which, from my understanding, means more or less without restrictions imposed by SELinux. Thus changing to sysadm_r shouldn't be necessary in the first place. That you cannot change the context probably is because that context isn't defined by the policy.

> Hi everybody, I installed selinux-policy-targeted in my F11 and run in
> enforcing mode. Now I want to change the SELinux context of /tmp/test, but
> it failed. I thought the current shell domain was unconfined_t. Then I intended to
> change my shell context to root:sysadm_r:sysadm_t, but that also failed. My
> project team plans to develop an SELinux policy for our system based on
> selinux-policy.src.rpm. I guess this package has not been developed?
> If it has been developed, why can I not change to sysadm_r:sysadm_t?
>
> ----------------------------------------------------------------------------
>
> [root@localhost ~]# ls -lZ /tmp/testselinux
> root root unconfined_u:object_r:user_t:user_tmp_t:s0 /tmp/testselinux
>
> [root@localhost ~]# chcon unconfined_u:object_r:mytest_t /tmp/testselinux
> chcon: failed to change context of '/tmp/testselinux' to
> 'unconfined_u:object_r:testselinux:s0': permission denied
>
> ## here mytest_t is defined in myapp.pp, which has been successfully loaded by
> "semodule -i myapp.pp"
>
> [root@localhost ~]# newrole -r sysadm_r -t sysadm_t
> unconfined_u:unconfined_r:unconfined_t:s0 is not a valid context
>
> [root@localhost ~]# semanage login -m -s root -r s0-s0:c0.c1023 root
>
> After reboot, the graphical terminal cannot run. audit says that
> system_u:system_r:xdm_t requires "read" permission for
> system_u:object_r:httpd_sys_content_t.
>
> [root@localhost ~]# id
> context=root:unconfined_r:unconfined_t:s0-s0:c0-c1023
>
> [root@localhost ~]# newrole -r sysadm_r -t sysadm_t
> failed to exec shell: permission denied
>
> 2009-09-02
>
> zheyeung
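The two failures in the quoted post, a chcon to a type the loaded policy may not define and a newrole to a role the caller's SELinux user may not hold, can be screened before they are attempted. This is an added example, not code from the thread: the checkers take `seinfo -t` and `semanage user -l` output as text so they run without SELinux (the sample output below is constructed), and passing them does not guarantee the transition, since an AVC denial can still block it.

```shell
#!/bin/sh
# Pre-flight checks for a context change (added example; all sample data is constructed).

# Return 0 if CTX looks like user:role:type[:range]: at least three fields,
# a non-empty user, a role ending in _r and a type ending in _t.
context_shape_ok() {
  printf '%s\n' "$1" | awk -F: \
    'NF < 3 || $1 == "" || $2 !~ /_r$/ || $3 !~ /_t$/ { exit 1 }'
}

# Return 0 if TYPE ($1) appears in a type list ($2, one name per line, the
# shape "seinfo -t" prints after its "Types:" header).
type_defined() {
  printf '%s\n' "$2" | awk -v t="$1" '$1 == t { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if ROLE ($2) is listed for SEUSER ($1) in "semanage user -l" output ($3).
role_allowed() {
  printf '%s\n' "$3" | awk -v u="$1" -v r="$2" \
    '$1 == u { for (i = 2; i <= NF; i++) if ($i == r) found = 1 } END { exit found ? 0 : 1 }'
}

# Screen a context before chcon: 1 = malformed, 2 = type not in the loaded policy.
chcon_preflight() {   # $1 = context, $2 = type list text
  context_shape_ok "$1" || { echo "malformed context: $1" >&2; return 1; }
  t=$(printf '%s\n' "$1" | cut -d: -f3)
  type_defined "$t" "$2" || { echo "type not in loaded policy: $t" >&2; return 2; }
}

# Same checks against the live tools (seinfo from setools, semanage from
# policycoreutils): $1 = context to set, $2 = SELinux user from "id -Z", $3 = role wanted.
live_preflight() {
  command -v seinfo >/dev/null 2>&1 && command -v semanage >/dev/null 2>&1 \
    || { echo "seinfo/semanage not installed" >&2; return 3; }
  chcon_preflight "$1" "$(seinfo -t)" && role_allowed "$2" "$3" "$(semanage user -l)"
}

# Constructed sample output, shaped like a targeted policy would print it.
SAMPLE_TYPES='Types: 3
   unconfined_t
   user_tmp_t
   httpd_sys_content_t'
SAMPLE_USERS='SELinux User    Prefix     MCS Level  MCS Range         SELinux Roles
root            sysadm     s0         s0-s0:c0.c1023    system_r sysadm_r staff_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023    system_r unconfined_r'

# Demo: the post's chcon target is rejected because mytest_t is not in the sample policy.
chcon_preflight unconfined_u:object_r:mytest_t "$SAMPLE_TYPES" || echo "refusing chcon (rc=$?)"
```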