semanage help

semanage help

[LC Bruzenak]

- get the file context -
[root@v1 ~]# semanage fcontext -l | grep prelude_spool
/var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0 
/var/spool/prelude-manager(/.*)?                   all files          system_u:object_r:prelude_spool_t:s0 

So it seems that it knows about this path match.

- set the file range -
[root@v1 ~]# semanage fcontext -m -r s15:c0.c1023  "/var/spool/prelude(/.*)?"
/usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined

[root@v1 ~]# semanage fcontext -m -r s15:c0.c1023 -t prelude_spool_t '/var/spool/prelude(/.*)?'
/usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined

Can someone tell me what I'm doing wrong/how to fix?

Thanks in advance,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[Stephen Smalley]

On Wed, 2008-10-22 at 21:06 -0500, LC Bruzenak wrote:
> - get the file context -
> [root@v1 ~]# semanage fcontext -l | grep prelude_spool
> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0 
> /var/spool/prelude-manager(/.*)?                   all files          system_u:object_r:prelude_spool_t:s0 
> 
> So it seems that it knows about this path match.
> 
> - set the file range -
> [root@v1 ~]# semanage fcontext -m -r s15:c0.c1023  "/var/spool/prelude(/.*)?"
> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
> 
> [root@v1 ~]# semanage fcontext -m -r s15:c0.c1023 -t prelude_spool_t '/var/spool/prelude(/.*)?'
> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
> 
> Can someone tell me what I'm doing wrong/how to fix?

Looks like it is defined by a policy module, and semanage fcontext -m
can only modify local definitions.

I'd think that you could add a local definition to override it, ala:
/usr/sbin/semanage fcontext -a -t prelude_spool_t -r s15:c0.c1023 '/var/spool/prelude(/.*)?'

but that complains that it already exists.  Maybe it ought to be using
semanage_fcontext_exists_local() instead?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[Daniel J Walsh]

Stephen Smalley wrote:
> On Wed, 2008-10-22 at 21:06 -0500, LC Bruzenak wrote:
>> - get the file context -
>> [root@v1 ~]# semanage fcontext -l | grep prelude_spool
>> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0 
>> /var/spool/prelude-manager(/.*)?                   all files          system_u:object_r:prelude_spool_t:s0 
>>
>> So it seems that it knows about this path match.
>>
>> - set the file range -
>> [root@v1 ~]# semanage fcontext -m -r s15:c0.c1023  "/var/spool/prelude(/.*)?"
>> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
>>
>> [root@v1 ~]# semanage fcontext -m -r s15:c0.c1023 -t prelude_spool_t '/var/spool/prelude(/.*)?'
>> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
>>
>> Can someone tell me what I'm doing wrong/how to fix?
> 
> Looks like it is defined by a policy module, and semanage fcontext -m
> can only modify local definitions.
> 
> I'd think that you could add a local definition to override it, ala:
> /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s15:c0.c1023 '/var/spool/prelude(/.*)?'
> 
> but that complains that it already exists.  Maybe it ought to be using
> semanage_fcontext_exists_local() instead?
> 
Making that change ends up with and using postgrey instead of prelude.


# /usr/sbin/semanage fcontext -a -t postgrey_spool_t -r s0:c0.c1023
'/var/spool/postfix/postgrey(/.*)?'

/sbin/restorecon -r -v /var/spool/posfix/postgrey
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /var/spool/postfix/postgrey(/.*)?
(system_u:object_r:postgrey_spool_t:s0:c0.c1023 and
system_u:object_r:postgrey_spool_t:s0).




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[Stephen Smalley]

On Thu, 2008-10-23 at 12:05 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Wed, 2008-10-22 at 21:06 -0500, LC Bruzenak wrote:
> >> - get the file context -
> >> [root@v1 ~]# semanage fcontext -l | grep prelude_spool
> >> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0 
> >> /var/spool/prelude-manager(/.*)?                   all files          system_u:object_r:prelude_spool_t:s0 
> >>
> >> So it seems that it knows about this path match.
> >>
> >> - set the file range -
> >> [root@v1 ~]# semanage fcontext -m -r s15:c0.c1023  "/var/spool/prelude(/.*)?"
> >> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
> >>
> >> [root@v1 ~]# semanage fcontext -m -r s15:c0.c1023 -t prelude_spool_t '/var/spool/prelude(/.*)?'
> >> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
> >>
> >> Can someone tell me what I'm doing wrong/how to fix?
> > 
> > Looks like it is defined by a policy module, and semanage fcontext -m
> > can only modify local definitions.
> > 
> > I'd think that you could add a local definition to override it, ala:
> > /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s15:c0.c1023 '/var/spool/prelude(/.*)?'
> > 
> > but that complains that it already exists.  Maybe it ought to be using
> > semanage_fcontext_exists_local() instead?
> > 
> Making that change ends up with and using postgrey instead of prelude.
> 
> 
> # /usr/sbin/semanage fcontext -a -t postgrey_spool_t -r s0:c0.c1023
> '/var/spool/postfix/postgrey(/.*)?'

Not sure I understand - the command I ran above was for prelude_spool_t
and /var/spool/prelude, not postgrey.  Anyway, I thought we moved the
nodups_specs() check before reading of file_contexts.local so that local
specs could in fact override/duplicate base file_contexts.  In
libselinux 2.0.71.
> 
> /sbin/restorecon -r -v /var/spool/posfix/postgrey
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /var/spool/postfix/postgrey(/.*)?
> (system_u:object_r:postgrey_spool_t:s0:c0.c1023 and
> system_u:object_r:postgrey_spool_t:s0).
> 
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[Daniel J Walsh]

Stephen Smalley wrote:
> On Thu, 2008-10-23 at 12:05 -0400, Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2008-10-22 at 21:06 -0500, LC Bruzenak wrote:
>>>> - get the file context -
>>>> [root@v1 ~]# semanage fcontext -l | grep prelude_spool
>>>> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0 
>>>> /var/spool/prelude-manager(/.*)?                   all files          system_u:object_r:prelude_spool_t:s0 
>>>>
>>>> So it seems that it knows about this path match.
>>>>
>>>> - set the file range -
>>>> [root@v1 ~]# semanage fcontext -m -r s15:c0.c1023  "/var/spool/prelude(/.*)?"
>>>> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
>>>>
>>>> [root@v1 ~]# semanage fcontext -m -r s15:c0.c1023 -t prelude_spool_t '/var/spool/prelude(/.*)?'
>>>> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
>>>>
>>>> Can someone tell me what I'm doing wrong/how to fix?
>>> Looks like it is defined by a policy module, and semanage fcontext -m
>>> can only modify local definitions.
>>>
>>> I'd think that you could add a local definition to override it, ala:
>>> /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s15:c0.c1023 '/var/spool/prelude(/.*)?'
>>>
>>> but that complains that it already exists.  Maybe it ought to be using
>>> semanage_fcontext_exists_local() instead?
>>>
>> Making that change ends up with and using postgrey instead of prelude.
>>
>>
>> # /usr/sbin/semanage fcontext -a -t postgrey_spool_t -r s0:c0.c1023
>> '/var/spool/postfix/postgrey(/.*)?'
> 
> Not sure I understand - the command I ran above was for prelude_spool_t
> and /var/spool/prelude, not postgrey.  Anyway, I thought we moved the
> nodups_specs() check before reading of file_contexts.local so that local
> specs could in fact override/duplicate base file_contexts.  In
> libselinux 2.0.71.
>> /sbin/restorecon -r -v /var/spool/posfix/postgrey
>> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
>> specifications for /var/spool/postfix/postgrey(/.*)?
>> (system_u:object_r:postgrey_spool_t:s0:c0.c1023 and
>> system_u:object_r:postgrey_spool_t:s0).
>>
>>
Did testing on Fedora 9 which did not have prelude installed, so I
changed, it for the test

# rpm -q libselinux
libselinux-2.0.67-4.fc9.x86_64
libselinux-2.0.67-4.fc9.i386

On Rawhide it seems to work

# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
'/var/spool/prelude(/.*)?'
# restorecon -R -v /var/spool/prelude/
restorecon reset /var/spool/prelude context
system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023


So I will patch policycoreutils.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[LC Bruzenak]

On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
...
> 
> On Rawhide it seems to work
> 
> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
> '/var/spool/prelude(/.*)?'
> # restorecon -R -v /var/spool/prelude/
> restorecon reset /var/spool/prelude context
> system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
> 
> 
> So I will patch policycoreutils.
> 

Thanks Dan!

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[Daniel J Walsh]

Stephen Smalley wrote:
> On Thu, 2008-10-23 at 12:05 -0400, Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2008-10-22 at 21:06 -0500, LC Bruzenak wrote:
>>>> - get the file context -
>>>> [root@v1 ~]# semanage fcontext -l | grep prelude_spool
>>>> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0 
>>>> /var/spool/prelude-manager(/.*)?                   all files          system_u:object_r:prelude_spool_t:s0 
>>>>
>>>> So it seems that it knows about this path match.
>>>>
>>>> - set the file range -
>>>> [root@v1 ~]# semanage fcontext -m -r s15:c0.c1023  "/var/spool/prelude(/.*)?"
>>>> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
>>>>
>>>> [root@v1 ~]# semanage fcontext -m -r s15:c0.c1023 -t prelude_spool_t '/var/spool/prelude(/.*)?'
>>>> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
>>>>
>>>> Can someone tell me what I'm doing wrong/how to fix?
>>> Looks like it is defined by a policy module, and semanage fcontext -m
>>> can only modify local definitions.
>>>
>>> I'd think that you could add a local definition to override it, ala:
>>> /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s15:c0.c1023 '/var/spool/prelude(/.*)?'
>>>
>>> but that complains that it already exists.  Maybe it ought to be using
>>> semanage_fcontext_exists_local() instead?
>>>
>> Making that change ends up with and using postgrey instead of prelude.
>>
>>
>> # /usr/sbin/semanage fcontext -a -t postgrey_spool_t -r s0:c0.c1023
>> '/var/spool/postfix/postgrey(/.*)?'
> 
> Not sure I understand - the command I ran above was for prelude_spool_t
> and /var/spool/prelude, not postgrey.  Anyway, I thought we moved the
> nodups_specs() check before reading of file_contexts.local so that local
> specs could in fact override/duplicate base file_contexts.  In
> libselinux 2.0.71.
>> /sbin/restorecon -r -v /var/spool/posfix/postgrey
>> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
>> specifications for /var/spool/postfix/postgrey(/.*)?
>> (system_u:object_r:postgrey_spool_t:s0:c0.c1023 and
>> system_u:object_r:postgrey_spool_t:s0).
>>
>>
policycoreutils-2.0.57-5.fc10 has the fix

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[Daniel J Walsh]

LC Bruzenak wrote:
> On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
> ...
>> On Rawhide it seems to work
>>
>> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
>> '/var/spool/prelude(/.*)?'
>> # restorecon -R -v /var/spool/prelude/
>> restorecon reset /var/spool/prelude context
>> system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
>>
>>
>> So I will patch policycoreutils.
>>
> 
> Thanks Dan!
> 
> LCB.
> 
Of course this is totally not intuitive to the user.

He really wants to modify and existing fcontext so he needs to add a new
conflicting one.

This command should really be fixed to check if an exising global or
local exist,

if a local exists it should modify if a global exists it should add.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[Stephen Smalley]

On Thu, 2008-10-23 at 13:29 -0400, Daniel J Walsh wrote:
> LC Bruzenak wrote:
> > On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
> > ...
> >> On Rawhide it seems to work
> >>
> >> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
> >> '/var/spool/prelude(/.*)?'
> >> # restorecon -R -v /var/spool/prelude/
> >> restorecon reset /var/spool/prelude context
> >> system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
> >>
> >>
> >> So I will patch policycoreutils.
> >>
> > 
> > Thanks Dan!
> > 
> > LCB.
> > 
> Of course this is totally not intuitive to the user.
> 
> He really wants to modify and existing fcontext so he needs to add a new
> conflicting one.
> 
> This command should really be fixed to check if an exising global or
> local exist,
> 
> if a local exists it should modify if a global exists it should add.

I think semanage port handles that situation correctly.  __modify uses
the _exists interface to check existence (whether in policy or local),
and uses the modify_local interface to update (which internally will
fall back to an add if not already locally defined).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[LC Bruzenak]

On Thu, 2008-10-23 at 14:00 -0400, Stephen Smalley wrote:
> On Thu, 2008-10-23 at 13:29 -0400, Daniel J Walsh wrote:
> > LC Bruzenak wrote:
> > > On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
> > > ...
> > >> On Rawhide it seems to work
> > >>
> > >> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
> > >> '/var/spool/prelude(/.*)?'
> > >> # restorecon -R -v /var/spool/prelude/
> > >> restorecon reset /var/spool/prelude context
> > >> system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
> > >>
> > >>
> > >> So I will patch policycoreutils.
> > >>
> > > 
> > > Thanks Dan!
> > > 
> > > LCB.
> > > 
> > Of course this is totally not intuitive to the user.
> > 
> > He really wants to modify and existing fcontext so he needs to add a new
> > conflicting one.
> > 
> > This command should really be fixed to check if an exising global or
> > local exist,
> > 
> > if a local exists it should modify if a global exists it should add.
> 
> I think semanage port handles that situation correctly.  __modify uses
> the _exists interface to check existence (whether in policy or local),
> and uses the modify_local interface to update (which internally will
> fall back to an add if not already locally defined).
> 

It didn't seem to work this way with the patch - I could only add it
(then modify):

[root@v1 ~]# /usr/sbin/semanage fcontext -m -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
/usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined

[root@v1 ~]# rpm -qv policycoreutils
policycoreutils-2.0.57-5.fc10.i386

[root@v1 ~]# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
[root@v1 ~]# /usr/sbin/semanage fcontext -m -r s0:c0.c1022 '/var/spool/prelude(/.*)?'

- and so far restorecon works as expected.

So to me it seems like the man page needs updating if this behavior is
desired (only local fcontext changes allowed). Seems fine to me; only
thing is the last one in the list wins I guess, vice only last-occurring
duplicates displayed.:

[root@v1 ~]# /usr/sbin/semanage fcontext -l | grep prelude
...
/var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0 
...
/var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0:c0.c1022 

Main thing for me is that it works so I can resume testing.
Thanks again!

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[Stephen Smalley]

On Thu, 2008-10-23 at 13:41 -0500, LC Bruzenak wrote:
> On Thu, 2008-10-23 at 14:00 -0400, Stephen Smalley wrote:
> > On Thu, 2008-10-23 at 13:29 -0400, Daniel J Walsh wrote:
> > > LC Bruzenak wrote:
> > > > On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
> > > > ...
> > > >> On Rawhide it seems to work
> > > >>
> > > >> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
> > > >> '/var/spool/prelude(/.*)?'
> > > >> # restorecon -R -v /var/spool/prelude/
> > > >> restorecon reset /var/spool/prelude context
> > > >> system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
> > > >>
> > > >>
> > > >> So I will patch policycoreutils.
> > > >>
> > > > 
> > > > Thanks Dan!
> > > > 
> > > > LCB.
> > > > 
> > > Of course this is totally not intuitive to the user.
> > > 
> > > He really wants to modify and existing fcontext so he needs to add a new
> > > conflicting one.
> > > 
> > > This command should really be fixed to check if an exising global or
> > > local exist,
> > > 
> > > if a local exists it should modify if a global exists it should add.
> > 
> > I think semanage port handles that situation correctly.  __modify uses
> > the _exists interface to check existence (whether in policy or local),
> > and uses the modify_local interface to update (which internally will
> > fall back to an add if not already locally defined).
> > 
> 
> It didn't seem to work this way with the patch - I could only add it
> (then modify):

I was saying that it works that way for semanage port already (not
fcontext), so Dan can use that as an example of how to make it work for
fcontext.

> 
> [root@v1 ~]# /usr/sbin/semanage fcontext -m -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
> 
> [root@v1 ~]# rpm -qv policycoreutils
> policycoreutils-2.0.57-5.fc10.i386
> 
> [root@v1 ~]# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
> [root@v1 ~]# /usr/sbin/semanage fcontext -m -r s0:c0.c1022 '/var/spool/prelude(/.*)?'
> 
> - and so far restorecon works as expected.
> 
> So to me it seems like the man page needs updating if this behavior is
> desired (only local fcontext changes allowed). Seems fine to me; only
> thing is the last one in the list wins I guess, vice only last-occurring
> duplicates displayed.:
> 
> [root@v1 ~]# /usr/sbin/semanage fcontext -l | grep prelude
> ...
> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0 
> ...
> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0:c0.c1022 
> 
> Main thing for me is that it works so I can resume testing.
> Thanks again!
> 
> LCB.
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Thu, 2008-10-23 at 13:41 -0500, LC Bruzenak wrote:
>> On Thu, 2008-10-23 at 14:00 -0400, Stephen Smalley wrote:
>>> On Thu, 2008-10-23 at 13:29 -0400, Daniel J Walsh wrote:
>>>> LC Bruzenak wrote:
>>>>> On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
>>>>> ...
>>>>>> On Rawhide it seems to work
>>>>>>
>>>>>> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
>>>>>> '/var/spool/prelude(/.*)?'
>>>>>> # restorecon -R -v /var/spool/prelude/
>>>>>> restorecon reset /var/spool/prelude context
>>>>>> system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
>>>>>>
>>>>>>
>>>>>> So I will patch policycoreutils.
>>>>>>
>>>>> Thanks Dan!
>>>>>
>>>>> LCB.
>>>>>
>>>> Of course this is totally not intuitive to the user.
>>>>
>>>> He really wants to modify and existing fcontext so he needs to add a new
>>>> conflicting one.
>>>>
>>>> This command should really be fixed to check if an exising global or
>>>> local exist,
>>>>
>>>> if a local exists it should modify if a global exists it should add.
>>> I think semanage port handles that situation correctly.  __modify uses
>>> the _exists interface to check existence (whether in policy or local),
>>> and uses the modify_local interface to update (which internally will
>>> fall back to an add if not already locally defined).
>>>
>> It didn't seem to work this way with the patch - I could only add it
>> (then modify):
> 
> I was saying that it works that way for semanage port already (not
> fcontext), so Dan can use that as an example of how to make it work for
> fcontext.
> 
>> [root@v1 ~]# /usr/sbin/semanage fcontext -m -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
>> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
>>
>> [root@v1 ~]# rpm -qv policycoreutils
>> policycoreutils-2.0.57-5.fc10.i386
>>
>> [root@v1 ~]# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
>> [root@v1 ~]# /usr/sbin/semanage fcontext -m -r s0:c0.c1022 '/var/spool/prelude(/.*)?'
>>
>> - and so far restorecon works as expected.
>>
>> So to me it seems like the man page needs updating if this behavior is
>> desired (only local fcontext changes allowed). Seems fine to me; only
>> thing is the last one in the list wins I guess, vice only last-occurring
>> duplicates displayed.:
>>
>> [root@v1 ~]# /usr/sbin/semanage fcontext -l | grep prelude
>> ...
>> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0 
>> ...
>> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0:c0.c1022 
>>
>> Main thing for me is that it works so I can resume testing.
>> Thanks again!
>>
>> LCB.
>>
I believe policycoreutils-2.0.57-9.fc10 has the syntax correct now.

Please try it out.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkJ/YQACgkQrlYvE4MpobMEcgCfcGlQlXNgRlmjZovc+xyeLFMR
NaIAn1UBc36XD+hkhB1ycd0xgiqFNFkG
=es5X
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[Joshua Brindle]

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Stephen Smalley wrote:
>   
>> On Thu, 2008-10-23 at 13:41 -0500, LC Bruzenak wrote:
>>     
>>> On Thu, 2008-10-23 at 14:00 -0400, Stephen Smalley wrote:
>>>       
>>>> On Thu, 2008-10-23 at 13:29 -0400, Daniel J Walsh wrote:
>>>>         
>>>>> LC Bruzenak wrote:
>>>>>           
>>>>>> On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
>>>>>> ...
>>>>>>             
>>>>>>> On Rawhide it seems to work
>>>>>>>
>>>>>>> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
>>>>>>> '/var/spool/prelude(/.*)?'
>>>>>>> # restorecon -R -v /var/spool/prelude/
>>>>>>> restorecon reset /var/spool/prelude context
>>>>>>> system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
>>>>>>>
>>>>>>>
>>>>>>> So I will patch policycoreutils.
>>>>>>>
>>>>>>>               
>>>>>> Thanks Dan!
>>>>>>
>>>>>> LCB.
>>>>>>
>>>>>>             
>>>>> Of course this is totally not intuitive to the user.
>>>>>
>>>>> He really wants to modify and existing fcontext so he needs to add a new
>>>>> conflicting one.
>>>>>
>>>>> This command should really be fixed to check if an exising global or
>>>>> local exist,
>>>>>
>>>>> if a local exists it should modify if a global exists it should add.
>>>>>           
>>>> I think semanage port handles that situation correctly.  __modify uses
>>>> the _exists interface to check existence (whether in policy or local),
>>>> and uses the modify_local interface to update (which internally will
>>>> fall back to an add if not already locally defined).
>>>>
>>>>         
>>> It didn't seem to work this way with the patch - I could only add it
>>> (then modify):
>>>       
>> I was saying that it works that way for semanage port already (not
>> fcontext), so Dan can use that as an example of how to make it work for
>> fcontext.
>>
>>     
>>> [root@v1 ~]# /usr/sbin/semanage fcontext -m -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
>>> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not defined
>>>
>>> [root@v1 ~]# rpm -qv policycoreutils
>>> policycoreutils-2.0.57-5.fc10.i386
>>>
>>> [root@v1 ~]# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023 '/var/spool/prelude(/.*)?'
>>> [root@v1 ~]# /usr/sbin/semanage fcontext -m -r s0:c0.c1022 '/var/spool/prelude(/.*)?'
>>>
>>> - and so far restorecon works as expected.
>>>
>>> So to me it seems like the man page needs updating if this behavior is
>>> desired (only local fcontext changes allowed). Seems fine to me; only
>>> thing is the last one in the list wins I guess, vice only last-occurring
>>> duplicates displayed.:
>>>
>>> [root@v1 ~]# /usr/sbin/semanage fcontext -l | grep prelude
>>> ...
>>> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0 
>>> ...
>>> /var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0:c0.c1022 
>>>
>>> Main thing for me is that it works so I can resume testing.
>>> Thanks again!
>>>
>>> LCB.
>>>
>>>       
> I believe policycoreutils-2.0.57-9.fc10 has the syntax correct now.
>
> Please try it out.

Did you send a patch for this? I didn't see one but I may have missed it.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Stephen Smalley wrote:
>>  
>>> On Thu, 2008-10-23 at 13:41 -0500, LC Bruzenak wrote:
>>>    
>>>> On Thu, 2008-10-23 at 14:00 -0400, Stephen Smalley wrote:
>>>>      
>>>>> On Thu, 2008-10-23 at 13:29 -0400, Daniel J Walsh wrote:
>>>>>        
>>>>>> LC Bruzenak wrote:
>>>>>>          
>>>>>>> On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
>>>>>>> ...
>>>>>>>            
>>>>>>>> On Rawhide it seems to work
>>>>>>>>
>>>>>>>> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
>>>>>>>> '/var/spool/prelude(/.*)?'
>>>>>>>> # restorecon -R -v /var/spool/prelude/
>>>>>>>> restorecon reset /var/spool/prelude context
>>>>>>>> system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> So I will patch policycoreutils.
>>>>>>>>
>>>>>>>>               
>>>>>>> Thanks Dan!
>>>>>>>
>>>>>>> LCB.
>>>>>>>
>>>>>>>             
>>>>>> Of course this is totally not intuitive to the user.
>>>>>>
>>>>>> He really wants to modify and existing fcontext so he needs to add
>>>>>> a new
>>>>>> conflicting one.
>>>>>>
>>>>>> This command should really be fixed to check if an exising global or
>>>>>> local exist,
>>>>>>
>>>>>> if a local exists it should modify if a global exists it should add.
>>>>>>           
>>>>> I think semanage port handles that situation correctly.  __modify uses
>>>>> the _exists interface to check existence (whether in policy or local),
>>>>> and uses the modify_local interface to update (which internally will
>>>>> fall back to an add if not already locally defined).
>>>>>
>>>>>         
>>>> It didn't seem to work this way with the patch - I could only add it
>>>> (then modify):
>>>>       
>>> I was saying that it works that way for semanage port already (not
>>> fcontext), so Dan can use that as an example of how to make it work for
>>> fcontext.
>>>
>>>    
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -m -t prelude_spool_t -r
>>>> s0:c0.c1023 '/var/spool/prelude(/.*)?'
>>>> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not
>>>> defined
>>>>
>>>> [root@v1 ~]# rpm -qv policycoreutils
>>>> policycoreutils-2.0.57-5.fc10.i386
>>>>
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r
>>>> s0:c0.c1023 '/var/spool/prelude(/.*)?'
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -m -r s0:c0.c1022
>>>> '/var/spool/prelude(/.*)?'
>>>>
>>>> - and so far restorecon works as expected.
>>>>
>>>> So to me it seems like the man page needs updating if this behavior is
>>>> desired (only local fcontext changes allowed). Seems fine to me; only
>>>> thing is the last one in the list wins I guess, vice only
>>>> last-occurring
>>>> duplicates displayed.:
>>>>
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -l | grep prelude
>>>> ...
>>>> /var/spool/prelude(/.*)?                           all
>>>> files          system_u:object_r:prelude_spool_t:s0 ...
>>>> /var/spool/prelude(/.*)?                           all
>>>> files          system_u:object_r:prelude_spool_t:s0:c0.c1022
>>>> Main thing for me is that it works so I can resume testing.
>>>> Thanks again!
>>>>
>>>> LCB.
>>>>
>>>>       
>> I believe policycoreutils-2.0.57-9.fc10 has the syntax correct now.
>>
>> Please try it out.
> 
> Did you send a patch for this? I didn't see one but I may have missed it.
> 
> 
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.
No I would prefer to make sure it works for LC first before I submit the
patch.

Besides I have a lot of policycoreutils patches waiting to get applied,
already.

:^)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkKDNcACgkQrlYvE4MpobOpZQCg3lrUxoQZ9Y+anVG5+tscZR9O
pXYAn0jXy9onn1I5ndzlOHH2BrMPYFH8
=UMKf
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semanage help

[LC Bruzenak]

On Thu, 2008-10-30 at 14:31 -0400, Daniel J Walsh wrote:

> >>
> I believe policycoreutils-2.0.57-9.fc10 has the syntax correct now.
> 
> Please try it out.

Dan,

I believe it works as expected but there is a warning printed:

[root@v1 Download]# semanage fcontext -l | grep prelude
...
/var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s0
...

[root@v1 Download]# semanage fcontext -m -t prelude_spool_t -r s15:c0.c1023 '/var/spool/prelude(/.*)?'
libsemanage.dbase_llist_query: could not query record value
[root@v1 Download]# echo $?
0

[root@v1 Download]# semanage fcontext -l | grep prelude
...
/var/spool/prelude(/.*)?                           all files          system_u:object_r:prelude_spool_t:s15:c0.c1023 
...

Thanks,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.