From: Daniel J Walsh <dwalsh@redhat.com>
To: Joshua Brindle <method@manicmethod.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
LC Bruzenak <lenny@MagitekLtd.com>,
SE-Linux <selinux@tycho.nsa.gov>,
Joshua Brindle <jbrindle@tresys.com>
Subject: Re: semanage help
Date: Thu, 30 Oct 2008 15:36:55 -0400
Message-ID: <490A0CD7.5030402@redhat.com>
In-Reply-To: <4909FEFB.6000702@manicmethod.com>
Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>
>>> On Thu, 2008-10-23 at 13:41 -0500, LC Bruzenak wrote:
>>>
>>>> On Thu, 2008-10-23 at 14:00 -0400, Stephen Smalley wrote:
>>>>
>>>>> On Thu, 2008-10-23 at 13:29 -0400, Daniel J Walsh wrote:
>>>>>
>>>>>> LC Bruzenak wrote:
>>>>>>
>>>>>>> On Thu, 2008-10-23 at 13:10 -0400, Daniel J Walsh wrote:
>>>>>>> ...
>>>>>>>
>>>>>>>> On Rawhide it seems to work
>>>>>>>>
>>>>>>>> # /usr/sbin/semanage fcontext -a -t prelude_spool_t -r s0:c0.c1023
>>>>>>>> '/var/spool/prelude(/.*)?'
>>>>>>>> # restorecon -R -v /var/spool/prelude/
>>>>>>>> restorecon reset /var/spool/prelude context
>>>>>>>> system_u:object_r:prelude_spool_t:s0->system_u:object_r:prelude_spool_t:s0:c0.c1023
>>>>>>>>
>>>>>>>> So I will patch policycoreutils.
>>>>>>>>
>>>>>>> Thanks Dan!
>>>>>>>
>>>>>>> LCB.
>>>>>>>
>>>>>> Of course this is totally not intuitive to the user.
>>>>>>
>>>>>> He really wants to modify an existing fcontext, so he needs to add
>>>>>> a new conflicting one.
>>>>>>
>>>>>> This command should really be fixed to check if an existing global or
>>>>>> local exists:
>>>>>>
>>>>>> if a local exists it should modify; if a global exists it should add.
>>>>>>
>>>>> I think semanage port handles that situation correctly. __modify uses
>>>>> the _exists interface to check existence (whether in policy or local),
>>>>> and uses the modify_local interface to update (which internally will
>>>>> fall back to an add if not already locally defined).
>>>>>
>>>> It didn't seem to work this way with the patch - I could only add it
>>>> (then modify):
>>>>
>>> I was saying that it works that way for semanage port already (not
>>> fcontext), so Dan can use that as an example of how to make it work for
>>> fcontext.
>>>
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -m -t prelude_spool_t -r
>>>> s0:c0.c1023 '/var/spool/prelude(/.*)?'
>>>> /usr/sbin/semanage: File context for /var/spool/prelude(/.*)? is not
>>>> defined
>>>>
>>>> [root@v1 ~]# rpm -qv policycoreutils
>>>> policycoreutils-2.0.57-5.fc10.i386
>>>>
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -a -t prelude_spool_t -r
>>>> s0:c0.c1023 '/var/spool/prelude(/.*)?'
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -m -r s0:c0.c1022
>>>> '/var/spool/prelude(/.*)?'
>>>>
>>>> - and so far restorecon works as expected.
>>>>
>>>> So to me it seems like the man page needs updating if this behavior is
>>>> desired (only local fcontext changes allowed). Seems fine to me; the only
>>>> thing is the last one in the list wins, I guess, vice only last-occurring
>>>> duplicates displayed:
>>>>
>>>> [root@v1 ~]# /usr/sbin/semanage fcontext -l | grep prelude
>>>> ...
>>>> /var/spool/prelude(/.*)? all
>>>> files system_u:object_r:prelude_spool_t:s0 ...
>>>> /var/spool/prelude(/.*)? all
>>>> files system_u:object_r:prelude_spool_t:s0:c0.c1022
>>>> Main thing for me is that it works so I can resume testing.
>>>> Thanks again!
>>>>
>>>> LCB.
>>>>
>> I believe policycoreutils-2.0.57-9.fc10 has the syntax correct now.
>>
>> Please try it out.
>
> Did you send a patch for this? I didn't see one but I may have missed it.
>
No, I would prefer to make sure it works for LC first before I submit the
patch.
Besides, I have a lot of policycoreutils patches waiting to get applied
already.
:^)
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
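An added illustration (not code from policycoreutils or this thread) of the two semanage behaviours discussed above: `-m` rejecting a spec that exists only in policy, the proposed "modify if local, add if only global" logic, and the last-match-wins listing LC observed. The `FcontextStore` model, its method names and the simplified last-match resolution are assumptions made for the example.

```python
import re

SPEC = "/var/spool/prelude(/.*)?"   # the file-context spec from the thread


class NotDefined(Exception):
    """Raised where semanage prints 'File context for <spec> is not defined'."""


class FcontextStore:
    """Toy model (constructed for this example) of semanage's fcontext records.
    'policy' stands for the file_contexts shipped by the policy package,
    'local' for the admin's records in file_contexts.local."""

    def __init__(self, policy):
        self.policy = dict(policy)   # spec -> context string
        self.local = {}

    def exists(self, spec):
        # Counterpart of the _exists check: defined in either layer?
        return spec in self.local or spec in self.policy

    def add(self, spec, context):
        # 'semanage fcontext -a': always writes a local record, even when the
        # spec already exists in policy (the conflicting entry LC had to add).
        if spec in self.local:
            raise ValueError(f"File context for {spec} already defined locally")
        self.local[spec] = context
        return "added"

    def modify(self, spec, context):
        # Original 'semanage fcontext -m': only local records can be modified,
        # so a spec that is only in policy fails with 'is not defined'.
        if spec not in self.local:
            raise NotDefined(f"File context for {spec} is not defined")
        self.local[spec] = context
        return "modified"

    def modify_or_add(self, spec, context):
        # Behaviour proposed in the thread (as semanage port already does):
        # check existence in either layer, then modify the local record or,
        # if the spec exists only in policy, add a local override for it.
        if not self.exists(spec):
            raise NotDefined(f"File context for {spec} is not defined")
        if spec in self.local:
            return self.modify(spec, context)
        return self.add(spec, context)

    def lookup(self, path):
        # Simplified resolution matching the listing LC saw: policy entries
        # first, local entries after, and the last matching spec wins.
        context = None
        for spec, ctx in list(self.policy.items()) + list(self.local.items()):
            if re.fullmatch(spec, path):
                context = ctx
        return context
```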
Thread overview: 15+ messages
2008-10-23 2:06 semanage help LC Bruzenak
2008-10-23 12:53 ` Stephen Smalley
2008-10-23 16:05 ` Daniel J Walsh
2008-10-23 16:29 ` Stephen Smalley
2008-10-23 17:10 ` Daniel J Walsh
2008-10-23 17:18 ` LC Bruzenak
2008-10-23 17:29 ` Daniel J Walsh
2008-10-23 18:00 ` Stephen Smalley
2008-10-23 18:41 ` LC Bruzenak
2008-10-23 18:48 ` Stephen Smalley
2008-10-30 18:31 ` Daniel J Walsh
2008-10-30 18:37 ` Joshua Brindle
2008-10-30 19:36 ` Daniel J Walsh [this message]
2008-10-31 1:26 ` LC Bruzenak
2008-10-23 17:26 ` Daniel J Walsh