I have created SELinux users using "semanage user" and tied the SELinux users to Linux users using "semanage login". I find that on startup, there are several warnings thrown for "Multiple same specifications". Below is an example:
/etc/selinux/strict/contexts/files/file_contexts: Multiple same specifications for /dev/null/.screenrc
I then checked and found that file_contexts has
file_contexts.homedirs:/dev/null/.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
file_contexts.homedirs:/dev/null/.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
file_contexts.homedirs:/dev/null/.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
file_contexts.homedirs:/dev/null/.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
file_contexts.homedirs:/dev/null/.screenrc -- ccmusergrp_u:object_r:user_screen_ro_home_t:s0
file_contexts.homedirs:/dev/null/.screenrc -- specialuser_u:object_r:user_screen_ro_home_t:s0
Looks like there is an entry for every Linux user I tied to the SELinux user.
I am using
libselinux-1.33.4-5.5.el5
libsemanage-1.9.1-4.4.el5
policycoreutils-1.33.12-14.8.el5
libsepol-1.15.2-3.el5
and do not have an option to move to later releases.
Is there a way for me to get rid of these warnings or suppress them, without changing the source code provided by Red Hat?
Thanks, Radha.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
This looks like /dev/null is defined as a homedir?
Yes, for security reasons, /dev/null is being used as the homedir for users in our product.
Thanks, Radha.
-----Original Message----- From: Daniel J Walsh [mailto:dwalsh@redhat.com] Sent: Friday, October 15, 2010 12:02 PM To: Radha Venkatesh (radvenka) Cc: fedora-selinux-list@redhat.com Subject: Re: Addition of selinux users causes "Multiple same specifications" warnings during startup
genhomedircon is looking at the homedirs of what it considers real users and generating file context based on this. This is going to cause a problem if all the users have the same homedir, /dev/null, which is what you are seeing. I don't think there is a way in RHEL5 to stop genhomedircon from being run.
usepasswd=FALSE
in /etc/selinux/semanage.conf does this in RHEL6.
Do these users actually log in to the system? If not, changing their shell to /bin/false or /sbin/nologin will stop genhomedircon from adding homedir entries.
Dan,
These users do not log in to the system and their shells are already set to /sbin/nologin.
Thanks, Radha.
Then why are you assigning user context to the accounts? genhomedircon must have a bug in that it is ignoring the shell if the user has an assigned seusers label.
Dan,
I have created SELinux users which can take on roles of system_r and sysadm_r and tied them to the Linux users created (though they are nologin). This is needed so that these Linux users can execute applications in our product taking on system_r or sysadm_r roles.
Thanks, Radha.
Right, but how do they get logged on to the machine?
These users do not log onto the machine. They just execute these applications (su / sudo)
Thanks, Radha.
Dan,
Clarifying my email / question further - The login is as an admin user, and su / sudo is done to execute the applications as these users mentioned below (nologin users). What action can I take to prevent the warnings for multiple specifications?
Thanks, Radha.
Yes, if a user never logs into a system, there is no reason to associate a login record to that account.
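An added example, not part of the original thread and not the project's own code: a small audit that finds accounts with an explicit login mapping that share one home directory (the condition described in the genhomedircon reply) and lists repeated path/type specifications in a file_contexts.homedirs file. The account names, the passwd and seusers excerpts and the homedirs lines are constructed sample data, and the helper names are hypothetical.

```python
"""Audit for the shared-homedir condition discussed in this thread.

All sample data is constructed; account names are hypothetical.
"""
from collections import defaultdict

# The two shells named in the thread as marking non-login accounts.
NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}

# Constructed /etc/passwd excerpt.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
ccmuser1:x:501:501::/dev/null:/sbin/nologin
ccmuser2:x:502:502::/dev/null:/sbin/nologin
special:x:503:503::/dev/null:/sbin/nologin
"""

# Constructed seusers excerpt, one "login:selinux_user:mls_range" per line.
SEUSERS = """\
__default__:user_u:s0
root:root:s0-s0:c0.c1023
ccmuser1:ccmusergrp_u:s0
ccmuser2:ccmusergrp_u:s0
special:specialuser_u:s0
"""

# Constructed file_contexts.homedirs excerpt: "regex [filetype] context".
FILE_CONTEXTS_HOMEDIRS = """\
# constructed sample
/home/admin/.+  user_u:object_r:user_home_t:s0
/home/admin/.screenrc  --  user_u:object_r:user_screen_ro_home_t:s0
/dev/null/.screenrc  --  ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/.screenrc  --  ccmusergrp_u:object_r:user_screen_ro_home_t:s0
/dev/null/.screenrc  --  specialuser_u:object_r:user_screen_ro_home_t:s0
"""


def parse_passwd(text):
    """Return {login: {"home": ..., "shell": ...}} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            accounts[fields[0]] = {"home": fields[5], "shell": fields[6]}
    return accounts


def parse_seusers(text):
    """Return {login: selinux_user}; the MLS range may itself contain ':'."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) >= 2:
            mapping[parts[0]] = parts[1]
    return mapping


def shared_homes(accounts, mapping):
    """Home directories used by more than one explicitly mapped login."""
    by_home = defaultdict(list)
    for login in sorted(accounts):
        if login in mapping:
            by_home[accounts[login]["home"]].append(login)
    return {home: logins for home, logins in by_home.items() if len(logins) > 1}


def nologin_with_mapping(accounts, mapping):
    """Mapped logins whose shell already marks them as non-login accounts."""
    return sorted(login for login, acct in accounts.items()
                  if login in mapping and acct["shell"] in NOLOGIN_SHELLS)


def duplicate_specs(text):
    """Return {(regex, filetype): [contexts]} for specs listed more than once."""
    seen = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:        # regex, file type flag, context
            seen[(fields[0], fields[1])].append(fields[2])
        elif len(fields) == 2:      # regex, context (any file type)
            seen[(fields[0], "")].append(fields[1])
    return {spec: ctxs for spec, ctxs in seen.items() if len(ctxs) > 1}


if __name__ == "__main__":
    accounts, mapping = parse_passwd(PASSWD), parse_seusers(SEUSERS)
    for home, logins in shared_homes(accounts, mapping).items():
        print("shared home %s: %s" % (home, ", ".join(logins)))
    print("nologin accounts with a login mapping:",
          ", ".join(nologin_with_mapping(accounts, mapping)))
    for (regex, ftype), ctxs in duplicate_specs(FILE_CONTEXTS_HOMEDIRS).items():
        kind = "identical" if len(set(ctxs)) == 1 else "differing"
        print("%d specs for %s %s (%s contexts)" % (len(ctxs), regex, ftype, kind))
```

To run it against a real system, read /etc/passwd, the policy's seusers file and file_contexts.homedirs into the three strings. The accounts returned by nologin_with_mapping are the ones the last reply says need no login record; `semanage login -d <login>` removes one.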
Hi,
I have two problems I want to fix.
Firstly,
[root@localhost tmp]# mkdir test [root@localhost tmp]# ls -dZ test drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test [root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?" [root@localhost tmp]# restorecon -R -v /tmp/test/ restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0 [root@localhost tmp]# ls -dZ test drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test ------------------------------------------------------------------ When I tried to delete the type, an error happened. [root@localhost tmp]# semanage fcontext -d /tmp/test/ Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied Traceback (most recent call last): File "/usr/sbin/semanage", line 501, in <module> process_args(sys.argv[1:]) File "/usr/sbin/semanage", line 437, in process_args OBJECT.delete(target, ftype) File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete self.__delete( target, ftype) File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete if target in self.equiv.keys(): AttributeError: fcontextRecords instance has no attribute 'equiv'
And I have searched from Google, there is a bug has been reported. So I update it to the latest selinux-policy. The error still. How should I do?
Secondly, I have read the document which resided on fedora site. I have a question. We can change the type or the domain of a file or process which can let us pass through the check of se-linux. And we also can write a policy file to pass through se-linux.
These two methods are the same destination? If so, which one is better when we try to use and why? If not, Please give me some suggestion about the difference and when we should to use for them?
Thanks & Best Regards, Su Heng
On 10/19/2010 09:33 AM, su heng wrote:
Hi,
I have two problems I want to fix.
Firstly,
[root@localhost tmp]# mkdir test
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
[root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?"
[root@localhost tmp]# restorecon -R -v /tmp/test/
restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test
When I tried to delete the type, an error happened.
[root@localhost tmp]# semanage fcontext -d /tmp/test/
Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 501, in <module>
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 437, in process_args
    OBJECT.delete(target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete
    self.__delete( target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete
    if target in self.equiv.keys():
AttributeError: fcontextRecords instance has no attribute 'equiv'
This looks like a bug in semanage
rpm -q policycoreutils
This line # semanage fcontext -d /tmp/test/
should be # semanage fcontext -d "/tmp/test(/.*)?"
But it looks like you will still have the bug.
I have searched on Google, and a bug has been reported. So I updated to the latest selinux-policy. The error is still there. What should I do?
Secondly, I have read the document which resides on the Fedora site. I have a question. We can change the type or the domain of a file or process, which lets us pass the check of se-linux. And we can also write a policy file to pass through se-linux.
Do these two methods reach the same destination? If so, which one is better to use, and why? If not, please give me some suggestions about the difference and when we should use each of them.
Not sure I understand the question. I would say you want to change the domain of the process or the context of the file to match the truth. For example, if you have a file that needs to be shared by samba then it is usually better to change the label to samba_share_t rather than run the samba process as an unconfined process.
But it is best for you to describe the exact problem that you are having with SELinux
Thanks & Best Regards, Su Heng
Hi Daniel,
Thanks for your reply. Please see my remarks. Thanks.
On Mon, 2010-10-18 at 10:47 -0400, Daniel J Walsh wrote:
On 10/19/2010 09:33 AM, su heng wrote:
Hi,
I have two problems I want to fix.
Firstly,
[root@localhost tmp]# mkdir test
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
[root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?"
[root@localhost tmp]# restorecon -R -v /tmp/test/
restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test
When I tried to delete the type, an error happened.
[root@localhost tmp]# semanage fcontext -d /tmp/test/
Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 501, in <module>
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 437, in process_args
    OBJECT.delete(target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete
    self.__delete( target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete
    if target in self.equiv.keys():
AttributeError: fcontextRecords instance has no attribute 'equiv'
This looks like a bug in semanage
[Su Heng:] Which bug describes it, and could you give me a URL as a reference?
rpm -q policycoreutils
[Su Heng:] What is this line used for? I get a result under my shell:
[root@localhost suheng]# rpm -q policycoreutils
policycoreutils-2.0.74-4.fc12.i686
This line # semanage fcontext -d /tmp/test/
should be # semanage fcontext -d "/tmp/test(/.*)?"
[Su Heng:] Yes, thanks, the same error is still there. And I want to know the solution for this issue. Could you give me some more details to fix it?
But it looks like you will still have the bug.
I have searched on Google, and a bug has been reported. So I updated to the latest selinux-policy. The error is still there. What should I do?
Secondly, I have read the document which resides on the Fedora site. I have a question. We can change the type or the domain of a file or process, which lets us pass the check of se-linux. And we can also write a policy file to pass through se-linux.
Do these two methods reach the same destination? If so, which one is better to use, and why? If not, please give me some suggestions about the difference and when we should use each of them.
Not sure I understand the question. I would say you want to change the domain of the process or the context of the file to match the truth. For example, if you have a file that needs to be shared by samba then it is usually better to change the label to samba_share_t rather than run the samba process as an unconfined process.
But it is best for you to describe the exact problem that you are having with SELinux
[Su Heng:] I mean I have a folder path "/tmp/share_for_smb_www". I want both samba and httpd to be able to access it. If I change the type of this directory to "samba_share_t", httpd won't be able to access it. At this time I have to switch the type of this directory frequently. As far as I know, RBAC can let more than one "Subject" access the same "Object". So, can a folder or file (Object) have more than one type? How does selinux implement this? By using policy configuration?
Thanks & Best Regards, Su Heng
Thanks & Best Regards, Su Heng
On 10/20/2010 07:48 AM, su heng wrote:
Hi Daniel,
Thanks for your reply. Please see my remarks. Thanks.
On Mon, 2010-10-18 at 10:47 -0400, Daniel J Walsh wrote:
On 10/19/2010 09:33 AM, su heng wrote:
Hi,
I have two problems I want to fix.
Firstly,
[root@localhost tmp]# mkdir test
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
[root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?"
[root@localhost tmp]# restorecon -R -v /tmp/test/
restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test
When I tried to delete the type, an error happened.
[root@localhost tmp]# semanage fcontext -d /tmp/test/
Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 501, in <module>
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 437, in process_args
    OBJECT.delete(target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete
    self.__delete( target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete
    if target in self.equiv.keys():
AttributeError: fcontextRecords instance has no attribute 'equiv'
This looks like a bug in semanage
[Su Heng:] Which bug describes it, and could you give me a URL as a reference?
I was suggesting that you report one. This seems to work in F13 and beyond.
rpm -q policycoreutils
[Su Heng:] What is this line used for? I get a result under my shell:
[root@localhost suheng]# rpm -q policycoreutils
policycoreutils-2.0.74-4.fc12.i686
Please attempt to yum -y update policycoreutils
To get newer version of policycoreutils.
This line # semanage fcontext -d /tmp/test/
should be # semanage fcontext -d "/tmp/test(/.*)?"
[Su Heng:] Yes, thanks, the same error is still there. And I want to know the solution for this issue. Could you give me some more details to fix it?
But it looks like you will still have the bug.
I have searched on Google, and a bug has been reported. So I updated to the latest selinux-policy. The error is still there. What should I do?
Secondly, I have read the document which resides on the Fedora site. I have a question. We can change the type or the domain of a file or process, which lets us pass the check of se-linux. And we can also write a policy file to pass through se-linux.
Do these two methods reach the same destination? If so, which one is better to use, and why? If not, please give me some suggestions about the difference and when we should use each of them.
Not sure I understand the question. I would say you want to change the domain of the process or the context of the file to match the truth. For example, if you have a file that needs to be shared by samba then it is usually better to change the label to samba_share_t rather than run the samba process as an unconfined process.
But it is best for you to describe the exact problem that you are having with SELinux
[Su Heng:] I mean I have a folder path "/tmp/share_for_smb_www". I want both samba and httpd to be able to access it. If I change the type of this directory to "samba_share_t", httpd won't be able to access it. At this time I have to switch the type of this directory frequently. As far as I know, RBAC can let more than one "Subject" access the same "Object". So, can a folder or file (Object) have more than one type? How does selinux implement this? By using policy configuration?
Thanks & Best Regards, Su Heng
Thanks & Best Regards, Su Heng
You want to set the context to public_content_t or public_content_rw_t if you want one of apache or samba to have write access.
man samba_selinux
man httpd_selinux
Will explain this.
Hi Daniel,
Thanks a lot. Your solution has fixed the issue with deleting the type of my file or directory. And thank you for suggesting reading the selinux man pages of httpd and samba.
Thanks & Best Regards, Su Heng
On Tue, 2010-10-19 at 09:13 -0400, Daniel J Walsh wrote:
On 10/20/2010 07:48 AM, su heng wrote:
Hi Daniel,
Thanks for your reply. Please see my remarks. Thanks.
On Mon, 2010-10-18 at 10:47 -0400, Daniel J Walsh wrote:
On 10/19/2010 09:33 AM, su heng wrote:
Hi,
I have two problems I want to fix.
Firstly,
[root@localhost tmp]# mkdir test
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 test
[root@localhost tmp]# semanage fcontext -a -t samba_share_t "/tmp/test(/.*)?"
[root@localhost tmp]# restorecon -R -v /tmp/test/
restorecon reset /tmp/test context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:samba_share_t:s0
[root@localhost tmp]# ls -dZ test
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 test
When I tried to delete the type, an error happened.
[root@localhost tmp]# semanage fcontext -d /tmp/test/
Can't create lock file '/var/cache/abrt/pyhook-1287493825-3446.lock': Permission denied
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 501, in <module>
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 437, in process_args
    OBJECT.delete(target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1623, in delete
    self.__delete( target, ftype)
  File "/usr/lib/python2.6/site-packages/seobject.py", line 1594, in __delete
    if target in self.equiv.keys():
AttributeError: fcontextRecords instance has no attribute 'equiv'
This looks like a bug in semanage
[Su Heng:] Which bug describes it, and could you give me a URL as a reference?
I was suggesting that you report one. This seems to work in F13 and beyond.
rpm -q policycoreutils
[Su Heng:] What is this line used for? I get a result under my shell:
[root@localhost suheng]# rpm -q policycoreutils
policycoreutils-2.0.74-4.fc12.i686
Please attempt to yum -y update policycoreutils
To get newer version of policycoreutils.
This line # semanage fcontext -d /tmp/test/
should be # semanage fcontext -d "/tmp/test(/.*)?"
[Su Heng:] Yes, thanks, the same error is still there. And I want to know the solution for this issue. Could you give me some more details to fix it?
But it looks like you will still have the bug.
I have searched on Google, and a bug has been reported. So I updated to the latest selinux-policy. The error is still there. What should I do?
Secondly, I have read the document which resides on the Fedora site. I have a question. We can change the type or the domain of a file or process, which lets us pass the check of se-linux. And we can also write a policy file to pass through se-linux.
Do these two methods reach the same destination? If so, which one is better to use, and why? If not, please give me some suggestions about the difference and when we should use each of them.
Not sure I understand the question. I would say you want to change the domain of the process or the context of the file to match the truth. For example, if you have a file that needs to be shared by samba then it is usually better to change the label to samba_share_t rather than run the samba process as an unconfined process.
But it is best for you to describe the exact problem that you are having with SELinux
[Su Heng:] I mean I have a folder path "/tmp/share_for_smb_www". I want both samba and httpd to be able to access it. If I change the type of this directory to "samba_share_t", httpd won't be able to access it. At this time I have to switch the type of this directory frequently. As far as I know, RBAC can let more than one "Subject" access the same "Object". So, can a folder or file (Object) have more than one type? How does selinux implement this? By using policy configuration?
Thanks & Best Regards, Su Heng
Thanks & Best Regards, Su Heng
You want to set the context to public_content_t or public_content_rw_t if you want one of apache or samba to have write access.
man samba_selinux
man httpd_selinux
Will explain this.