Removing semanage-added rules (Was: only allow 1 port for listening)

Forrest Taylor ftaylor at redhat.com
Wed Aug 8 19:16:20 UTC 2007


On Wed, 2007-08-08 at 13:45 -0500, Jason L Tibbitts III wrote:
> >>>>> "FT" == Forrest Taylor <ftaylor at redhat.com> writes:
> 
> FT> Do a -l to list it, and use grep to match your rule ;o)
> 
> I was trying to see if an fcontext pattern actually matched any files
> in the filesystem.  Actually I'd like to know something more specific:
> if it actually has any effect.  It could be covered by another rule.
> 
> An example: I see an AVC denial on one file, add a rule to change the
> context on that file and realize later that I need a rule matching the
> whole directory.  A week later and I'm cleaning up; can I really
> delete that first rule?  There are a whole lot of fcontext rules; how
> do I know it really doesn't have any effect?

In that specific example, you could remove the file rule and use
restorecon to verify that it works as expected.  It is rather difficult
to determine the file context without using some empirical evidence.
Note that file_type_auto_trans could also come into play here negating
the fcontext rules.

Forrest
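The empirical check Forrest describes (drop the candidate rule, then see whether any file's label would change) can be rehearsed offline before touching the live policy. The script below is an added example, not code from this thread or from the semanage/restorecon tools: it takes a constructed list of fcontext rules in the shape `semanage fcontext -l` prints them (pattern, type), assumes as an approximation of libselinux's file_contexts lookup that the last matching rule wins, and reports which of a given set of paths would be relabeled if one rule were removed. A rule that changes nothing for the paths you care about is the "dead" rule Jason wants to identify. It does not model file_type_auto_trans, which Forrest notes can override fcontext rules for newly created files.

```python
import re

# Constructed sample rules in `semanage fcontext -l` order (policy rules
# first, local customizations last). Paths and types are hypothetical.
FILE_RULE = ("/srv/site/index\\.html", "httpd_sys_content_t")      # added first, for one file
DIR_RULE = ("/srv/site(/.*)?", "httpd_sys_content_t")              # added later, whole tree
UPLOAD_RULE = ("/srv/site/upload(/.*)?", "httpd_sys_rw_content_t")  # narrower, different type

RULES = [FILE_RULE, DIR_RULE, UPLOAD_RULE]

# Constructed sample of files that exist on the filesystem.
PATHS = [
    "/srv/site/index.html",
    "/srv/site/css/main.css",
    "/srv/site/upload/a.txt",
    "/etc/hosts",
]


def expected_type(path, rules):
    """Type the rules would assign to `path`, or None if nothing matches.

    Assumption: the last matching rule in list order wins, as in a
    file_contexts lookup. Patterns are anchored with fullmatch.
    """
    label = None
    for pattern, setype in rules:
        if re.fullmatch(pattern, path):
            label = setype
    return label


def rule_effect(rule, rules, paths):
    """Map each path whose type would change if `rule` were removed
    to a (type_with_rule, type_without_rule) pair."""
    without = [r for r in rules if r != rule]
    changed = {}
    for p in paths:
        before = expected_type(p, rules)
        after = expected_type(p, without)
        if before != after:
            changed[p] = (before, after)
    return changed


def is_dead_rule(rule, rules, paths):
    """True when removing `rule` relabels none of `paths`."""
    return not rule_effect(rule, rules, paths)


if __name__ == "__main__":
    for rule in RULES:
        effect = rule_effect(rule, RULES, PATHS)
        status = "no effect, safe to remove" if not effect else "still needed"
        print(f"{rule[0]:28} {rule[1]:24} {status}")
        for p, (before, after) in effect.items():
            print(f"    {p}: {before} -> {after}")
```

With the sample data the single-file rule is shadowed by the directory rule (both assign the same type), so removing it changes nothing, while the upload rule is still needed because dropping it would relabel `/srv/site/upload/a.txt`. On a real system the same check is `semanage fcontext -d` for the candidate rule followed by a dry run, `restorecon -n -v -R /srv/site`, which lists the files that would be relabeled without changing them; re-add the rule if that list is not empty.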