> -----Original Message-----
> From: fedora-selinux-list-bounces@xxxxxxxxxx
> [mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of Bob Gustafson
> Sent: Wednesday, May 26, 2004 8:34 PM
> To: Fedora SELinux support list for users & developers.
> Subject: Re: Difficulty compiling setools-1.3-2
>
> I did a little more testing
>
> [user1@hoho2 user1]$ seuser show users
> Could not access policy.conf file. Verify the location is valid in the seuser.conf file.
> [user1@hoho2 user1]$
>
> At this point, I said 'whoops, remake of setools has same problem as
> before'
>
> But then a minute later, when I was logged in as root, I did it again with
> good results - no code change.
>
> [root@hoho2 user1]#
> [root@hoho2 user1]# seuser show users
>
> system_u: system_r
> user_u: user_r sysadm_r system_r
> root: staff_r sysadm_r system_r
> cyrus: cyrus_r
> mailman: mailman_r
>
>
> [root@hoho2 user1]#
>
> I don't know what the desired error message is for an ordinary user?

I'm not certain either, but the error message that was returned was clearly not the right one. We'll work on some better error messages for a future release.

> Are mortal users discouraged from running seuser? If so, perhaps the policy
> should just make it not executable for mortal users.
>
> If mortal users can run 'seuser', then perhaps the seuser.conf file has to
> be accessible to the seuser program when being run by a mortal user. That
> is my guess at why the error message comes up.
>

That is correct. Seuser is designed to only be run by sysadm_r - it is a trusted program with wide ranging access to the policy, so it is probably not appropriate for a normal user to run (this is all in the context of the strict policy - things are different under the targeted policy).

If you simply want to see the users in the system, the better program to use is seinfo:

[kmacmillan@pham setools-1.4]$ seinfo -u -x

Users: 5
   system_u system_r
   root system_r sysadm_r staff_r
   user_u system_r sysadm_r user_r
   cyrus cyrus_r
   mailman mailman_r

Karl

>
> BobG
>
>
>
> On Wed, 26 May 2004 14:07:30 -0400, Stephen Smalley wrote:
> >On Wed, 2004-05-26 at 14:01, Bob Gustafson wrote:
> >> Thanks much, seems to work (I have a blank apol window popped up on my
> >>screen)
> >>
> >> The Tresys version of setools-1.3.1.tgz is bigger and newer than the one on
> >> the NSA site.
> >
> >diff -ru on the expanded directories shows that the only difference is
> >that the Tresys tarball has a spurious Attic directory under seuser.
> >The tarball on the NSA site is built from our internal CVS tree, and we
> >import new versions from Tresys as appropriate (but naturally don't
> >import CVS internal files like the Attic directory).
> >
> >--
> >Stephen Smalley <sds@xxxxxxxxxxxxxx>
> >National Security Agency
> >
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list@xxxxxxxxxx
> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list