On Tue, 2008-05-13 at 09:03 -0400, Eric Paris wrote:
> On Tue, 2008-05-13 at 08:44 -0400, Stephen Smalley wrote:
> > On Mon, May 12, 2008 at 5:26 PM, Eric Paris <eparis@xxxxxxxxxx> wrote:
> > >
> > > Installing: selinux-policy ##################### [128/129]
> > > Installing: selinux-policy-targeted ##################### [129/129]
> > > libsemanage.dbase_llist_query: could not query record value
> > > libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was defined for user guest_u
> >
> > Hmm...so you are installing a policy with MLS enabled, but tried to
> > add a user without a MLS level. I think this is likely a
> > bug/limitation of semanage, where it tries to deduce whether or not to
> > include the MLS field based on whether the host has MLS enabled.
> > This has come up before on selinux list; we need a libsemanage
> > interface for querying whether MLS is enabled in the policy store vs.
> > on the host. Or you could fake a /selinux/mls node that contains "1".
>
> I have one that has a 1\n inside the chroot, but I guess that wasn't
> enough? Yes, I think it's a fine idea to create such a store vs. host
> check, but in either case they both 'should' have returned MLS=on....

The newline is the problem for you; libselinux is_selinux_mls_enabled()
looks for an exact match against "1" since that is what the kernel has
always returned.

--
Stephen Smalley
National Security Agency
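
The mismatch described in the last reply, as an added example that is not part of the thread and is not libselinux source: a simplified model of an exact comparison against "1" beside a newline-tolerant one, run on constructed file contents. All function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Read the short flag file from its start into a NUL-terminated buffer. */
static int read_flag(FILE *f, char *buf, size_t size)
{
    rewind(f);
    buf[fread(buf, 1, size - 1, f)] = '\0';
    return ferror(f) ? -1 : 0;
}

/* Exact check (simplified model, not libselinux source): only "1" counts. */
int mls_flag_exact(FILE *f)
{
    char buf[20];
    return read_flag(f, buf, sizeof buf) == 0 && strcmp(buf, "1") == 0;
}

/* Tolerant check (hypothetical): cut at the first CR/LF, then compare. */
int mls_flag_trimmed(FILE *f)
{
    char buf[20];
    if (read_flag(f, buf, sizeof buf) != 0)
        return 0;
    buf[strcspn(buf, "\r\n")] = '\0';
    return strcmp(buf, "1") == 0;
}

/* Store constructed content in a temporary file and run one check on it. */
int check_content(const char *content, int (*check)(FILE *))
{
    FILE *f = tmpfile();
    int result;
    if (!f)
        return -1;
    fputs(content, f);
    result = check(f);
    fclose(f);
    return result;
}

int main(void)
{
    const char *samples[] = { "1", "1\n", "0" };  /* constructed inputs */
    for (size_t i = 0; i < 3; i++)
        printf("len=%zu exact=%d trimmed=%d\n", strlen(samples[i]),
               check_content(samples[i], mls_flag_exact),
               check_content(samples[i], mls_flag_trimmed));
    return 0;
}
```

A flag file written with `echo 1` carries the trailing newline, while `printf 1` writes the single byte the exact comparison expects.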