On 22.02.2014 at 13:00, selinux-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> Message: 1
> Date: Fri, 21 Feb 2014 07:06:26 -0800 (PST)
> From: Andy Ruch <adruch2002@xxxxxxxxx>
> To: Miroslav Grepl <mgrepl@xxxxxxxxxx>
> Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>, Fedora SELinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: semanage error when upgrading to RHEL 6.5
> Message-ID: <1392995186.92907.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=utf-8
>
>> On Friday, February 21, 2014 1:55 AM, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
>>> On 02/20/2014 11:30 PM, Andy Ruch wrote:
>>>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>>>>> On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>>>> On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>>>> On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>>>>>> On 02/19/2014 11:56 AM,
>>>>>>>> Andy Ruch wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I have a policy that was originally written for RHEL 6.2. I’m now
>>>>>>>>> trying to upgrade to RHEL 6.5 and I’m having problems with semanage. I
>>>>>>>>> can install a fresh RHEL 6.5 system with the targeted policy and
>>>>>>>>> everything works fine. I then uninstall the targeted policy and install
>>>>>>>>> my policy and I can’t link the linux user and selinux user.
>>>>>>>>>
>>>>>>>>>>> semanage user -a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 testuser_u
>>>>>>>>>>> useradd -G wheel testuser
>>>>>>>>>>> semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser
>>>>>>>>> libsemanage.dbase_llist_query: could not query record value
>>>>>>>>> /usr/sbin/semanage: Could not query user for testuser
>>>>>>>>>
>>>>>>>>> I have the RHEL 6.5 source code for libsemanage and the targeted policy
>>>>>>>>> but so far I haven't been able to find differences that would affect
>>>>>>>>> this problem. Could someone please point me in the right direction as
>>>>>>>>> far as what semanage is expecting? What would prevent libsemanage from
>>>>>>>>> querying for the user?
>>>>>>>>>
>>>>>>>>> Thanks, Andy
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> selinux mailing list
>>>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>>
>>>>>>>> What does semanage login -l and semanage user -l show?
>>>>>>> semanage user -l shows:
>>>>>>>
>>>>>>>                 Labeling   MLS/       MLS/
>>>>>>> SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
>>>>>>>
>>>>>>> root            user       s0         s0-s0:c0.c1023   system_r
>>>>>>> system_u        user       s0         s0-s0:c0.c1023   system_r
>>>>>>> testuser_u      user       s0         s0-s0:c0.c1023   staff_r sysadm_r
>>>>>>> user_u          user       s0         s0               user_r
>>>>>>>
>>>>>>> semanage login -l shows:
>>>>>>>
>>>>>>> Login Name      SELinux User    MLS/MCS Range
>>>>>>>
>>>>>>> root            root            s0-s0:c0.c1023
>>>>>>> system_u        system_u        s0-s0:c0.c1023
>>>>>>>
>>>>>> And the testuser exists in /etc/passwd?
>>>>>
>>>>> Yes. The commands "semanage user -a" and "useradd" appear to work fine.
>>>>> It's the "semanage login -a" that has trouble.
>>>>>
>>>> And this is with the stock policycoreutils or a rebuilt one?
>>>>
>>> Stock. Fresh install from RHEL 6.5 image.
>>> Then I remove the selinux-policy and selinux-policy-targeted RPMs and add my policy RPMs.
>>
>> Probably not related but could you test it in permissive?
>>
>> Also any chance to strace it and send us your output?
>>
>> Regards,
>> Miroslav
>
> Sorry. I should have specified that earlier. This has all been in permissive.
>
> I will work on getting an strace.
>
> End of selinux Digest, Vol 120, Issue 16