Re: selinux Digest, Vol 120, Issue 17


 



On 22.02.2014 at 16:14, selinux-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:

> Send selinux mailing list submissions to
> 	selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://admin.fedoraproject.org/mailman/listinfo/selinux
> or, via email, send a message with subject or body 'help' to
> 	selinux-request@xxxxxxxxxxxxxxxxxxxxxxx
> 
> You can reach the person managing the list at
> 	selinux-owner@xxxxxxxxxxxxxxxxxxxxxxx
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of selinux digest..."
> 
> 
> Today's Topics:
> 
>   1. Re: selinux Digest, Vol 120, Issue 14 (Lucrecia Trippel)
>   2. Re: selinux Digest, Vol 120, Issue 15 (Lucrecia Trippel)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sat, 22 Feb 2014 16:13:48 +0100
> From: Lucrecia Trippel <antracit2009@xxxxxxxxx>
> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: selinux Digest, Vol 120, Issue 14
> Message-ID: <31477F4C-C6DF-4598-AB74-8C2490985E74@xxxxxxxxx>
> Content-Type: text/plain; charset=windows-1252
> 
> 
> On 20.02.2014 at 23:23, selinux-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> 
>> Today's Topics:
>> 
>>  1. Re: Correct way to use booleans (Daniel J Walsh)
>>  2. RE: Correct way to use booleans (Jayson Hurst)
>>  3. Re: Correct way to use booleans (Daniel J Walsh)
>>  4. RE: Correct way to use booleans (Jayson Hurst)
>>  5. Re: Correct way to use booleans (Daniel J Walsh)
>>  6. Re: semanage error when upgrading to RHEL 6.5 (Daniel J Walsh)
>>  7. Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
>>  8. Re: semanage error when upgrading to RHEL 6.5 (Daniel J Walsh)
>>  9. Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
>> 10. Re: semanage error when upgrading to RHEL 6.5 (Daniel J Walsh)
>> 
>> 
>> ----------------------------------------------------------------------
>> 
>> Message: 1
>> Date: Thu, 20 Feb 2014 08:03:44 -0500
>> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>> To: Jayson Hurst <swazup@xxxxxxxxxxx>,
>> 	"selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: Correct way to use booleans
>> Message-ID: <5305FD30.1050504@xxxxxxxxxx>
>> Content-Type: text/plain; charset=UTF-8
>> 
>> On 02/19/2014 08:20 PM, Jayson Hurst wrote:
>>> Audit2Allow is suggesting that a boolean be turned on.
>>> 
>>> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
>>> 
>>> allow vasd_t ldap_port_t:tcp_socket name_bind;
>>> 
>>> setsebool -P allow_ypbind 1
>>> 
>>> Should this boolean be enabled via my domains policy, or is this something
>>> the system administrator should turn on if they know they will be using
>>> NIS?
>>> 
>> Only the system admin should turn this on in an NIS environment.  This is an
>> incredibly permissive boolean.  Allows all processes to use any network port.
>> 
>>> The same question can be asked for other things like http and samba.
>>> 
>>> #!!!! This avc can be allowed using one of the these booleans:
>>> #     samba_export_all_ro, samba_export_all_rw
>>> 
>>> allow smbd_t tmp_t:file getattr;
>> There really should not be tmp_t files on a system.  Any idea how this file
>> got created?  smbd_t in permissive mode?
>> 
>>> #!!!! This avc can be allowed using one of the these booleans:
>>> #     samba_create_home_dirs, samba_export_all_rw
>>> 
>>> allow smbd_t user_home_dir_t:dir { write create add_name };
>>> 
>>> setsebool -P samba_export_all_rw 1
>>> 
>>> 
>>> 
>>> 
>>> 
>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> 
>> If a user is exporting the home dirs it would be better to use
>> samba_enable_home_dirs
>> 
>> But if he is sharing the entire system then use samba_export_all_rw
>> 
>> 
>> 
>> 
>> ------------------------------
>> 
>> Message: 2
>> Date: Thu, 20 Feb 2014 09:30:40 -0700
>> From: Jayson Hurst <swazup@xxxxxxxxxxx>
>> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>,
>> 	"selinux@xxxxxxxxxxxxxxxxxxxxxxx"	<selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: RE: Correct way to use booleans
>> Message-ID: <BLU172-W115B3FEB4027CC4152DD06D59A0@xxxxxxx>
>> Content-Type: text/plain; charset="iso-8859-1"
>> 
>> So it sounds like booleans are meant to be set by the admin if they need that sort of thing on.  In the case of samba if the admin wanted to share out user directories they would need to turn on a boolean that would allow them to do so like samba_enable_home_dirs.
>> 
>> I see a few different files in /tmp that are labelled as tmp_t, but the ones I care about are the krb5cc_X files.  If I use kinit to generate the krb5cc file it is labelled as user_tmp_t but if I login through ssh, local_login, gdm, etc. they get created as tmp_t.  Seeing that my daemon is responsible for kerberos login I can only guess that it is generating them incorrectly.  In my SELinux module should I have a transition for files created in tmp to have them created as user_tmp_t or is there a better way?
>> 
>> ------------------------------
>> 
>> Message: 3
>> Date: Thu, 20 Feb 2014 12:48:53 -0500
>> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>> To: Jayson Hurst <swazup@xxxxxxxxxxx>,
>> 	"selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: Correct way to use booleans
>> Message-ID: <53064005.8030104@xxxxxxxxxx>
>> Content-Type: text/plain; charset=UTF-8
>> 
>> On 02/20/2014 11:30 AM, Jayson Hurst wrote:
>>> So it sounds like booleans are meant to be set by the admin if they need
>>> that sort of thing on.  In the case of samba if the admin wanted to share
>>> out user directories they would need to turn on a boolean that would allow
>>> them to do so like samba_enable_home_dirs.
>>> 
>>> I see a few different files in /tmp that are labelled as tmp_t, but the
>>> ones I care about are the krb5cc_X files.  If I use kinit to generate the
>>> krb5cc file it is labelled as user_tmp_t but if I login through
>>> ssh,local_login, gdm, etc... they get created as tmp_t.  Seeing that my
>>> daemon is responsible for kerberos login I can only guess that it is
>>> generating them incorrectly.  In my SELinux module should I have a
>>> transition for files created in tmp to have them created as user_tmp_t or
>>> is there a better way?
>>> 
>> Well are you in permissive mode?  Are you using standard Fedora packages or
>> something different?  Login/sshd should be creating these files as user_tmp_t.
>> 
>> 
>> 
>> ------------------------------
>> 
>> Message: 4
>> Date: Thu, 20 Feb 2014 11:41:54 -0700
>> From: Jayson Hurst <swazup@xxxxxxxxxxx>
>> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>,
>> 	"selinux@xxxxxxxxxxxxxxxxxxxxxxx"	<selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: RE: Correct way to use booleans
>> Message-ID: <BLU172-W90D379149DB09E4F50F05D59A0@xxxxxxx>
>> Content-Type: text/plain; charset="iso-8859-1"
>> 
>> I am running in permissive mode, my module is in permissive mode.
>> 
>> I am actually running on RHEL 6.0.
>> 
>> So in this scenario even though my daemon is authenticating the user it is not responsible for context that the krb5cc_xxx file gets created as?
>> 
>> 
>> ------------------------------
>> 
>> Message: 5
>> Date: Thu, 20 Feb 2014 14:21:55 -0500
>> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>> To: Jayson Hurst <swazup@xxxxxxxxxxx>,
>> 	"selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: Correct way to use booleans
>> Message-ID: <530655D3.1060606@xxxxxxxxxx>
>> Content-Type: text/plain; charset=UTF-8
>> 
>> On 02/20/2014 01:41 PM, Jayson Hurst wrote:
>>> I am running in permissive mode, my module is in permissive mode.
>>> 
>>> I am actually running on RHEL 6.0.
>>> 
>>> So in this scenario even though my daemon is authenticating the user it is
>>> not responsible for context that the krb5cc_xxx file gets created as?
>>> 
>> 
>> The login daemons should be creating this file with the correct context,
>> user_tmp_t.
>> 
>> 
>> ------------------------------
>> 
>> Message: 6
>> Date: Thu, 20 Feb 2014 15:38:00 -0500
>> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>> To: Andy Ruch <adruch2002@xxxxxxxxx>,	Fedora SELinux
>> 	<selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: semanage error when upgrading to RHEL 6.5
>> Message-ID: <530667A8.7090201@xxxxxxxxxx>
>> Content-Type: text/plain; charset=UTF-8
>> 
>> On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>> Hello,
>>> 
>>> I have a policy that was originally written for RHEL 6.2. I’m now trying
>>> to upgrade to RHEL 6.5 and I’m having problems with semanage. I can install
>>> a fresh RHEL 6.5 system with the targeted policy and everything works fine.
>>> I then uninstall the targeted policy and install my policy and I can’t link
>>> the linux user and selinux user.
>>> 
>>>>> semanage user -a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 testuser_u
>>>>> useradd -G wheel testuser
>>>>> semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser
>>> libsemanage.dbase_llist_query: could not query record value
>>> /usr/sbin/semanage: Could not query user for testuser
>>> 
>>> 
>>> I have the RHEL 6.5 source code for libsemanage and the targeted policy but
>>> so far I haven't been able to find differences that would affect this
>>> problem. Could someone please point me in the right direction as far as
>>> what semanage is expecting?  What would prevent libsemanage from querying
>>> for the user?
>>> 
>>> Thanks, Andy
>>> 
>>> 
>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> 
>> What does semanage login -l and semanage user -l show?
>> 
>> 
>> ------------------------------
>> 
>> Message: 7
>> Date: Thu, 20 Feb 2014 12:46:36 -0800 (PST)
>> From: Andy Ruch <adruch2002@xxxxxxxxx>
>> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>,	Fedora SELinux
>> 	<selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: semanage error when upgrading to RHEL 6.5
>> Message-ID:
>> 	<1392929196.64207.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>> Content-Type: text/plain; charset=utf-8
>> 
>> On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> 
>>> What does semanage login -l and semanage user -l show?
>> 
>> semanage user -l shows:
>> 
>> 
>>                Labeling   MLS/       MLS/                          
>> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>> 
>> root            user       s0         s0-s0:c0.c1023                 system_r
>> system_u        user       s0         s0-s0:c0.c1023                 system_r
>> testuser_u      user       s0         s0-s0:c0.c1023                 staff_r sysadm_r
>> user_u          user       s0         s0                             user_r
>> 
>> 
>> 
>> semanage login -l shows:
>> 
>> 
>> Login Name                SELinux User              MLS/MCS Range            
>> 
>> root                      root                      s0-s0:c0.c1023           
>> system_u                  system_u                  s0-s0:c0.c1023           
>> 
>> 
>> ------------------------------
>> 
>> Message: 8
>> Date: Thu, 20 Feb 2014 16:36:23 -0500
>> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>> To: Andy Ruch <adruch2002@xxxxxxxxx>,	Fedora SELinux
>> 	<selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: semanage error when upgrading to RHEL 6.5
>> Message-ID: <53067557.5050108@xxxxxxxxxx>
>> Content-Type: text/plain; charset=UTF-8
>> 
>> On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>> semanage user -l shows:
>>> 
>>>                 Labeling   MLS/       MLS/
>>> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>>> 
>>> root            user       s0         s0-s0:c0.c1023                 system_r
>>> system_u        user       s0         s0-s0:c0.c1023                 system_r
>>> testuser_u      user       s0         s0-s0:c0.c1023                 staff_r sysadm_r
>>> user_u          user       s0         s0                             user_r
>>> 
>>> semanage login -l shows:
>>> 
>>> Login Name                SELinux User              MLS/MCS Range
>>> 
>>> root                      root                      s0-s0:c0.c1023
>>> system_u                  system_u                  s0-s0:c0.c1023
>>> 
>> And the testuser exists in /etc/passwd?
>> 
>> 
>> ------------------------------
>> 
>> Message: 9
>> Date: Thu, 20 Feb 2014 13:44:30 -0800 (PST)
>> From: Andy Ruch <adruch2002@xxxxxxxxx>
>> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>,	Fedora SELinux
>> 	<selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: semanage error when upgrading to RHEL 6.5
>> Message-ID:
>> 	<1392932670.69206.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>> Content-Type: text/plain; charset=utf-8
>> 
>> On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> 
>>> And the testuser exists in /etc/passwd?
>> 
>> Yes. The commands "semanage user -a" and "useradd" appear to work fine. It's the "semanage login -a" that has trouble.
>> 
>> 
>> ------------------------------
>> 
>> Message: 10
>> Date: Thu, 20 Feb 2014 17:23:49 -0500
>> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>> To: Andy Ruch <adruch2002@xxxxxxxxx>,	Fedora SELinux
>> 	<selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: semanage error when upgrading to RHEL 6.5
>> Message-ID: <53068075.6080400@xxxxxxxxxx>
>> Content-Type: text/plain; charset=UTF-8
>> 
>> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh
>>>> <dwalsh@xxxxxxxxxx> wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>> 
>>>> On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh
>>>> <dwalsh@xxxxxxxxxx>
>>>>> wrote:
>>>>> 
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>> 
>>>>>> 
>>>>>> On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>>>>>> Hello,
>>>>>>> 
>>>>>>> I have a policy that was originally written for RHEL 6.2. I’m now 
>>>>>>> trying to upgrade to RHEL 6.5 and I’m having problems with
>>>> semanage. I
>>>>>>> can install a fresh RHEL 6.5 system with the targeted policy and 
>>>>>>> everything works fine. I then uninstall the targeted policy and
>>>> install
>>>>>>> my policy and I can’t link the linux user and selinux user.
>>>>>>> 
>>>>>>>>> semanage user –a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 
>>>>>>>>> testuser_u useradd -G wheel testuser semanage login -a -r 
>>>>>>>>> s0-s0:c0.c1023 -s testuser_u testuser
>>>>>>> libsemanage.dbase_llist_query: could not query record value 
>>>>>>> /usr/sbin/semanage: Could not query user for testuser
>>>>>>> 
>>>>>>> 
>>>>>>> I have the RHEL 6.5 source code for libsemanage and the targeted
>>>> policy
>>>>>>> but so far I haven't been able to find differences that would
>>>> affect
>>>>>>> this problem. Could someone please point me in the right direction
>>>>>>> 
>>>> as
>>>>>>> far as what semanage is expecting?  What would prevent libsemanage
>>>>>>> 
>>>> from
>>>>>>> querying for the user?
>>>>>>> 
>>>>>>> Thanks, Andy
>>>>>>> 
>>>>>>> 
>>>>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>> 
>>>>>> What does semanage login -l and semanage user -l show?
>>>>>> 
>>>>> 
>>>>> semanage user -l shows:
>>>>> 
>>>>> 
>>>>>                 Labeling   MLS/       MLS/
>>>>> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>>>>> 
>>>>> root            user       s0         s0-s0:c0.c1023                 system_r
>>>>> system_u        user       s0         s0-s0:c0.c1023                 system_r
>>>>> testuser_u      user       s0         s0-s0:c0.c1023                 staff_r sysadm_r
>>>>> user_u          user       s0         s0                             user_r
>>>>> 
>>>>> 
>>>>> 
>>>>> semanage login -l shows:
>>>>> 
>>>>> 
>>>>> Login Name                SELinux User              MLS/MCS Range
>>>>> 
>>>>> root                      root                      s0-s0:c0.c1023
>>>>> system_u                  system_u                  s0-s0:c0.c1023
>>>>> 
>>>>> 
>>>> And the testuser exists in /etc/passwd?
>>>> 
>>> 
>>> 
>>> Yes. The commands "semanage user -a" and "useradd" appear to work fine.
>>> It's the "semanage login -a" that has trouble.
>>> 
>> And this is with the stock policycoreutils or a rebuilt one?
>> 
>> 
>> ------------------------------
>> 
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> 
>> End of selinux Digest, Vol 120, Issue 14
>> ****************************************
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Sat, 22 Feb 2014 16:14:00 +0100
> From: Lucrecia Trippel <antracit2009@xxxxxxxxx>
> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: selinux Digest, Vol 120, Issue 15
> Message-ID: <C1512601-4049-4500-A409-1A9DED280B20@xxxxxxxxx>
> Content-Type: text/plain; charset=utf-8
> 
> 
> On 21.02.2014 at 10:32, selinux-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> 
>> Send selinux mailing list submissions to
>> 	selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> 
>> To subscribe or unsubscribe via the World Wide Web, visit
>> 	https://admin.fedoraproject.org/mailman/listinfo/selinux
>> or, via email, send a message with subject or body 'help' to
>> 	selinux-request@xxxxxxxxxxxxxxxxxxxxxxx
>> 
>> You can reach the person managing the list at
>> 	selinux-owner@xxxxxxxxxxxxxxxxxxxxxxx
>> 
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of selinux digest..."
>> 
>> 
>> Today's Topics:
>> 
>>  1. Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
>>  2. RE: Correct way to use booleans (Jayson Hurst)
>>  3. Re: semanage error when upgrading to RHEL 6.5 (Miroslav Grepl)
>>  4. Re: Correct way to use booleans (Miroslav Grepl)
>>  5. Re: how to change the context of running process (Miroslav Grepl)
>>  6. Re: How to properly setup my domains security contexts in the
>>     domain.fc file? (Miroslav Grepl)
>> 
>> 
>> ----------------------------------------------------------------------
>> 
>> Message: 1
>> Date: Thu, 20 Feb 2014 14:30:06 -0800 (PST)
>> From: Andy Ruch <adruch2002@xxxxxxxxx>
>> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>,	Fedora SELinux
>> 	<selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: semanage error when upgrading to RHEL 6.5
>> Message-ID:
>> 	<1392935406.63212.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>> Content-Type: text/plain; charset=utf-8
>> 
>>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>> 
>>> And this is with the stock policycoreutils or a rebuilt one?
>>> 
>> 
>> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy and selinux-policy-targeted RPMs and add my policy RPMs.
>> 
>> 
>> ------------------------------
>> 
>> Message: 2
>> Date: Thu, 20 Feb 2014 16:54:18 -0700
>> From: Jayson Hurst <swazup@xxxxxxxxxxx>
>> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>,
>> 	"selinux@xxxxxxxxxxxxxxxxxxxxxxx"	<selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: RE: Correct way to use booleans
>> Message-ID: <BLU172-W3728825C096AEDF18A065DD59A0@xxxxxxx>
>> Content-Type: text/plain; charset="iso-8859-1"
>> 
>> I see the same thing on RHEL 6.5.
>> 
>> So should I assume this is a bug in SElinux/OS?  Even so is there a way that I can work around it?  Would there be anything wrong with transitioning files I create in tmp from tmp_t to user_tmp_t?
>> 
>>> Date: Thu, 20 Feb 2014 14:21:55 -0500
>>> From: dwalsh@xxxxxxxxxx
>>> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> Subject: Re: Correct way to use booleans
>>> 
>>> On 02/20/2014 01:41 PM, Jayson Hurst wrote:
>>>> I am running in permissive mode, my module is in permissive mode.
>>>> 
>>>> I am actually running on RHEL 6.0.
>>>> 
>>>> So in this scenario even though my daemon is authenticating the user it is
>>>> not responsible for context that the krb5cc_xxx file gets created as?
>>>> 
>>> 
>>> The login daemons should be creating this file with the correct context,
>>> user_tmp_t.
>> 
>> ------------------------------
>> 
>> Message: 3
>> Date: Fri, 21 Feb 2014 09:54:52 +0100
>> From: Miroslav Grepl <mgrepl@xxxxxxxxxx>
>> To: Andy Ruch <adruch2002@xxxxxxxxx>
>> Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>,	Fedora SELinux
>> 	<selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: semanage error when upgrading to RHEL 6.5
>> Message-ID: <5307145C.40903@xxxxxxxxxx>
>> Content-Type: text/plain; charset=UTF-8; format=flowed
>> 
>> On 02/20/2014 11:30 PM, Andy Ruch wrote:
>>>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>> 
>>>> And this is with the stock policycoreutils or a rebuilt one?
>>>> 
>>> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy and selinux-policy-targeted RPMs and add my policy RPMs.
>> Probably not related but could you test it in permissive?
>> 
>> Also any chance to strace it and send us your output?
>> 
>> Regards,
>> Miroslav
>> 
>> 
>> ------------------------------
>> 
>> Message: 4
>> Date: Fri, 21 Feb 2014 10:10:18 +0100
>> From: Miroslav Grepl <mgrepl@xxxxxxxxxx>
>> To: Jayson Hurst <swazup@xxxxxxxxxxx>
>> Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>,
>> 	"selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: Correct way to use booleans
>> Message-ID: <530717FA.9030002@xxxxxxxxxx>
>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>> 
>> On 02/20/2014 07:41 PM, Jayson Hurst wrote:
>>> I am running in permissive mode, my module is in permissive mode.
>>> 
>>> I am actually running on RHEL 6.0.
>>> 
>>> So in this scenario even though my daemon is authenticating the user 
>>> it is not responsible for context that the krb5cc_xxx file gets 
>>> created as?
>> 
>> What daemon?
>> 
>> How does your local policy look?
>>> 
>>>> Date: Thu, 20 Feb 2014 12:48:53 -0500
>>>> From: dwalsh@xxxxxxxxxx
>>>> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Subject: Re: Correct way to use booleans
>>>> 
>>>> On 02/20/2014 11:30 AM, Jayson Hurst wrote:
>>>>> So it sounds like booleans are meant to be set by the admin if they need
>>>>> that sort of thing on. In the case of samba if the admin wanted to share
>>>>> out user directories they would need to turn on a boolean that would allow
>>>>> them to do so like samba_enable_home_dirs.
>>>>> 
>>>>> I see a few different files in /tmp that are labelled as tmp_t, but the
>>>>> ones I care about are the krb5cc_X files. If I use kinit to generate the
>>>>> krb5cc file it is labelled as user_tmp_t but if I login through
>>>>> ssh, local_login, gdm, etc... they get created as tmp_t. Seeing that my
>>>>> daemon is responsible for kerberos login I can only guess that it is
>>>>> generating them incorrectly. In my SELinux module should I have a
>>>>> transition for files created in tmp to have them created as user_tmp_t or
>>>>> is there a better way?
>>>>> 
>>>> Well are you in permissive mode? Are you using standard Fedora packages or
>>>> something different? Login/sshd should be creating these files as
>>>> user_tmp_t.
>>>> 
>>>> 
>>>>>> Date: Thu, 20 Feb 2014 08:03:44 -0500
>>>>>> From: dwalsh@xxxxxxxxxx
>>>>>> To: swazup@xxxxxxxxxxx; selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> Subject: Re: Correct way to use booleans
>>>>>> 
>>>>> On 02/19/2014 08:20 PM, Jayson Hurst wrote:
>>>>>> Audit2Allow is suggesting that a boolean be turned on.
>>>>> 
>>>>>> #!!!! This avc can be allowed using the boolean 'allow_ypbind'
>>>>> 
>>>>>> allow vasd_t ldap_port_t:tcp_socket name_bind;
>>>>> 
>>>>>> setsebool -P allow_ypbind 1
>>>>> 
>>>>>> Should this boolean be enabled via my domains policy, or is this
>>>>>> something the system administrator should turn on if they know they will
>>>>>> be using NIS?
>>>>> 
>>>>> Only the system admin should turn this on in an NIS environment. This is
>>>>> an incredibly permissive boolean. Allows all processes to use any network
>>>>> port.
>>>>> 
>>>>>> The same question can be asked for other things like http and samba.
>>>>>> #!!!! This avc can be allowed using one of the these booleans: #
>>>>>> samba_export_all_ro, samba_export_all_rw
>>>>> 
>>>>>> allow smbd_t tmp_t:file getattr;
>>>>> There really should not be tmp_t files on a system. Any idea how this file
>>>>> got created? smbd_t in permissive mode?
>>>>> 
>>>>>> #!!!! This avc can be allowed using one of the these booleans: #
>>>>>> samba_create_home_dirs, samba_export_all_rw
>>>>> 
>>>>>> allow smbd_t user_home_dir_t:dir { write create add_name };
>>>>> 
>>>>>> setsebool -P samba_export_all_rw 1
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>> 
>>>>> If a user is exporting the home dirs it would be better to use
>>>>> samba_enable_home_dirs
>>>>> 
>>>>> But if he is sharing the entire system then use samba_export_all_rw
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>> 
>>>> 
>>> 
>>> 
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> 
>> 
>> ------------------------------
>> 
>> Message: 5
>> Date: Fri, 21 Feb 2014 10:26:19 +0100
>> From: Miroslav Grepl <mgrepl@xxxxxxxxxx>
>> To: bigclouds <bigclouds@xxxxxxx>
>> Cc: "selinux@xxxxxxxxxxxxxxxxxxxxxxx"
>> 	<selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: how to change the context of running process
>> Message-ID: <53071BBB.5080905@xxxxxxxxxx>
>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>> 
>> On 02/10/2014 02:38 AM, bigclouds wrote:
>>> hi, all
>>> 1. How to change the context of a running process?
>>> 2. In my case, libvirtd is initrc_t. How do I find where and which
>>> file defines this rule? libvirtd should be virtd_t, I want to correct it.
>>> 3. audit2allow outputs a rule, 'allow initrc_t svirt_t:process transition'.
>>> Is there a command line tool that can finish this request, without installing
>>> a .pp module?
>>> thanks
>>> 
>>> 
>> It looks like you have a mislabeling issue on the libvirtd binary.  If you execute
>> 
>> $ ls -Z /usr/sbin/libvirtd | awk '{ print $4 }'
>> 
>> $ matchpathcon /usr/sbin/libvirtd | awk '{ print $2 }'
>> 
>> you will probably get different values. If so you will need to fix
>> labeling (SELinux is a labeling system) using
>> 
>> # restorecon -R -v /usr/sbin/libvirtd
>> 
>> and restart libvirtd service.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> 
>> 
>> ------------------------------
>> 
>> Message: 6
>> Date: Fri, 21 Feb 2014 10:32:35 +0100
>> From: Miroslav Grepl <mgrepl@xxxxxxxxxx>
>> To: Jayson Hurst <swazup@xxxxxxxxxxx>
>> Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>,
>> 	"selinux@xxxxxxxxxxxxxxxxxxxxxxx" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>> Subject: Re: How to properly setup my domains security contexts in the
>> 	domain.fc file?
>> Message-ID: <53071D33.8030905@xxxxxxxxxx>
>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>> 
>> On 02/14/2014 04:50 PM, Jayson Hurst wrote:
>>> If the context for /var/opt/quest/vas/vasd(/.*)? all files 
>>> system_u:object_r:vasd_var_auth_t:s0
>>> 
>>> Is already in place before the product is installed via rpm, should 
>>> rpm correctly label the dir/files as they are laid down?
>> The point is the directory needs to be a part of the rpm payload.
>> 
>> # rpm -qf /var/opt/quest/vas/vas
>> 
>> Otherwise you need to run restorecon to fix labeling.
>> 
>>> 
>>> Sent from my Windows Phone
>>> ------------------------------------------------------------------------
>>> From: Daniel J Walsh <mailto:dwalsh@xxxxxxxxxx>
>>> Sent: 2/14/2014 6:52 AM
>>> To: Jayson Hurst <mailto:swazup@xxxxxxxxxxx>; 
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx <mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>>> Subject: Re: How to properly setup my domains security contexts in the 
>>> domain.fc file?
>>> 
>>> On 02/14/2014 01:23 AM, Jayson Hurst wrote:
>>>> The policy was in play before installing the product, also why doesn't the
>>>> pid file get labeled correctly?
>>> Pid files are created by the app, and the app does not look at the file
>>> context.  file_context is just there to tell SELinux aware apps how to label
>>> content.  (restorecon, rpm)  If non SELinux aware apps create content then you
>>> need file transition rules.
>>>> 
>>>> Sent from my Windows Phone
>>>> --------------------------------------------------------------------------------
>>>> From: Daniel J Walsh <mailto:dwalsh@xxxxxxxxxx>
>>>> Sent: 2/13/2014 6:58 PM
>>>> To: Jayson Hurst <mailto:swazup@xxxxxxxxxxx>; selinux@xxxxxxxxxxxxxxxxxxxxxxx <mailto:selinux@xxxxxxxxxxxxxxxxxxxxxxx>
>>>> Subject: Re: How to properly setup my domains security contexts in the
>>>> domain.fc file?
>>>> 
>>>> On 02/13/2014 08:30 PM, Jayson Hurst wrote:
>>>>> I have a file context installed as follows:
>>>>> 
>>>>> # semanage fcontext -l | grep vasd
>>>>> 
>>>>> /etc/rc.d/init.d/vasd                 regular file   system_u:object_r:vasd_initrc_exec_t:s0
>>>>> /opt/quest/sbin/vasd                  regular file   system_u:object_r:vasd_exec_t:s0
>>>>> /var/opt/quest(/.*)?                  all files      system_u:object_r:vasd_var_t:s0
>>>>> /var/opt/quest/vas/vasd(/.*)?         all files      system_u:object_r:vasd_var_auth_t:s0
>>>>> /var/opt/quest/vas/vasd/.vasd.pid     regular file   system_u:object_r:vasd_var_run_t:s0
>>>>> 
>>>>> After a fresh install I see the following:
>>>>> 
>>>>> # ls -laZ /var/opt/quest/vas/vasd/
>>>>> drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 .
>>>>> drwxr-xr-x. root root unconfined_u:object_r:vasd_var_t:s0 ..
>>>>> -rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
>>>>> -rw-r--r--. root root unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
>>>>> 
>>>>> 
>>>>> Why are the files being created under /var/opt/quest/vas/vasd not being
>>>>> labelled correctly as vasd_var_auth_t as the fcontext states? Is the
>>>>> software installer supposed to force a relabel on a post-install?
>>>>> 
>>>>> After a restart of the daemon I do not see the pid file being labelled
>>>>> correctly:
>>>>> 
>>>>> # /etc/init.d/vasd restart
>>>>> Stopping vasd: vasd does not appear to be running.
>>>>> Starting vasd:                                             [  OK  ]
>>>>> 
>>>>> # ls -laZ /var/opt/quest/vas/vasd/
>>>>> drwxr-xr-x. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .
>>>>> drwxr-xr-x. root   root   unconfined_u:object_r:vasd_var_t:s0 ..
>>>>> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19574
>>>>> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19575
>>>>> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19576
>>>>> srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd40_ipc_sock
>>>>> -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid
>>>>> -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
>>>>> -rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_misc.vdb
>>>>> 
>>>>> After forcing a relabel:
>>>>> 
>>>>> # restorecon -F -R /var/opt/quest/vas/vasd/
>>>>> 
>>>>> # ls -laZ /var/opt/quest/vas/vasd/
>>>>> drwxr-xr-x. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .
>>>>> drwxr-xr-x. root   root   unconfined_u:object_r:vasd_var_t:s0 ..
>>>>> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19574
>>>>> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19575
>>>>> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd_19576
>>>>> srwxrwxrwx. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd40_ipc_sock
>>>>> -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 .vasd.pid
>>>>> -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_ident.vdb
>>>>> -rw-r--r--. daemon daemon system_u:object_r:vasd_var_auth_t:s0 vas_misc.vdb
>>>>> 
>>>>> I get the files and directory labelled correctly, but not the pid file.
>>>>> I can set a pid transition in the policy but then what is the point of
>>>>> setting a file context in the <domain>.fc for the pid file if it never
>>>>> gets picked up? Apparently I am missing something important here.
>>>>> 
>>>>> Does anyone know a place for good documentation on this subject?
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>> 
>>>> If RPM puts the files on disk and then installs your policy in post
>>>> install, it will not fix the labels.
>>>> 
>>>> You could create a vasd-selinux.rpm and require this to be installed
>>>> before the vasd.rpm is installed.  In that case the rpm should do the right
>>>> thing, at least on Fedora/RHEL7.  Not sure about RHEL6.
>>>> 
>>>> Otherwise you can just run restorecon in the post install.
>>> 
>>> 
>>> 
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> 
>> 
>> ------------------------------
>> 
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> 
>> End of selinux Digest, Vol 120, Issue 15
>> ****************************************
> 
> 
> 
> ------------------------------
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> End of selinux Digest, Vol 120, Issue 17
> ****************************************

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

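The labelling questions in this digest (Miroslav's `ls -Z` versus `matchpathcon` comparison for libvirtd, and Jayson's vasd files that stay vasd_var_t although the .fc rules say otherwise) come down to one check: does the type on disk match the type the file_contexts rules prescribe? The following is an added example, not code from the thread, libselinux or policycoreutils: an offline auditor that parses `semanage fcontext -l`-style rules and `ls -laZ` output and lists the disagreements, ranking rules the way fc_sort does (longer literal stem, then no metacharacters, then longer regex) as an approximation of libselinux. The rule table and listing are constructed from the ones quoted above; `run_sample` and all other names are this example's own.

```python
"""Offline audit of on-disk SELinux labels against file_contexts rules.
Added example, not code from the thread, libselinux or policycoreutils. Rule
precedence follows fc_sort's ranking (longer literal stem, then no metachars,
then longer regex), an approximation of libselinux's own ordering."""
import re
from typing import List, NamedTuple, Optional, Tuple
# `semanage fcontext -l` file-type column -> first char of an `ls -l` mode; None = "all files".
FTYPE_TO_MODE = {"all files": None, "regular file": "-", "directory": "d",
                 "symbolic link": "l", "socket": "s", "named pipe": "p",
                 "character device": "c", "block device": "b"}
_META = ".^$?*+|[({"
_RULE_RE = re.compile(r"^(\S+)\s+(%s)\s+(\S+)$" % "|".join(FTYPE_TO_MODE))
# RHEL 6 style `ls -laZ` line: mode, owner, group, context, name (no size/date columns).
_LS_RE = re.compile(r"^([-dlspcb])[rwxstST-]{9}[.+]?\s+\S+\s+\S+\s+(\S+)\s+(.+)$")

class FcRule(NamedTuple):
    regex: str
    ftype: str
    type: str                     # TYPE field of user:role:TYPE:range
    rank: Tuple[int, bool, int]   # higher = more specific (fc_sort order)

def _stem_len(regex: str) -> int:
    """Literal prefix up to the last '/' before the first regex metachar (fc_sort's get_stem_len)."""
    stem, i = 0, 0
    while i < len(regex):
        if regex[i] == "/":
            stem = i
        if regex[i] == "\\":
            i += 1                    # skip the escaped character
        elif regex[i] in _META:
            break
        i += 1
    return stem

def parse_fcontext_rules(text: str) -> List[FcRule]:
    """Parse lines in `semanage fcontext -l` layout: REGEX  FILE-TYPE  CONTEXT."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("SELinux fcontext"):
            continue                  # blank line or the listing's header
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised fcontext line: {line!r}")
        regex, ftype, context = m.groups()
        has_meta = any(c in _META for c in regex)
        rules.append(FcRule(regex, ftype, context.split(":")[2],
                            (_stem_len(regex), not has_meta, len(regex))))
    return rules

def expected_type(path: str, mode_char: str, rules: List[FcRule]) -> Optional[str]:
    """Type prescribed by the most specific matching rule; None if no rule matches."""
    hits = [r for r in rules if FTYPE_TO_MODE[r.ftype] in (None, mode_char) and re.fullmatch(r.regex, path)]
    return max(hits, key=lambda r: r.rank).type if hits else None

def parse_ls_laZ(dir_path: str, text: str) -> List[Tuple[str, str, str]]:
    """(absolute path, mode char, on-disk type) for each entry of `ls -laZ DIR`."""
    dir_path, entries = dir_path.rstrip("/"), []
    for line in text.splitlines():
        m = _LS_RE.match(line.strip())
        if not m:
            continue                  # prompt, "total N" or blank line
        mode_char, context, name = m.groups()
        path = {".": dir_path, "..": dir_path.rsplit("/", 1)[0]}.get(
            name, f"{dir_path}/{name}")
        entries.append((path, mode_char, context.split(":")[2]))
    return entries

def audit(dir_path: str, ls_text: str, rules: List[FcRule]) -> List[Tuple[str, str, str]]:
    """(path, on-disk type, expected type) for every entry that disagrees with the rules."""
    bad = []
    for path, mode_char, actual in parse_ls_laZ(dir_path, ls_text):
        want = expected_type(path, mode_char, rules)
        if want is not None and want != actual:
            bad.append((path, actual, want))
    return bad

# Constructed sample data, copied from the listings quoted in the thread.
FCONTEXT_SAMPLE = """
/opt/quest/sbin/vasd                regular file   system_u:object_r:vasd_exec_t:s0
/var/opt/quest(/.*)?                all files      system_u:object_r:vasd_var_t:s0
/var/opt/quest/vas/vasd(/.*)?       all files      system_u:object_r:vasd_var_auth_t:s0
/var/opt/quest/vas/vasd/.vasd.pid   regular file   system_u:object_r:vasd_var_run_t:s0
"""
VASD_DIR = "/var/opt/quest/vas/vasd"
LS_AFTER_RESTART = """\
drwxr-xr-x. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .
drwxr-xr-x. root   root   unconfined_u:object_r:vasd_var_t:s0 ..
srwxrwxrwx. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd_19574
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 .vasd.pid
-rw-r--r--. daemon daemon unconfined_u:object_r:vasd_var_t:s0 vas_ident.vdb
"""

def run_sample() -> List[Tuple[str, str, str]]:
    # Audit the post-restart listing; only `..` (vasd_var_t under /var/opt/quest) is right.
    return audit(VASD_DIR, LS_AFTER_RESTART, parse_fcontext_rules(FCONTEXT_SAMPLE))
```

On a live system the same functions take the real `semanage fcontext -l` and `ls -laZ` output; the expected column is what the rule table prescribes, which `restorecon -n -v` would also report as a pending change.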



