Re: semanage error when upgrading to RHEL 6.5


 



On 04/01/2014 08:27 PM, Andy Ruch wrote:



  I was able to identify the problem. The short answer is my “seusers” file didn’t have a “__default__” entry. This caused “selinux.getseuserbyname()” in seobject.py to return the name of the linux user instead of an existing selinux user. This linux user name was never able to match an existing seuser record and caused “libsemanage.dbase_llist_query” to fail. Below is a python command that highlights the issue. Just switch between a user that does exist and one that doesn’t to see the difference.

  python -c 'import selinux;rec,oldsename,oldserange = selinux.getseuserbyname("testuser");print oldsename;'


  I now have a solution that allows me to move forward, however I would consider this a bug that could be fixed. Maybe add a check for users that don’t exist or make the “__default__” entry mandatory.

I believe your issue is different from bug #875169. If I understand
correctly, you fail on

# semanage login -a -s foo_u foo
libsemanage.dbase_llist_query: could not query record value
ValueError: Could not query user for foo_u

which looks correct to me. Not sure where you see a bug in this case.

The #875169 bug is about the user/group check which we have in seobject.py.

  Dan/Miroslav -- Bugzilla Bug 875169 was reopened in relation to this issue. It’s private so I don’t have any access to add a comment.
  Let me re-check it. Thank you.
  --
  selinux mailing list
  selinux@xxxxxxxxxxxxxxxxxxxxxxx
  https://admin.fedoraproject.org/mailman/listinfo/selinux

As you've described the bug, I would say that is what I'm seeing. This all stems from not having a "__default__" entry in seusers. This caused the old seuser check in seobject.py to not find a valid seuser and default to the provided linux user ('foo' in your example). Then I was getting the "libsemanage.dbase_llist_query" error because 'foo' really couldn't be found, which is correct. So I think the error really exists in seobject.py in the fact it's trying to use 'foo' as 'oldsename'.
I have been playing more with this issue. And I believe we want to have something like

# semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser
/usr/sbin/semanage: There is no "__default__" entry defined in seusers config file.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
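
An added example, not part of the original messages and not code from seobject.py or libselinux: a pre-flight check over seusers content that models the lookup described in this thread (explicit entry, then "__default__", then the Linux login name itself) and returns the error message proposed above when the default entry is missing. The function names, the sample file contents and the set of defined SELinux users are assumptions; "%group" entries are parsed but not used for resolution.

```python
# Added example: models the lookup described in the thread; it does not call libselinux.
DEFAULT_LOGIN = "__default__"

# Constructed sample seusers contents, one "login:seuser:mls_range" record per line.
SEUSERS_OK = """\
# constructed sample
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
"""
SEUSERS_NO_DEFAULT = """\
root:unconfined_u:s0-s0:c0.c1023
system_u:system_u:s0-s0:c0.c1023
"""


def parse_seusers(text):
    """Return {login: (seuser, mls_range)}. The MLS range itself contains ':'."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)  # split at most twice so the range stays intact
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError("malformed seusers line: %r" % raw)
        entries[fields[0]] = (fields[1], fields[2] if len(fields) == 3 else "")
    return entries


def resolve_seuser(entries, login):
    """Explicit entry, then __default__, then the fallback reported in the
    thread: the Linux login name comes back as if it were an SELinux user."""
    if login in entries:
        return entries[login][0], "explicit"
    if DEFAULT_LOGIN in entries:
        return entries[DEFAULT_LOGIN][0], "default"
    return login, "fallback"


def preflight(text, login, defined_seusers):
    """Return None when the mapping is usable, otherwise an error message."""
    seuser, how = resolve_seuser(parse_seusers(text), login)
    if how == "fallback":
        return 'There is no "%s" entry defined in seusers config file.' % DEFAULT_LOGIN
    if seuser not in defined_seusers:
        return "seusers maps %s to undefined SELinux user %s" % (login, seuser)
    return None
```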




