On Fri, 2008-07-25 at 10:30 -0400, Karl MacMillan wrote: > > -----Original Message----- > > From: Chris PeBenito [mailto:pebenito@xxxxxxxxxx] > > Sent: Thursday, July 24, 2008 8:07 PM > > To: Vikram Ambrose > > Cc: selinux@xxxxxxxxxxxxx; Karl MacMillan > > Subject: Re: libsepol.context_from_record: MLS is disabled, but MLS > > context"s0" found > > > > On Thu, 2008-07-24 at 16:34 -0400, Vikram Ambrose wrote: > > > I keep getting this error with audit2why. > > > > > > root@localhost:/root> cat msg > > > type=1400 audit(1216736766.147:35): avc: denied { read write } > > for > > > pid=1829 comm="modprobe" name="console" dev=sda ino=344069 > > > scontext=system_u:system_r:insmod_t > > > tcontext=unconfined_u:object_r:default_t tclass=chr_file > > > > > > root@localhost:/root> audit2allow < msg #============= insmod_t > > > ============== allow insmod_t default_t:chr_file { read write }; > > > > > > root@localhost:/root> audit2why < msg > > > libsepol.context_from_record: MLS is disabled, but MLS context "s0" > > > found > > > libsepol.context_from_record: could not create context structure > > > libsepol.context_from_string: could not create context structure > > > libsepol.sepol_context_to_sid: could not convert > > > system_u:system_r:insmod_t:s0 to sid Invalid Source Context > > > system_u:system_r:insmod_t:s0 > > > > I ran into this last week. Sepolgen incorrectly adds the MLS portion > > of the context regardless if MLS is enabled or not. Then when the > > tool uses the context, libsepol throws the above errors when MLS is > > disabled. > > I haven't had a chance to really look at what would be the right way > > to fix it, since I'm no python expert. Karl? > > > > Maybe I'm missing something, but from above this looks like an audit2why > bug not an sepolgen bug. Perhaps. I didn't have a change to analyze the problem fully, so I don't know if sepolgen is supposed to be informed if this is an MLS policy or not, or if sepolgen itself is supposed to figure it out. In the end the offending function is in the SecurityContext class in sepolgen: def to_string(self, default_level="s0"): fields = [self.user, self.role, self.type] if self.level == "": if default_level != "": fields.append(default_level) else: fields.append(self.level) return ":".join(fields) -- Chris PeBenito <pebenito@xxxxxxxxxx> Developer, Hardened Gentoo Linux Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
Attachment:
signature.asc
Description: This is a digitally signed message part
