-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Joe Nall wrote:
>
> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
>
>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>> I need to add login mappings in python firstboot modules during system
>>> configuration. In my first module a simple:
>>>
>>> seobject.loginRecords().add(username, "siterep_u",
>>> "SystemLow-SystemHigh")
>>>
>>> works. In subsequent modules, I get an exception:
>>>
>>> libsemanage.enter_rw: this operation requires a transaction
>>> libsemanage.enter_rw: could not enter read-write section
>>> Traceback (most recent call last):
>>> File "./t", line 6, in <module>
>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>> raise error
>>> ValueError: Could not add login mapping for test3
>>>
>>> What is the right way to do this?
>>>
>>> joe
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
>>> with
>>> the words "unsubscribe selinux" without quotes as the message.
>> Probably an MLS issue. firtstboot is running in a context that is not
>> allowed to lock/manage selinux.
>
> I'm installing in permissive and switching to enforcing after firstboot.
> You are correct that firstboot_t doesn't have the policy for all the
> stuff I'm trying to do yet.
>
>> You probably should exec semanage rather then calling seobject so you
>> could do a transition and not have to give a huge app like first boot
>> the ability to manage security policy.
>
> That is what is installing right now. I would still like an
> explanation/code snippet of correct usage for future use
>
> joe
>
>
This works on F10 Targeted policy
# python -c "import seobject; seobject.loginRecords().add("pwalsh",
"staff_u", "s0")
# python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'
Could it be a translation problem?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkm4I80ACgkQrlYvE4MpobPITACgj0orf8wCagcwCJS0oPLnnlqP
oPQAoJfLLAn5mTAQ2uem/RFhZj4M3qqW
=rYfA
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
