Re: Help with python seobject.loginRecords

On 03/11/2009 05:00 PM, Stephen Smalley wrote:
On Wed, 2009-03-11 at 16:49 -0400, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe Nall wrote:
On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:

On 03/11/2009 12:15 PM, Joe Nall wrote:
I need to add login mappings in python firstboot modules during system
configuration. In my first module a simple:

seobject.loginRecords().add(username, "siterep_u",
"SystemLow-SystemHigh")

works. In subsequent modules, I get an exception:

libsemanage.enter_rw: this operation requires a transaction
libsemanage.enter_rw: could not enter read-write section
Traceback (most recent call last):
  File "./t", line 6, in <module>
    seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
  File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
    raise error
ValueError: Could not add login mapping for test3

What is the right way to do this?

joe


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
Probably an MLS issue.  firstboot is running in a context that is not
allowed to lock/manage selinux.
I'm installing in permissive and switching to enforcing after firstboot.
You are correct that firstboot_t doesn't have the policy for all the
stuff I'm trying to do yet.

You probably should exec semanage rather than calling seobject so you
could do a transition and not have to give a huge app like firstboot
the ability to manage security policy.
That is what is installing right now. I would still like an
explanation/code snippet of correct usage for future use.

joe


This works on F10 Targeted policy

# python -c 'import seobject; seobject.loginRecords().add("pwalsh", "staff_u", "s0")'
# python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'

Could it be a translation problem?

Try running multiple calls within the same python interpreter.
I think seobject.py isn't using libsemanage correctly.  For example, in
add(), you do:
                self.begin()
                self.__add(name, sename, serange)
                self.commit()
but begin() only ever invokes semanage_begin_transaction() the very
first time:
        def begin(self):
                if self.transaction:
                        return
                rc = semanage_begin_transaction(self.sh)

So after the first commit(), you'll start failing.

I think this patch fixes the transaction patch in semanage.
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.62/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/semanage/semanage	2009-03-12 09:22:45.000000000 -0400
@@ -464,10 +464,10 @@
                       else:
                              fd = open(input, 'r')
                       trans = seobject.semanageRecords(store)
-                      trans.begin()
+                      trans.start()
                       for l in fd.readlines():
                              process_args(mkargv(l))
-                      trans.commit()
+                      trans.finish()
                else:
                       process_args(sys.argv[1:])
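Review bot: the batch (`-i`) path has no cleanup if `process_args()` raises part-way through the loop: `trans.finish()` is never reached and the handle is left with the transaction begun by `trans.start()` still open. Consider a `try`/`finally` around the `for l in fd.readlines():` loop so `finish()` (or an explicit abort, if one is added) always runs, and note that `start()` now raises `ValueError` if a transaction is already in progress, which this caller does not catch.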
 			
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.62/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2008-11-14 17:10:15.000000000 -0500
+++ policycoreutils-2.0.62/semanage/seobject.py	2009-03-12 09:25:27.000000000 -0400
@@ -281,15 +281,20 @@
                global handle
                       
                if handle != None:
-                      self.transaction = True
                       self.sh = handle
                else:
                       self.sh=get_handle(store)
-                      self.transaction = False
+               self.transaction = False
 
         def deleteall(self):
                raise ValueError(_("Not yet implemented"))
 
+        def start(self):
+               if self.transaction:
+                      raise ValueError(_("Semanage transaction already in progress"))
+               self.begin()
+               self.transaction = True
+
         def begin(self):
                if self.transaction:
                       return
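Review bot: dropping `self.transaction = True` from the `if handle != None:` branch and setting `self.transaction = False` unconditionally changes what a records object constructed while a batch is open believes. Before, any object built on the shared global `handle` knew a transaction was in progress and its `begin()` early-returned (still visible at the end of this hunk); after the patch only the one object on which `start()` was called carries the flag, so `loginRecords()` and friends instantiated inside the batch loop will run their own `begin()`/`commit()` per operation. If the intent is one commit per `-i` run, the in-transaction state needs to live with the shared handle (or be consulted from the global) rather than per object; at minimum a comment should state which objects are expected to see the flag.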
@@ -303,6 +308,12 @@
                if rc < 0:
                       raise ValueError(_("Could not commit semanage transaction"))
 
+        def finish(self):
+               if not self.transaction:
+                      raise ValueError(_("Semanage transaction not in progress"))
+               self.transaction = False
+               self.commit()
+
 class permissiveRecords(semanageRecords):
 	def __init__(self, store):
                semanageRecords.__init__(self, store)
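Review bot: `finish()` clears `self.transaction` before calling `self.commit()`, and `start()` sets it only after `begin()` returns; this ordering is load-bearing because both helpers early-return when the flag is set, but nothing in the hunk says so. A one-line comment on `start()`/`finish()` explaining that they bracket an explicit batch while `begin()`/`commit()` are the implicit per-operation calls would prevent the next edit from reordering them. Also worth documenting: if `commit()` raises here, the flag has already been cleared, so a second `finish()` reports "not in progress" even though the libsemanage transaction is still open.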
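The start()/finish() versus begin()/commit() distinction in the patch, and the failure mode Stephen describes (a per-operation add that must begin and commit its own transaction each time), are easier to see against a stand-in for the libsemanage handle. The following is an added example written for this page, not code from seobject.py or policycoreutils: FakeSemanageHandle is constructed here and only enforces the one rule the thread's error output shows (read-write work requires an open transaction), and the assumption that the real commit() early-returns when the per-object flag is set is taken from the ordering inside the patch's finish().

```python
# Constructed model of the transaction bookkeeping in the patched seobject.py.
# FakeSemanageHandle stands in for the libsemanage handle; it is not the
# real library and only models "rw operations require a transaction".


class FakeSemanageHandle:
    """Constructed stand-in for a libsemanage handle."""

    def __init__(self):
        self.in_transaction = False
        self.pending = []        # changes made since begin_transaction()
        self.committed = []      # changes made durable by commit()
        self.commit_count = 0

    def begin_transaction(self):
        if self.in_transaction:
            return -1            # libsemanage style: negative on error
        self.in_transaction = True
        return 0

    def add_login(self, name, sename, serange):
        # Mirrors "libsemanage.enter_rw: this operation requires a transaction"
        if not self.in_transaction:
            raise ValueError("enter_rw: this operation requires a transaction")
        self.pending.append((name, sename, serange))

    def commit(self):
        if not self.in_transaction:
            return -1
        self.committed.extend(self.pending)
        self.pending = []
        self.in_transaction = False
        self.commit_count += 1
        return 0


class LoginRecords:
    """Per-object flag as in the patch: begin()/commit() are implicit per
    operation and become no-ops while start()/finish() bracket a batch."""

    def __init__(self, sh):
        self.sh = sh
        self.transaction = False

    def start(self):
        if self.transaction:
            raise ValueError("Semanage transaction already in progress")
        self.begin()
        self.transaction = True        # set only after begin() succeeded

    def finish(self):
        if not self.transaction:
            raise ValueError("Semanage transaction not in progress")
        self.transaction = False       # cleared first so commit() runs
        self.commit()

    def begin(self):
        if self.transaction:
            return
        if self.sh.begin_transaction() < 0:
            raise ValueError("Could not start semanage transaction")

    def commit(self):
        if self.transaction:           # assumed: same early return as begin()
            return
        if self.sh.commit() < 0:
            raise ValueError("Could not commit semanage transaction")

    def add(self, name, sename, serange):
        self.begin()
        self.sh.add_login(name, sename, serange)
        self.commit()


def one_at_a_time(sh):
    """Three separate add() calls on one handle: three commits."""
    recs = LoginRecords(sh)
    for user in ("alice", "bob", "carol"):    # constructed sample users
        recs.add(user, "staff_u", "s0")
    return sh.commit_count


def batched(sh):
    """The semanage -i shape: start(), several adds, finish(): one commit."""
    recs = LoginRecords(sh)
    recs.start()
    for user in ("alice", "bob", "carol"):
        recs.add(user, "staff_u", "s0")
    recs.finish()
    return sh.commit_count


def double_start_raises(sh):
    """start() twice on the same object must fail, then finish() cleans up."""
    recs = LoginRecords(sh)
    recs.start()
    try:
        recs.start()
        return False
    except ValueError:
        return True
    finally:
        recs.finish()


if __name__ == "__main__":
    print("one at a time:", one_at_a_time(FakeSemanageHandle()))
    print("batched:", batched(FakeSemanageHandle()))
    print("double start raises:", double_start_raises(FakeSemanageHandle()))
```

Because every add() re-enters begin() when no batch is open, repeated calls on one handle keep working in this model; the batch path commits exactly once, and the ordering comments mark the two lines that the patch's finish() and start() depend on.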
