On Fri, 2010-01-08 at 10:34 -0500, Stephen Smalley wrote:
> On Wed, 2009-12-23 at 18:26 -0500, Caleb Case wrote:
> > We created a migration script to ease the burden of transition from the
> > old libsemanage store layout to the new. The script will detect all the
> > stores in /etc/selinux using the old layout and convert them to the new
> > layout in /var/lib/selinux. It also allows you to specify the default
> > priority to use with -p and store to operate on with -s. After migration
> > the script by default will leave the old store unchanged, but can be
> > told to remove the old modules directory with -c.
> >
> > Examples:
> >
> > # Migrate all stores to the new layout.
> > migrate.py
> >
> > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > Attempting to rebuild policy from /var/lib/selinux
> >
> > # Migrate only the targeted store.
> > migrate.py -s targeted
> >
> > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > Attempting to rebuild policy from /var/lib/selinux
> >
> > # Migrate all, but install to priority 150.
> > migrate.py -p 150
> >
> > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > Attempting to rebuild policy from /var/lib/selinux
>
> I tried the following:
> semanage login -a -s user_u pi
> cp -a /etc/selinux /etc/selinux.orig
> install new userland
> migrate.py
> diff -ru /etc/selinux.orig /etc/selinux
>
> The seusers entry for "pi" was dropped from the final seusers file in
> the rebuilt policy.
>

I saw the same thing. I added a new login, but it does not show up
after the migration with "semanage login -l" even though it is in
/var/lib/selinux/targeted/active/seusers and seusers.final.

Booleans, ports, file contexts, and permissive domains all show up after
the migration, but there are some other issues.

1) For booleans I am getting this error:

# semanage boolean --on git_system_use_cifs
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 460, in <module>
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 407, in process_args
    raise ValueError(_("Invalid command") % " ".join(argv))
TypeError: not all arguments converted during string formatting

2) Either the priority stuff doesn't work or I am doing something wrong.
Shouldn't either of the following not display any modules since they are
all at priority 100?

"semodule -p 900 -l" or "semodule -p 900; semodule -l"

Both display all modules.

3) I can't remove the permissive domain created before the migration
because the default priority level is 400, but the script put everything
at priority 100 and I don't know how to change the priority for
semanage.

# semanage permissive -d httpd_t
libsemanage.semanage_direct_remove_key: Unable to remove module directory /var/lib/selinux/targeted/tmp/modules/400/permissive_httpd_t. (No such file or directory).
/usr/sbin/semanage: Could not remove permissive domain httpd_t (remove failed)

Ports and file contexts addition and removal seem to work fine.

-- 
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
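
Added example (not part of the original message and not libsemanage or migrate.py code): a read-only Python check for the situation in item 3, listing which priority directories each module occupies and reporting when a removal at a given priority has no directory to remove. The active/modules/<priority>/<module> layout is an assumption inferred from the error path quoted above; the function names and the sample store are constructed for illustration.

```python
import os
import tempfile

def installed_priorities(store_root):
    """Map module name -> sorted priorities under <store_root>/active/modules.

    Assumed layout: active/modules/<priority>/<module>/ (inferred, not confirmed).
    """
    modules_dir = os.path.join(store_root, "active", "modules")
    found = {}
    if not os.path.isdir(modules_dir):
        return found
    for prio in os.listdir(modules_dir):
        prio_dir = os.path.join(modules_dir, prio)
        if not prio.isdigit() or not os.path.isdir(prio_dir):
            continue  # skip anything that is not a numeric priority directory
        for name in os.listdir(prio_dir):
            found.setdefault(name, []).append(int(prio))
    return {name: sorted(prios) for name, prios in found.items()}

def explain_remove(store_root, module, priority):
    """Report whether removing `module` at `priority` would find a directory."""
    present = installed_priorities(store_root).get(module, [])
    if priority in present:
        return "ok: %s exists at priority %d" % (module, priority)
    if present:
        return "mismatch: %s is installed at %s, not %d" % (
            module, ",".join(map(str, present)), priority)
    return "missing: %s is not installed at any priority" % module

def build_sample_store(root):
    """Constructed sample: a migrated store with every module at priority 100."""
    for name in ("permissive_httpd_t", "apache", "git"):
        os.makedirs(os.path.join(root, "active", "modules", "100", name))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        store = build_sample_store(os.path.join(tmp, "targeted"))
        # Removal at 400 finds nothing because migration placed it at 100.
        print(explain_remove(store, "permissive_httpd_t", 400))
        print(explain_remove(store, "permissive_httpd_t", 100))
```

Pointing store_root at a copy of a real store (for example a copy of /var/lib/selinux/targeted) shows the same information without touching the live policy.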