Re: MLS required even when MLS is disabled?

Stephen Smalley <sds@xxxxxxxxxxxxx> · Mon, 25 Nov 2013 15:21:55 -0500

On 11/25/2013 03:12 PM, Sven Vermeulen wrote:
> Hi all
> 
> I have a report that mentions that the new userspace release does not like
> non-MLS policies:
> 
> # semanage fcontext -a -t swapfile_t "/swapfile"
> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found (No such file or directory).
> libsepol.context_from_record: could not create context structure (Invalid argument).
> libsemanage.validate_handler: invalid context system_u:object_r:swapfile_t:s0 specified for /swapfile [all files] (Invalid argument).
> libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
> OSError: Invalid argument
> 
> # semanage login -a -s staff_u amade            
> libsemanage.validate_handler: MLS is disabled, but MLS range s0 was found for Unix user amade (No such file or directory).
> libsemanage.validate_handler: seuser mapping [amade -> (staff_u, s0)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> OSError: No such file or directory
> 
> Any idea what could be the cause of this?

Probably this one.



>From 5102ed4cb81f7eae6300c99b16541582eb7e1f8e Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Fri, 11 Oct 2013 09:10:31 -0400
Subject: [PATCH] If users of seobject set serange or seuser to "", we need to
 override.

Do not want bad data getting into the system
---
 policycoreutils/semanage/seobject.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index e7ece41..e198090 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -1788,9 +1788,15 @@ class fcontextRecords(semanageRecords):
 				       raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'; Try adding '%s' instead") % (target, i, fdict[i], t))
 
 
-	def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
+	def __add(self, target, type, ftype = "", serange = "s0", seuser = "system_u"):
                 self.validate(target)
 
+                if seuser == "":
+                        seuser = "system_u"
+
+                if serange == "":
+                        serange = "s0"
+
 		if is_mls_enabled == 1:
                        serange = untranslate(serange)
 			
-- 
1.8.3.1





