Re: MLS required even when MLS is disabled?


On 12/08/2013 08:22 AM, Sven Vermeulen wrote:
> On Tue, Nov 26, 2013 at 02:08:52PM -0500, Stephen Smalley wrote:
>> Reverted.  Pushed as policycoreutils-2.2.4. Will accept a new patch on
>> next that does it conditionally under the mls enabled case.
> 
> Another issue related to this one is that, when semanage is called, it
> sets the MLS level (s0) and range (s0) as default. This still triggers the
> MLS warning.
> 
> """
> def parser_add_level(parser, name):
>     parser.add_argument('-L', '--level', default='s0',
>                         help=_('Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)'))
> def parser_add_range(parser, name):
>     parser.add_argument('-r', '--range', default="s0", help=_('''
> """
> 
> With policycoreutils-2.2.4:
> 
> """
> # semanage port -a -t ssh_port_t -p tcp 2222
> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found
> libsepol.context_from_record: could not create context structure (Invalid argument).
> libsepol.port_from_record: could not create port structure for range 2222:2222 (tcp) (Invalid argument).
> libsepol.sepol_port_modify: could not load port range 2222 - 2222 (tcp) (Invalid argument).
> libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
> libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
> OSError: Invalid argument
> """
> 
> If I explicitly mark the range as empty, it works:
> 
> """
> # semanage port -a -t ssh_port_t -p tcp 2222 -r ""
> # echo $?
> 0
> """
> 
> Wkr, Sven Vermeulen
> 
> -- This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes
> as the message.
> 
Can you submit a patch to seobject.py which tells it to ignore the level flags
when MLS is disabled?

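
The behaviour requested in the reply above, as an added example that is not part of the thread and is not the policycoreutils code: the `-r` default of "s0" is dropped before a context is built whenever MLS is disabled. The parser name, `port_context_fields` and the returned dictionary are hypothetical; `selinux.is_selinux_mls_enabled()` comes from the libselinux Python bindings and is assumed to report "disabled" when the bindings are not installed.

```python
import argparse


def mls_enabled():
    """Return True if the loaded policy has MLS/MCS enabled.

    Assumption: hosts without the libselinux bindings are treated as
    MLS-disabled so the example runs anywhere.
    """
    try:
        import selinux
        return selinux.is_selinux_mls_enabled() == 1
    except ImportError:
        return False


def build_parser():
    # Same "s0" default for --range as the semanage snippet quoted in the thread.
    parser = argparse.ArgumentParser(prog="semanage-port-example")
    parser.add_argument("-t", "--type", required=True)
    parser.add_argument("-p", "--proto", required=True)
    parser.add_argument("-r", "--range", default="s0")
    parser.add_argument("port")
    return parser


def port_context_fields(argv, mls=None):
    """Hypothetical helper: the fields that would be handed to libsemanage."""
    args = build_parser().parse_args(argv)
    if mls is None:
        mls = mls_enabled()
    # Ignore the range (default or explicit) when MLS is disabled, so no
    # MLS component such as "s0" reaches libsepol's context_from_record.
    mls_range = args.range if mls else ""
    return {"type": args.type, "proto": args.proto,
            "port": args.port, "range": mls_range}


if __name__ == "__main__":
    # Constructed command line matching the one in the thread.
    print(port_context_fields(["-t", "ssh_port_t", "-p", "tcp", "2222"]))
```
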



