On 10/14/2016 08:52 PM, Dominick Grift wrote: > On 10/14/2016 07:40 PM, Stephen Smalley wrote: >> When a non-MLS policy was used with genhomedircon context_from_record() >> in sepol would report an error because an MLS level was present when MLS >> is disabled. Based on a patch by Gary Tierney, amended to use >> sepol_policydb_mls_enabled rather than semanage_mls_enabled because >> we are testing the temporary working policy, not the active policy. >> >> Reported-by: Jason Zaman <jason@xxxxxxxxxxxxx> >> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> >> --- >> libsemanage/src/genhomedircon.c | 6 +++++- >> 1 file changed, 5 insertions(+), 1 deletion(-) >> >> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c >> index 6991fff..5e9d722 100644 >> --- a/libsemanage/src/genhomedircon.c >> +++ b/libsemanage/src/genhomedircon.c >> @@ -638,7 +638,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out, >> goto fail; >> } >> >> - if (sepol_context_set_user(sepolh, context, user->sename) < 0 || >> + if (sepol_context_set_user(sepolh, context, user->sename) < 0) { >> + goto fail; >> + } >> + >> + if (sepol_policydb_mls_enabled(s->policydb) && >> sepol_context_set_mls(sepolh, context, user->level) < 0) { >> goto fail; >> } >> > > I could not get this to work: > > libsemanage.validate_handler: seuser mapping [kcinimod -> (wheel.id, > s0-s0:c0.c1023)] is invalid (No such file or directory). > libsemanage.dbase_llist_iterate: could not iterate over records (No such > file or directory) > semodule: failed! > for reference: https://www.youtube.com/watch?v=yUAikbw5BSQ -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
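Review bot: in write_contexts(), the new `sepol_policydb_mls_enabled(s->policydb) &&` guard covers only the sepol_context_set_mls() call, so user->level is skipped at this one spot while the same level still travels with the seuser record on other paths. The failure quoted in the reply is raised by libsemanage.validate_handler on a mapping that carries the level s0-s0:c0.c1023, which this hunk does not touch, so it is worth checking whether seuser mapping validation needs the same working-policy MLS test. A short comment at the condition would also help: the reason for testing s->policydb (the temporary working policy) rather than calling semanage_mls_enabled is currently stated only in the commit message.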