On 10/14/2016 02:58 PM, Dominick Grift wrote: > On 10/14/2016 08:52 PM, Dominick Grift wrote: >> On 10/14/2016 07:40 PM, Stephen Smalley wrote: >>> When a non-MLS policy was used with genhomedircon >>> context_from_record() in sepol would report an error because an >>> MLS level was present when MLS is disabled. Based on a patch >>> by Gary Tierney, amended to use sepol_policydb_mls_enabled >>> rather than semanage_mls_enabled because we are testing the >>> temporary working policy, not the active policy. >>> >>> Reported-by: Jason Zaman <jason@xxxxxxxxxxxxx> Signed-off-by: >>> Stephen Smalley <sds@xxxxxxxxxxxxx> --- >>> libsemanage/src/genhomedircon.c | 6 +++++- 1 file changed, 5 >>> insertions(+), 1 deletion(-) >>> >>> diff --git a/libsemanage/src/genhomedircon.c >>> b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722 >>> 100644 --- a/libsemanage/src/genhomedircon.c +++ >>> b/libsemanage/src/genhomedircon.c 
@@ -638,7 +638,11 @@ static >>> int write_contexts(genhomedircon_settings_t *s, FILE *out, goto >>> fail; } >>> >>> - if (sepol_context_set_user(sepolh, context, user->sename) < >>> 0 || + if (sepol_context_set_user(sepolh, context, >>> user->sename) < 0) { + goto fail; + } + + if >>> (sepol_policydb_mls_enabled(s->policydb) && >>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto >>> fail; } >>> >> >> I could not get this to work: >> >> libsemanage.validate_handler: seuser mapping [kcinimod -> >> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or >> directory). libsemanage.dbase_llist_iterate: could not iterate >> over records (No such file or directory) semodule: failed! >> > > for reference: > > https://www.youtube.com/watch?v=yUAikbw5BSQ

Not sure about that, but with this patch, I could successfully do the following:

$ cd refpolicy
$ make conf
$ make
$ sudo make install
$ sudo make load

And genhomedircon ran without complaint, and I have the expected entries in file_contexts.homedirs. That's with the standard policy.
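Review bot: the new second condition in write_contexts() silently skips user->level whenever sepol_policydb_mls_enabled(s->policydb) is false, and nothing in the code says why the test is made against s->policydb. A one-line comment above that `if`, stating that the check is on the temporary working policy rather than the active one (the reason given in the commit message for not using semanage_mls_enabled), would keep a later cleanup from swapping the call back. The hunk only touches write_contexts(), while the failure quoted in the thread is raised by libsemanage.validate_handler for a seuser mapping that carries the range s0-s0:c0.c1023, so that report comes from a path this change does not cover. It is worth checking whether that validation needs the same MLS-enabled test before treating the non-MLS case as fixed.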