On 10/14/2016 09:17 PM, Dominick Grift wrote:
> On 10/14/2016 09:09 PM, Dominick Grift wrote:
>> On 10/14/2016 09:08 PM, Stephen Smalley wrote:
>>> On 10/14/2016 02:58 PM, Dominick Grift wrote:
>>>> On 10/14/2016 08:52 PM, Dominick Grift wrote:
>>>>> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>>>>>> When a non-MLS policy was used with genhomedircon
>>>>>> context_from_record() in sepol would report an error because an
>>>>>> MLS level was present when MLS is disabled. Based on a patch
>>>>>> by Gary Tierney, amended to use sepol_policydb_mls_enabled
>>>>>> rather than semanage_mls_enabled because we are testing the
>>>>>> temporary working policy, not the active policy.
>>>>>>
>>>>>> Reported-by: Jason Zaman <jason@xxxxxxxxxxxxx>
>>>>>> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>>>>>> ---
>>>>>> libsemanage/src/genhomedircon.c | 6 +++++-
>>>>>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/libsemanage/src/genhomedircon.c >>>>>> b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722 >>>>>> 100644 --- a/libsemanage/src/genhomedircon.c +++ >>>>>> b/libsemanage/src/genhomedircon.c 
@@ -638,7 +638,11 @@ static >>>>>> int write_contexts(genhomedircon_settings_t *s, FILE *out, goto >>>>>> fail; } >>>>>> >>>>>> - if (sepol_context_set_user(sepolh, context, user->sename) < >>>>>> 0 || + if (sepol_context_set_user(sepolh, context, >>>>>> user->sename) < 0) { + goto fail; + } + + if >>>>>> (sepol_policydb_mls_enabled(s->policydb) && >>>>>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto >>>>>> fail; } >>>>>>
>>>>>
>>>>> I could not get this to work:
>>>>>
>>>>> libsemanage.validate_handler: seuser mapping [kcinimod ->
>>>>> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or
>>>>> directory). libsemanage.dbase_llist_iterate: could not iterate
>>>>> over records (No such file or directory) semodule: failed!
>>>>>
>>>>
>>>> for reference:
>>>>
>>>> https://www.youtube.com/watch?v=yUAikbw5BSQ
>>>
>>> Not sure about that, but with this patch, I could successfully do the
>>> following:
>>> $ cd refpolicy
>>> $ make conf
>>> $ make
>>> $ sudo make install
>>> $ sudo make load
>>>
>>> And genhomedircon ran without complaint, and I have the expected
>>> entries in file_contexts.homedirs.
>>> That's with the standard policy.
>>>
>>
>> Ok, that's good enough for me. I admit I just upgraded my systems, and
>> made major changes to my policy so it may just be me.
>>
>>
>
> I might just be wrong though but I think it has to do with how CIL
> allows you to deal with seusers in policy (defaultselinuxuser and selinuxuser)
>
> I think that is where it conflicts. Basically I suspect that it hasn't
> dealt with generating the seusers file yet, and so it looks there and
> sees a range in a non-MCS policy.
>
> So I suspect that this is an issue; it's just not as noticeable with
> refpolicy because refpolicy copies its own seusers file.
>

I think the CIL people might be able to shed some light on this, so CCing jwcart2.

In particular how "selinuxuser and defaultselinuxuser" could affect or be
affected by this patch.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
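
Review bot: In the second new `if` in write_contexts(), user->level is now dropped silently whenever sepol_policydb_mls_enabled(s->policydb) is false, and nothing in the code says why s->policydb is consulted rather than the active policy. The commit message gives the reason (the temporary working policy is the one being tested), so a one-line comment above the condition stating that would keep a later cleanup from swapping in semanage_mls_enabled. It may also be worth deciding whether a non-empty level under a non-MLS policy should be logged instead of ignored, since the reply quoted after the patch reports a seuser mapping carrying a range (s0-s0:c0.c1023) that still fails in validate_handler.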