Re: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled

On 10/14/2016 03:26 PM, Dominick Grift wrote:
On 10/14/2016 09:17 PM, Dominick Grift wrote:
On 10/14/2016 09:09 PM, Dominick Grift wrote:
On 10/14/2016 09:08 PM, Stephen Smalley wrote:
On 10/14/2016 02:58 PM, Dominick Grift wrote:
On 10/14/2016 08:52 PM, Dominick Grift wrote:
On 10/14/2016 07:40 PM, Stephen Smalley wrote:
When a non-MLS policy was used with genhomedircon
context_from_record() in sepol would report an error because an
MLS level was present when MLS is disabled.  Based on a patch
by Gary Tierney, amended to use sepol_policydb_mls_enabled
rather than semanage_mls_enabled because we are testing the
temporary working policy, not the active policy.

Reported-by: Jason Zaman <jason@xxxxxxxxxxxxx>
Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
 libsemanage/src/genhomedircon.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libsemanage/src/genhomedircon.c
b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722
100644 --- a/libsemanage/src/genhomedircon.c +++
b/libsemanage/src/genhomedircon.c @@ -638,7 +638,11 @@ static
int write_contexts(genhomedircon_settings_t *s, FILE *out, goto
fail; }

-		if (sepol_context_set_user(sepolh, context, user->sename) <
0 || +		if (sepol_context_set_user(sepolh, context,
user->sename) < 0) { +			goto fail; +		} + +		if
(sepol_policydb_mls_enabled(s->policydb) &&
sepol_context_set_mls(sepolh, context, user->level) < 0) { goto
fail; }
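Review bot: the MLS guard only changes write_contexts(), so the libsemanage.validate_handler error quoted later in this thread ("seuser mapping [kcinimod -> (wheel.id, s0-s0:c0.c1023)] is invalid") appears to come from seuser record validation, a separate path this hunk does not touch, and should not be taken as a failure of this change. One small point inside the hunk: when sepol_policydb_mls_enabled(s->policydb) is false, a non-empty user->level is dropped without comment; a one-line comment above the second `if` stating that the level is intentionally ignored for non-MLS policies would tell the next reader that the range is not meant to be validated here.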


I could not get this to work:

libsemanage.validate_handler: seuser mapping [kcinimod -> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory)
semodule: failed!


for reference:

https://www.youtube.com/watch?v=yUAikbw5BSQ

Not sure about that, but with this patch, I could successfully do the
following:
$ cd refpolicy
$ make conf
$ make
$ sudo make install
$ sudo make load

And genhomedircon ran without complaint, and I have the expected
entries in file_contexts.homedirs.
That's with the standard policy.


Ok, that's good enough for me. I admit I just upgraded my systems and
made major changes to my policy, so it may just be me.



I might just be wrong, though, but I think it has to do with how CIL
allows you to deal with seusers in policy (defaultselinuxuser and selinuxuser).

I think that is where it conflicts. Basically, I suspect that it hasn't
dealt with generating the seusers file yet, and so it looks there and
sees a range in a non-MCS policy.

So I suspect that this is an issue; it's just not noticeable with
refpolicy because refpolicy copies its own seusers file.


I think the CIL people might be able to shed some light on this, so CCing
jwcart2.

In particular how "selinuxuser and defaultselinuxuser" could affect or
be affected by this patch


They won't be affected. cil_selinuxusers_to_string() will only print the MLS parts if an MLS policy is specified.

Jim



_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.



--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency


