On 10/14/2016 09:54 PM, James Carter wrote:
> On 10/14/2016 03:26 PM, Dominick Grift wrote:
>> On 10/14/2016 09:17 PM, Dominick Grift wrote:
>>> On 10/14/2016 09:09 PM, Dominick Grift wrote:
>>>> On 10/14/2016 09:08 PM, Stephen Smalley wrote:
>>>>> On 10/14/2016 02:58 PM, Dominick Grift wrote:
>>>>>> On 10/14/2016 08:52 PM, Dominick Grift wrote:
>>>>>>> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>>>>>>>> When a non-MLS policy was used with genhomedircon
>>>>>>>> context_from_record() in sepol would report an error because an
>>>>>>>> MLS level was present when MLS is disabled. Based on a patch
>>>>>>>> by Gary Tierney, amended to use sepol_policydb_mls_enabled
>>>>>>>> rather than semanage_mls_enabled because we are testing the
>>>>>>>> temporary working policy, not the active policy.
>>>>>>>>
>>>>>>>> Reported-by: Jason Zaman <jason@xxxxxxxxxxxxx>
>>>>>>>> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>>>>>>>> ---
>>>>>>>>  libsemanage/src/genhomedircon.c | 6 +++++-
>>>>>>>>  1 file changed, 5 insertions(+), 1 deletion(-)
>>>>>>>>
>>>>>>>> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
>>>>>>>> index 6991fff..5e9d722 100644
>>>>>>>> --- a/libsemanage/src/genhomedircon.c
>>>>>>>> +++ b/libsemanage/src/genhomedircon.c
@@ -638,7 +638,11 @@ static >>>>>>>> int write_contexts(genhomedircon_settings_t *s, FILE *out, goto >>>>>>>> fail; } >>>>>>>> >>>>>>>> - if (sepol_context_set_user(sepolh, context, >>>>>>>> user->sename) < >>>>>>>> 0 || + if (sepol_context_set_user(sepolh, context, >>>>>>>> user->sename) < 0) { + goto fail; + } + >>>>>>>> + if >>>>>>>> (sepol_policydb_mls_enabled(s->policydb) && >>>>>>>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto >>>>>>>> fail; } >>>>>>>>
>>>>>>>
>>>>>>> I could not get this to work:
>>>>>>>
>>>>>>> libsemanage.validate_handler: seuser mapping [kcinimod -> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or directory).
>>>>>>> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory)
>>>>>>> semodule: failed!
>>>>>>>
>>>>>>
>>>>>> for reference:
>>>>>>
>>>>>> https://www.youtube.com/watch?v=yUAikbw5BSQ
>>>>>
>>>>> Not sure about that, but with this patch, I could successfully do the
>>>>> following:
>>>>> $ cd refpolicy
>>>>> $ make conf
>>>>> $ make
>>>>> $ sudo make install
>>>>> $ sudo make load
>>>>>
>>>>> And genhomedircon ran without complaint, and I have the expected
>>>>> entries in file_contexts.homedirs.
>>>>> That's with the standard policy.
>>>>>
>>>>
>>>> Ok, that's good enough for me. I admit I just upgraded my systems, and
>>>> made major changes to my policy, so it may just be me.
>>>>
>>>>
>>>
>>> I might just be wrong though, but I think it has to do with how CIL
>>> allows you to deal with seusers in policy (defaultselinuxuser and
>>> selinuxuser).
>>>
>>> I think that is where it conflicts. Basically I suspect that it hasn't
>>> dealt with generating the seusers file yet, and so it looks there and
>>> sees a range in a non-MCS policy.
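Review bot: with the `||` split into two `if` blocks, the second block now silently ignores `user->level` whenever `sepol_policydb_mls_enabled(s->policydb)` is false, even though the seuser record may still carry a range; a one-line comment above `+ if (sepol_policydb_mls_enabled(s->policydb) &&` stating that the working policy's flag (rather than semanage_mls_enabled, as the commit message explains) is consulted on purpose and that a level in the record is deliberately dropped for non-MLS builds would spare the next reader a trip to the log. The error path is unchanged by the restructuring (both failures still `goto fail`), which is fine.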
>>>
>>> So I suspect that this is an issue, it's just not noticeable with
>>> refpolicy because refpolicy copies its own seusers file.
>>>
>>
>> I think the CIL people might be able to shed some light on this, so CCing
>> jwcart2.
>>
>> In particular how "selinuxuser and defaultselinuxuser" could affect or
>> be affected by this patch.
>>
>
> They won't be affected. cil_selinuxusers_to_string() will only print the
> mls parts if a MLS policy is specified.

And the other way around? Could the patch above cause things to break
because the seusers aren't updated yet? E.g. switching on the fly from an
MLS policy to a standard policy: the seusers need to be processed. Could
it be that this patch makes it fail because the seusers haven't been
processed yet, as you can see here:

libsemanage.validate_handler: seuser mapping [kcinimod -> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory)
semodule: failed!

It is referring to my seuser mapping. That mapping is from the initial
MLS policy. So it hasn't been processed yet, because if it was then it
would not have mentioned the s0-s0:c0.c1023.

> Jim

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
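The failure mode the thread is circling, a seuser record that still carries an MLS/MCS range while the policy being built has MLS disabled, can be shown in a few lines. The following is an added example, not libsemanage or libsepol code: `context_from_record()` here is a hypothetical stand-in for the sepol behaviour the commit message describes (reject a record whose level is set while MLS is disabled), `struct seuser_rec` and the `object_r`/`user_home_t` role and type are constructed for the demonstration, and `write_context_old()`/`write_context_new()` mirror the before and after of the patched `write_contexts()` logic.

```c
/* Added example (not libsemanage/libsepol code): assembling a context
 * string from a seuser-style record, and why the MLS field must only be
 * set when the working policy actually has MLS enabled. */
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a libsemanage seuser record. */
struct seuser_rec {
    const char *sename;  /* SELinux user, e.g. "user_u" */
    const char *level;   /* range from seusers; may be set even when the
                            policy being built is non-MLS (a stale mapping) */
};

/* Analogue of sepol's context_from_record() as the commit message
 * describes it: a record carrying a level is an error when MLS is
 * disabled. Writes "user:role:type[:level]" to out. Returns 0 or -1. */
int context_from_record(int mls_enabled, const char *user, const char *role,
                        const char *type, const char *level,
                        char *out, size_t outlen)
{
    int n;
    if (!mls_enabled && level != NULL)
        return -1;                    /* MLS level present, MLS disabled */
    if (mls_enabled) {
        if (level == NULL)
            return -1;                /* an MLS policy needs a level */
        n = snprintf(out, outlen, "%s:%s:%s:%s", user, role, type, level);
    } else {
        n = snprintf(out, outlen, "%s:%s:%s", user, role, type);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Pre-patch behaviour: the record's level is always handed on, so a
 * non-MLS build trips over a stale range. */
int write_context_old(int mls_enabled, const struct seuser_rec *u,
                      char *out, size_t outlen)
{
    return context_from_record(mls_enabled, u->sename, "object_r",
                               "user_home_t", u->level, out, outlen);
}

/* Patched behaviour: consult the working policy's MLS flag and only pass
 * the level when MLS is enabled. */
int write_context_new(int mls_enabled, const struct seuser_rec *u,
                      char *out, size_t outlen)
{
    return context_from_record(mls_enabled, u->sename, "object_r",
                               "user_home_t",
                               mls_enabled ? u->level : NULL, out, outlen);
}

int main(void)
{
    /* Constructed record: a mapping that still carries an MCS range, as in
     * the error quoted in the thread, while the policy is non-MLS. */
    struct seuser_rec u = { "user_u", "s0-s0:c0.c1023" };
    char buf[128];

    printf("old, non-MLS policy: %s\n",
           write_context_old(0, &u, buf, sizeof buf) ? "error" : buf);
    printf("new, non-MLS policy: %s\n",
           write_context_new(0, &u, buf, sizeof buf) ? "error" : buf);
    printf("new, MLS policy:     %s\n",
           write_context_new(1, &u, buf, sizeof buf) ? "error" : buf);
    return 0;
}
```

The old path fails for the non-MLS case exactly because the record's range is forwarded unconditionally; the new path drops it when the policy being built has no MLS, and still emits the full `user:role:type:range` context when it does. Note that this only protects the context genhomedircon writes; a seuser record with a stale range is still a separate record for the seusers validation step to reject, which is what the quoted `validate_handler` error is about.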
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.