Hello, When using semanage from policycoreutils 2.6 I get the following error every time I update something (modifying a boolean, adding a user login...): # semanage boolean --modify --on global_ssp libsepol.context_from_record: MLS is disabled, but MLS context "s0" found libsepol.context_from_record: could not create context structure (Invalid argument). In the code is quite clear on the reason of this warning [1]: I have some policy files which define file contexts with MLS context s0 even though I am using a non-MLS policy. At first I thought it was an issue in the way refpolicy is being build (the policy I am using comes from refpolicy), but the hll files in /var/lib/selinux do not define s0 in the file contexts (I verified this using "bzcat < hll |cat -v", which showed the fc definitions). Then I ran the hll/pp program on hll and saw that the CIL filecon statements use "(systemlow systemlow)", and that the base module contains: (sensitivity s0) (sensitivityorder (s0)) (level systemlow (s0)) (mls false) I also found a comment in module_to_cil.c describing why this is necessary: "CIL requires that all contexts have a range" [2]. In short, context_from_record() does not like when a file context defines a sensitivity level in a non-MLS policy and the current pp-to-cil compiler generates file contexts with sensitivity levels, in a non-MLS policy. Is this a bug in libsepol or something I misconfigured on my system? Thanks, Nicolas [1] https://github.com/SELinuxProject/selinux/blob/libsepol-2.6/libsepol/src/context.c#L196 [2] https://github.com/SELinuxProject/selinux/blob/libsepol-2.6/libsepol/src/module_to_cil.c#L3969 _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
