Re: MLS is disabled, but MLS context "s0" found

On 12/11/16 11:41, Nicolas Iooss wrote:
> Hello,
> 
> When using semanage from policycoreutils 2.6 I get the following error
> every time I update something (modifying a boolean, adding a user login...):
> 
>   # semanage boolean --modify --on global_ssp
>   libsepol.context_from_record: MLS is disabled, but MLS context "s0"
>   found
>   libsepol.context_from_record: could not create context structure
>   (Invalid argument).
> 
> The code is quite clear on the reason for this warning [1]: I have
> some policy files which define file contexts with MLS context s0 even
> though I am using a non-MLS policy.
> 
> At first I thought it was an issue in the way refpolicy is being built
> (the policy I am using comes from refpolicy), but the hll files in
> /var/lib/selinux do not define s0 in the file contexts (I verified this
> using "bzcat < hll |cat -v", which showed the fc definitions).
> 
> Then I ran the hll/pp program on hll and saw that the CIL filecon
> statements use "(systemlow systemlow)", and that the base module contains:
> 
>   (sensitivity s0)
>   (sensitivityorder (s0))
>   (level systemlow (s0))
>   (mls false)
> 
> I also found a comment in module_to_cil.c describing why this is
> necessary: "CIL requires that all contexts have a range" [2].
> 
> In short, context_from_record() does not like it when a file context
> defines a sensitivity level in a non-MLS policy, and the current
> pp-to-cil compiler generates file contexts with sensitivity levels in a
> non-MLS policy. Is this a bug in libsepol or something I misconfigured
> on my system?

After sending this email I found commit 4cf9b9ce2df0 ("libsemanage:
genhomedircon: only set MLS level if MLS is enabled") and I took it in
the libsemanage package I use on my system. This fixed the issue I had,
and in fact I missed the genhomedircon step in my analysis.

Problem solved. Sorry for the noise!

Nicolas
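
A diagnostic for the condition discussed in this thread, added here as an example and not part of the original messages or of libsemanage: it scans entries in file_contexts format and lists those whose context carries an MLS range, the kind of entry context_from_record rejects on a non-MLS policy. The function names and the sample lines are constructed for illustration.

```python
"""Flag file-context entries that carry an MLS range (added example)."""

# Constructed sample in file_contexts format: path regex, optional file-type
# flag, then the context. Not taken from any real system.
SAMPLE = """\
# constructed sample
/home/[^/]+/.+\tsystem_u:object_r:user_home_t:s0
/home/[^/]+\t-d\tsystem_u:object_r:user_home_dir_t
/root(/.*)?\tsystem_u:object_r:user_home_dir_t:s0-s0:c0.c1023
/tmp/scratch\t<<none>>
"""


def split_context(context):
    """Return (user, role, type, mls_range); mls_range is None if absent."""
    # Split at most three times: the range itself may contain ':'
    # (sensitivity:categories), so it must stay in one piece.
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    user, role, type_ = parts[:3]
    mls_range = parts[3] if len(parts) == 4 else None
    return user, role, type_, mls_range


def find_mls_contexts(text):
    """List (line_number, path, mls_range) for entries with an MLS range."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        path, context = fields[0], fields[-1]
        if context == "<<none>>":  # entry that assigns no label at all
            continue
        mls_range = split_context(context)[3]
        if mls_range is not None:
            hits.append((lineno, path, mls_range))
    return hits


if __name__ == "__main__":
    for lineno, path, mls_range in find_mls_contexts(SAMPLE):
        print("line %d: %s has MLS range %r" % (lineno, path, mls_range))
```

On a non-MLS policy every reported line is a candidate for the error quoted above; on an MLS policy the same entries are expected.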