Re: possible regression in "semanage user"

On Thu, 2017-02-02 at 18:22 +0100, Vit Mojzis wrote:
> Hi list,
> we have a report about a possible regression in "semanage user" and I'd
> like to hear your opinion on what the correct behaviour should be.
> 
> Given that local changes have been made to a SELinux user definition 
> (originally defined in policy)
> e.g. # semanage user -m staff_u -r "s0"
> and the SELinux user is mapped to some Linux user
> # semanage login -a -s staff_u staff
> both
> # semanage user -d staff_u
> and
> # semanage user --deleteall
> will fail to remove the local change with the following message:
> "libsemanage.lookup_seuser: staff_u is being used by staff login record
> (Invalid argument)."
> 
> Is this the intended behaviour?
> 
> I would assume that this error message was intended only for locally
> defined SELinux users (in which case "semanage user -d selinux_user"
> would remove the only definition of "selinux_user"). If so, is there any
> way to determine if a SELinux user has been defined only locally (as
> opposed to being defined in policy) after some local changes have been
> made?

Looks like this change came in via commit
56d9d20a647a52146494f0aef4494cafe328dc5d from Dan Walsh (in 2013).
I agree it doesn't make sense for policy-defined users.  Offhand, I
don't see a clean interface for doing what you want; I'm wondering if
we truly need this check at all.