On Fri, 2017-02-03 at 16:25 +0100, Vit Mojzis wrote:
> On 2.2.2017 20:44, Stephen Smalley wrote:
> > On Thu, 2017-02-02 at 18:22 +0100, Vit Mojzis wrote:
> > > Hi list,
> > > we have a report about a possible regression in "semanage user" and
> > > I'd like to hear your opinion on what the correct behaviour should be.
> > >
> > > Given that local changes have been made to a SELinux user definition
> > > (originally defined in policy)
> > > e.g. # semanage user -m staff_u -r "s0"
> > > and the SELinux user is mapped to some Linux user
> > > # semanage login -a -s staff_u staff
> > > both
> > > # semanage user -d staff_u
> > > and
> > > # semanage user --deleteall
> > > will fail to remove the local change with the following message:
> > > "libsemanage.lookup_seuser: staff_u is being used by staff login record
> > > (Invalid argument)."
> > >
> > > Is this the intended behaviour?
> > >
> > > I would assume that this error message was intended only for locally
> > > defined SELinux users (in which case "semanage user -d selinux_user"
> > > would remove the only definition of "selinux_user"). If so, is there
> > > any way to determine if a SELinux user has been defined only locally
> > > (as opposed to being defined in policy) after some local changes have
> > > been made?
> > Looks like this change came in via commit
> > 56d9d20a647a52146494f0aef4494cafe328dc5d from Dan Walsh (in 2013).
> > I agree it doesn't make sense for policy-defined users. Offhand, I
> > don't see a clean interface for doing what you want; I'm wondering if
> > we truly need this check at all.
> We do, I just tried defining a new local SELinux user, assigned it to a
> Linux user and then removed it (after removing the check). You can
> actually even log in to the account with an invalid SELinux user, but
> "semanage login" and "semanage user" stop working (errors regarding a
> non-existent user).
(restored list and cc)

I don't see any easy way to fix. Obviously they could remove the login
entry first and then the user, then re-add the login entry, but that's
certainly sub-optimal. Is this truly a regression though?

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
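The workaround Stephen describes (drop the login record, drop the local change to the policy-defined user, re-add the login record) as a POSIX sh function; this is an added example, not code from the thread or from the semanage project. It assumes semanage(8) is on PATH and the caller is root, and the SEMANAGE variable can be pointed at a wrapper that only logs its arguments for a dry run. The function does not read the existing record's MLS/MCS range back; pass it as the optional third argument if the mapping had an explicit one.

```shell
# Added example (not from the thread or the semanage project).
# Assumes semanage(8) is on PATH and that we run as root; SEMANAGE may be
# overridden with a wrapper for a dry run.
SEMANAGE="${SEMANAGE:-semanage}"

# add_login LOGIN SEUSER [RANGE]: re-create the login mapping, keeping an
# explicit MLS/MCS range if the original record carried one.
add_login() {
    if [ -n "$3" ]; then
        "$SEMANAGE" login -a -s "$2" -r "$3" "$1"
    else
        "$SEMANAGE" login -a -s "$2" "$1"
    fi
}

# reset_selinux_user LOGIN SEUSER [RANGE]
# Removes the login record that blocks "semanage user -d SEUSER", drops the
# local modification of SEUSER (for a policy-defined user this restores the
# policy definition), then restores the login record.
# Returns 0 on success, 1 if a step failed (the mapping is put back when the
# user deletion is refused, so LOGIN is never left without a record), and
# 2 on bad arguments.
reset_selinux_user() {
    login="$1"; seuser="$2"; range="$3"
    if [ -z "$login" ] || [ -z "$seuser" ]; then
        echo "usage: reset_selinux_user LOGIN SEUSER [RANGE]" >&2
        return 2
    fi
    "$SEMANAGE" login -d "$login" || return 1
    if ! "$SEMANAGE" user -d "$seuser"; then
        # Deletion still refused (or failed for another reason): restore
        # the mapping before reporting the failure.
        add_login "$login" "$seuser" "$range"
        return 1
    fi
    add_login "$login" "$seuser" "$range"
}
```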