Hi,
On Fri, Feb 3, 2017 at 8:21 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Fri, 2017-02-03 at 16:25 +0100, Vit Mojzis wrote:
> > On 2.2.2017 20:44, Stephen Smalley wrote:
> > >
> > > On Thu, 2017-02-02 at 18:22 +0100, Vit Mojzis wrote:
> > > >
> > > > Hi list,
> > > > we have a report about a possible regression in "semanage user" and
> > > > I'd like to hear your opinion on what the correct behaviour should be.
> > > >
> > > > Given that local changes have been made to a SELinux user definition
> > > > (originally defined in policy)
> > > > e.g. # semanage user -m staff_u -r "s0"
> > > > and the SELinux user is mapped to some Linux user
> > > > # semanage login -a -s staff_u staff
> > > > both
> > > > # semanage user -d staff_u
> > > > and
> > > > # semanage user --deleteall
> > > > will fail to remove the local change with the following message:
> > > > "libsemanage.lookup_seuser: staff_u is being used by staff login
> > > > record (Invalid argument)."
> > > >
> > > > Is this the intended behaviour?
> > > >
> > > > I would assume that this error message was intended only for locally
> > > > defined SELinux users (in which case "semanage user -d selinux_user"
> > > > would remove the only definition of "selinux_user"). If so, is there
> > > > any way to determine if a SELinux user has been defined only locally
> > > > (as opposed to being defined in policy) after some local changes have
> > > > been made?
> > > Looks like this change came in via commit
> > > 56d9d20a647a52146494f0aef4494cafe328dc5d from Dan Walsh (in 2013).
> > > I agree it doesn't make sense for policy-defined users. Offhand, I
> > > don't see a clean interface for doing what you want; I'm wondering if
> > > we truly need this check at all.
> > We do, I just tried defining a new local SELinux user, assigned it to a
> > Linux user and then removed it (after removing the check). You can
> > actually even log in to the account with the invalid SELinux user, but
> > "semanage login" and "semanage user" stop working (errors regarding the
> > non-existent user).
> (restored list and cc)
> I don't see any easy way to fix. Obviously they could remove the login
> entry first and then the user, then re-add the login entry, but that's
> certainly sub-optimal.
That is actually how we currently work around this, so if semanage
could do this, it would help.
> Is this truly a regression though?
That is a good question. I do not mind keeping the current
functionality, which from a point of view, makes sense. But
we should document this properly in the man page.
Best regards,
/M
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
Miroslav Vadkerti :: Senior QE / RHCSS :: BaseOS QE Security
IRC mvadkert #qe #urt #brno #rpmdiff :: GPG 0x25881087
Red Hat Czech s.r.o, Purkyňova 99/71, 612 00, Brno, CR
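The workaround Stephen describes and Miroslav confirms using (drop the login records that reference the SELinux user, delete the local modification, then re-add the login records) can be scripted. The script below is an added example, not code from the thread or from the semanage project; it uses only the `semanage login -l`, `login -d`, `login -a`, and `user -d` invocations already discussed, and the `SEMANAGE` variable is a hypothetical override so the sequence can be exercised against a stand-in binary instead of the real tool. Run it as root on a system where the real `semanage` is present.

```shell
#!/bin/sh
# Added example (not from the thread): script the workaround for
# "semanage user -d" failing on a policy-defined SELinux user whose local
# modification cannot be removed while login records still map to it.
# SEMANAGE is a hypothetical hook so the script can be tested against a
# stand-in; it defaults to the real semanage binary.
set -u
SEMANAGE="${SEMANAGE:-semanage}"

# Read "semanage login -l" output on stdin and print "<login> <range>" for
# every record mapped to the given SELinux user. The header line and the
# blank line that follows it are skipped.
logins_mapped_to() {
    awk -v u="$1" 'NR > 1 && NF >= 3 && $2 == u { print $1, $3 }'
}

# Reset the local modification of SELinux user $1 even though login
# records reference it, by temporarily removing those records.
reset_user_mods() {
    seuser="$1"
    mapped=$("$SEMANAGE" login -l | logins_mapped_to "$seuser") || return 1

    # 1. remove every login record that references the SELinux user;
    #    this is what makes "semanage user -d" stop complaining
    printf '%s\n' "$mapped" | while read -r login range; do
        [ -n "$login" ] || continue
        "$SEMANAGE" login -d "$login" || exit 1
    done || return 1

    # 2. drop the local modification; the policy definition itself remains
    "$SEMANAGE" user -d "$seuser" || return 1

    # 3. restore the login records with the MLS/MCS range each one had
    printf '%s\n' "$mapped" | while read -r login range; do
        [ -n "$login" ] || continue
        "$SEMANAGE" login -a -s "$seuser" -r "$range" "$login" || exit 1
    done
}

# Usage: ./reset_seuser.sh staff_u
if [ "$#" -gt 0 ]; then
    reset_user_mods "$1"
fi
```

The range is captured before the login records are removed so that re-adding them does not silently fall back to the SELinux user's default range; if any step fails the function returns non-zero rather than continuing, since a half-applied sequence would leave the login records missing.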