Nicolas Iooss <nicolas.iooss@xxxxxxx> writes:

> Using Vagrant with fedora/28-cloud-base image, SELinux logins are
> configured this way:
>
> # semanage login -l
> Login Name           SELinux User         MLS/MCS Range        Service
>
> __default__          unconfined_u         s0-s0:c0.c1023       *
> root                 unconfined_u         s0-s0:c0.c1023       *
> vagrant              unconfined_u         s0-s0:c0.c1023       *
>
> Using "chcat -l +c42 vagrant" successfully adds the category to user
> vagrant, but "chcat -l -- -c42 vagrant" fails to remove it.
> semanage login -l returns:
>
> vagrant              unconfined_u         s0-s0:c0.c1023,c42   *
>
> This issue is caused by expandCats(), which refuses to return a list of
> more than 25 categories. This causes chcat_user_remove() to work with
> cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to
> it not being able to remove 'c42' from the list.
>
> Fix this issue by splitting the list of categories before calling
> expandCats().
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>

Acked-by: Petr Lautrbach <plautrba@xxxxxxxxxx>

> --- > python/chcat/chcat | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) > > diff --git a/python/chcat/chcat b/python/chcat/chcat > index 73f757258807..5bef0073b7a4 100755 > --- a/python/chcat/chcat > +++ b/python/chcat/chcat > @@ -82,8 +82,7 @@ def chcat_user_add(newcat, users): > if len(serange) > 1: > top = serange[1].split(":") > if len(top) > 1: > - cats.append(top[1]) > - cats = expandCats(cats) > + cats = expandCats(top[1].split(',')) > > for i in newcat[1:]: > if i not in cats: > @@ -163,8 +162,7 @@ def chcat_user_remove(newcat, users): > if len(serange) > 1: > top = serange[1].split(":") > if len(top) > 1: > - cats.append(top[1]) > - cats = expandCats(cats) > + cats = expandCats(top[1].split(',')) > > for i in newcat[1:]: > if i in cats:
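Review bot: in the chcat_user_add hunk, the `if i not in cats:` test that follows the new `cats = expandCats(top[1].split(','))` still compares against list elements as literal strings, so a category already covered by an unexpanded range element is treated as absent. The report shows the result: adding c42 to a login whose range is already c0.c1023 yields `s0-s0:c0.c1023,c42`, a redundant entry. Since the commit message says expandCats() refuses to return more than 25 categories, the range element stays as 'c0.c1023' after the split; consider checking range coverage before appending, or at least noting the limitation in a comment here. The same expression is now duplicated in chcat_user_remove, so a small shared helper that parses `top[1]` would keep the two from drifting.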
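Review bot: in the chcat_user_remove hunk, `if i in cats:` after the new assignment only matches categories that appear as their own list element, so removing a category that is covered solely by the unexpanded range (for example a category inside c0.c1023 with no explicit entry) would still do nothing, going by the visible lines. That leaves the login's MCS range broader than the administrator asked for without any visible feedback; it would help to report when a requested category was not found, and to add a regression test for the `c0.c1023,c42` case from the report. Separately, the commit message gives the expected value as `cats=['c0.c102','c42']`, which looks like a truncated 'c0.c1023' and is worth correcting before this is applied.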