semanage error when upgrading to RHEL 6.5

Miroslav Grepl mgrepl at redhat.com
Fri Feb 21 08:54:52 UTC 2014


On 02/20/2014 11:30 PM, Andy Ruch wrote:
>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>
>> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>>
>>>>   On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>
>>>>   On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>>
>>>>>   On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>>>
>>>>>>   On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>>>>>>   Hello,
>>>>>>>
>>>>>>>   I have a policy that was originally written for RHEL 6.2. I’m now
>>>>>>>   trying to upgrade to RHEL 6.5 and I’m having problems with semanage. I
>>>>>>>   can install a fresh RHEL 6.5 system with the targeted policy and
>>>>>>>   everything works fine. I then uninstall the targeted policy and install
>>>>>>>   my policy and I can’t link the linux user and selinux user.
>>>>>>>
>>>>>>>>>   semanage user -a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 testuser_u
>>>>>>>>>   useradd -G wheel testuser
>>>>>>>>>   semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser
>>>>>>>   libsemanage.dbase_llist_query: could not query record value
>>>>>>>   /usr/sbin/semanage: Could not query user for testuser
>>>>>>>
>>>>>>>   I have the RHEL 6.5 source code for libsemanage and the targeted policy
>>>>>>>   but so far I haven't been able to find differences that would affect
>>>>>>>   this problem. Could someone please point me in the right direction as
>>>>>>>   far as what semanage is expecting?  What would prevent libsemanage from
>>>>>>>   querying for the user?
>>>>>>>
>>>>>>>   Thanks, Andy
>>>>>>>
>>>>>>>   -- selinux mailing list selinux at lists.fedoraproject.org
>>>>>>>   https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>>   What does semanage login -l and semanage user -l show?
>>>>>>
>>>>>   semanage user -l shows:
>>>>>
>>>>>                   Labeling   MLS/       MLS/
>>>>>   SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
>>>>>
>>>>>   root            user       s0         s0-s0:c0.c1023   system_r
>>>>>   system_u        user       s0         s0-s0:c0.c1023   system_r
>>>>>   testuser_u      user       s0         s0-s0:c0.c1023   staff_r sysadm_r
>>>>>   user_u          user       s0         s0               user_r
>>>>>
>>>>>
>>>>>
>>>>>   semanage login -l shows:
>>>>>
>>>>>
>>>>>   Login Name                SELinux User              MLS/MCS Range
>>>>>
>>>>>
>>>>>   root                      root                      s0-s0:c0.c1023
>>>>>   system_u                  system_u                  s0-s0:c0.c1023
>>>>>
>>>>   And the testuser exists in /etc/passwd?
>>>>
>>>
>>>   Yes. The commands "semanage user -a" and "useradd" appear to work fine.
>>>   It's the "semanage login -a" that has trouble.
>>>
>> And this is with the stock policycoreutils or a rebuilt one?
>>
> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy and selinux-policy-targeted RPMs and add my policy RPMs.
Probably not related but could you test it in permissive?

Also any chance to strace it and send us your output?

Regards,
Miroslav

