semanage error when upgrading to RHEL 6.5

Andy Ruch adruch2002 at yahoo.com
Fri Feb 21 15:06:26 UTC 2014

> On Friday, February 21, 2014 1:55 AM, Miroslav Grepl <mgrepl at redhat.com> wrote:
>> On 02/20/2014 11:30 PM, Andy Ruch wrote:
>>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>>>> On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>> On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>>> On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>>>> On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have a policy that was originally written for RHEL 6.2. I’m now
>>>>>>>> trying to upgrade to RHEL 6.5 and I’m having problems with semanage.
>>>>>>>> I can install a fresh RHEL 6.5 system with the targeted policy and
>>>>>>>> everything works fine. I then uninstall the targeted policy and
>>>>>>>> install my policy and I can’t link the Linux user and SELinux user.
>>>>>>>>
>>>>>>>>>> semanage user -a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 testuser_u
>>>>>>>>>> useradd -G wheel testuser
>>>>>>>>>> semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser
>>>>>>>> libsemanage.dbase_llist_query: could not query record value
>>>>>>>> /usr/sbin/semanage: Could not query user for testuser
>>>>>>>>
>>>>>>>> I have the RHEL 6.5 source code for libsemanage and the targeted
>>>>>>>> policy but so far I haven't been able to find differences that would
>>>>>>>> affect this problem. Could someone please point me in the right
>>>>>>>> direction as far as what semanage is expecting? What would prevent
>>>>>>>> libsemanage from querying for the user?
>>>>>>>>
>>>>>>>> Thanks, Andy
>>>>>>>>
>>>>>>>> --
>>>>>>>> selinux mailing list
>>>>>>>> selinux at lists.fedoraproject.org
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>
>>>>>>> What does semanage login -l and semanage user -l show?
>>>>>> semanage user -l shows:
>>>>>>
>>>>>>                 Labeling   MLS/       MLS/
>>>>>> SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles
>>>>>>
>>>>>> root            user       s0         s0-s0:c0.c1023  system_r
>>>>>> system_u        user       s0         s0-s0:c0.c1023  system_r
>>>>>> testuser_u      user       s0         s0-s0:c0.c1023  staff_r sysadm_r
>>>>>> user_u          user       s0         s0              user_r
>>>>>>
>>>>>> semanage login -l shows:
>>>>>>
>>>>>> Login Name                SELinux User              MLS/MCS Range
>>>>>>
>>>>>> root                      root                      s0-s0:c0.c1023
>>>>>> system_u                  system_u                  s0-s0:c0.c1023
>>>>>> 
>>>>>> 
>>>>> And the testuser exists in /etc/passwd?
>>>>> 
>>>> 
>>>> Yes. The commands "semanage user -a" and "useradd" appear to work fine.
>>>> It's the "semanage login -a" that has trouble.
>>>> 
>>> And this is with the stock policycoreutils or a rebuilt one?
>>> 
>> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy
>> and selinux-policy-targeted RPMs and add my policy RPMs.
> 
> Probably not related but could you test it in permissive?
> 
> Also any chance to strace it and send us your output?
> 
> Regards,
> Miroslav
>

Sorry. I should have specified that earlier. This has all been in permissive.

I will work on getting an strace.

