On Friday, February 21, 2014 1:55 AM, Miroslav Grepl <mgrepl(a)redhat.com> wrote:
> On 02/20/2014 11:30 PM, Andy Ruch wrote:
>
>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>>
>>>> On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>> On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>>
>>>>> On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>>>> On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have a policy that was originally written for RHEL 6.2. I’m now
>>>>>>> trying to upgrade to RHEL 6.5 and I’m having problems with semanage. I
>>>>>>> can install a fresh RHEL 6.5 system with the targeted policy and
>>>>>>> everything works fine. I then uninstall the targeted policy and install
>>>>>>> my policy and I can’t link the linux user and selinux user.
>>>>>>>
>>>>>>>>> semanage user -a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 testuser_u
>>>>>>>>> useradd -G wheel testuser
>>>>>>>>> semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser
>>>>>>> libsemanage.dbase_llist_query: could not query record value
>>>>>>> /usr/sbin/semanage: Could not query user for testuser
>>>>>>>
>>>>>>>
>>>>>>> I have the RHEL 6.5 source code for libsemanage and the targeted policy
>>>>>>> but so far I haven't been able to find differences that would affect
>>>>>>> this problem. Could someone please point me in the right direction as
>>>>>>> far as what semanage is expecting? What would prevent libsemanage from
>>>>>>> querying for the user?
>>>>>>>
>>>>>>> Thanks, Andy
>>>>>>>
>>>>>>> --
>>>>>>> selinux mailing list
>>>>>>> selinux(a)lists.fedoraproject.org
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>> What does semanage login -l and semanage user -l show?
>>>>> semanage user -l shows:
>>>>>
>>>>>                 Labeling   MLS/       MLS/
>>>>> SELinux User    Prefix     MCS Level  MCS Range         SELinux Roles
>>>>>
>>>>> root            user       s0         s0-s0:c0.c1023    system_r
>>>>> system_u        user       s0         s0-s0:c0.c1023    system_r
>>>>> testuser_u      user       s0         s0-s0:c0.c1023    staff_r sysadm_r
>>>>> user_u          user       s0         s0                user_r
>>>>>
>>>>> semanage login -l shows:
>>>>>
>>>>> Login Name      SELinux User    MLS/MCS Range
>>>>>
>>>>> root            root            s0-s0:c0.c1023
>>>>> system_u        system_u        s0-s0:c0.c1023
>>>> And the testuser exists in /etc/passwd?
>>>
>>> Yes. The commands "semanage user -a" and "useradd" appear to work fine.
>>> It's the "semanage login -a" that has trouble.
>>>
>> And this is with the stock policycoreutils or a rebuilt one?
> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy
> and selinux-policy-targeted RPMs and add my policy RPMs.
Probably not related but could you test it in permissive?
Also any chance to strace it and send us your output?

Regards,
Miroslav

Sorry. I should have specified that earlier. This has all been in permissive.
I will work on getting an strace.