On 22.02.2014 at 13:00, selinux-request@lists.fedoraproject.org wrote:
Today's Topics:
- Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
Message: 1
Date: Fri, 21 Feb 2014 07:06:26 -0800 (PST)
From: Andy Ruch adruch2002@yahoo.com
To: Miroslav Grepl mgrepl@redhat.com
Cc: Daniel J Walsh dwalsh@redhat.com, Fedora SELinux selinux@lists.fedoraproject.org
Subject: Re: semanage error when upgrading to RHEL 6.5
Message-ID: 1392995186.92907.YahooMailNeo@web124901.mail.ne1.yahoo.com
Content-Type: text/plain; charset=utf-8

On Friday, February 21, 2014 1:55 AM, Miroslav Grepl mgrepl@redhat.com wrote:
> On 02/20/2014 11:30 PM, Andy Ruch wrote:
>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh dwalsh@redhat.com wrote:
>>> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>>> On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh dwalsh@redhat.com wrote:
>>>>> On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>>> On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh dwalsh@redhat.com wrote:
>>>>>>> On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have a policy that was originally written for RHEL 6.2. I’m now
>>>>>>>> trying to upgrade to RHEL 6.5 and I’m having problems with semanage.
>>>>>>>> I can install a fresh RHEL 6.5 system with the targeted policy and
>>>>>>>> everything works fine. I then uninstall the targeted policy and
>>>>>>>> install my policy and I can’t link the linux user and selinux user.
>>>>>>>>
>>>>>>>> semanage user -a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 testuser_u
>>>>>>>> useradd -G wheel testuser
>>>>>>>> semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser
>>>>>>>> libsemanage.dbase_llist_query: could not query record value
>>>>>>>> /usr/sbin/semanage: Could not query user for testuser
>>>>>>>>
>>>>>>>> I have the RHEL 6.5 source code for libsemanage and the targeted
>>>>>>>> policy but so far I haven't been able to find differences that would
>>>>>>>> affect this problem. Could someone please point me in the right
>>>>>>>> direction as far as what semanage is expecting? What would prevent
>>>>>>>> libsemanage from querying for the user?
>>>>>>>>
>>>>>>>> Thanks, Andy
>>>>>>>>
>>>>>>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>>> What does semanage login -l and semanage user -l show?
>>>>>>
>>>>>> semanage user -l shows:
>>>>>>
>>>>>>                 Labeling   MLS/       MLS/
>>>>>> SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
>>>>>>
>>>>>> root            user       s0         s0-s0:c0.c1023   system_r
>>>>>> system_u        user       s0         s0-s0:c0.c1023   system_r
>>>>>> testuser_u      user       s0         s0-s0:c0.c1023   staff_r sysadm_r
>>>>>> user_u          user       s0         s0               user_r
>>>>>>
>>>>>> semanage login -l shows:
>>>>>>
>>>>>> Login Name      SELinux User    MLS/MCS Range
>>>>>>
>>>>>> root            root            s0-s0:c0.c1023
>>>>>> system_u        system_u        s0-s0:c0.c1023
>>>>>
>>>>> And the testuser exists in /etc/passwd?
>>>>
>>>> Yes. The commands "semanage user -a" and "useradd" appear to work fine.
>>>> It's the "semanage login -a" that has trouble.
>>>
>>> And this is with the stock policycoreutils or a rebuilt one?
>>
>> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy
>> and selinux-policy-targeted RPMs and add my policy RPMs.
>
> Probably not related but could you test it in permissive?
> Also any chance to strace it and send us your output?
>
> Regards, Miroslav

Sorry. I should have specified that earlier. This has all been in permissive.
I will work on getting an strace.
End of selinux Digest, Vol 120, Issue 16
selinux@lists.fedoraproject.org