Send selinux mailing list submissions to
selinux(a)lists.fedoraproject.org
To subscribe or unsubscribe via the World Wide Web, visit
https://admin.fedoraproject.org/mailman/listinfo/selinux
or, via email, send a message with subject or body 'help' to
selinux-request(a)lists.fedoraproject.org
You can reach the person managing the list at
selinux-owner(a)lists.fedoraproject.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of selinux digest..."
Today's Topics:
1. Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
----------------------------------------------------------------------
Message: 1
Date: Fri, 21 Feb 2014 07:06:26 -0800 (PST)
From: Andy Ruch <adruch2002(a)yahoo.com>
To: Miroslav Grepl <mgrepl(a)redhat.com>
Cc: Daniel J Walsh <dwalsh(a)redhat.com>, Fedora SELinux
<selinux(a)lists.fedoraproject.org>
Subject: Re: semanage error when upgrading to RHEL 6.5
Message-ID:
<1392995186.92907.YahooMailNeo(a)web124901.mail.ne1.yahoo.com>
Content-Type: text/plain; charset=utf-8
> On Friday, February 21, 2014 1:55 AM, Miroslav Grepl <mgrepl(a)redhat.com>
wrote:
>> On 02/20/2014 11:30 PM, Andy Ruch wrote:
>>
>>
>>
>>
>>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh
> <dwalsh(a)redhat.com> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh
>>>>> <dwalsh(a)redhat.com> wrote:
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh
>>>>> <dwalsh(a)redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>> Hash: SHA1
>>>>>>>
>>>>>>>
>>>>>>> On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have a policy that was originally written for
> RHEL 6.2.
>>> I’m now
>>>>>>>> trying to upgrade to RHEL 6.5 and I’m having
> problems with
>>>>> semanage. I
>>>>>>>> can install a fresh RHEL 6.5 system with the
> targeted
>>> policy and
>>>>>>>> everything works fine. I then uninstall the
> targeted policy
>>> and
>>>>> install
>>>>>>>> my policy and I can’t link the linux user and
> selinux user.
>>>>>>>>
>>>>>>>>>> semanage user –a -R sysadm_r -R staff_r
> -r
>>> s0-s0:c0.c1023
>>>>>>>>>> testuser_u useradd -G wheel testuser
> semanage login
>>> -a -r
>>>>>>>>>> s0-s0:c0.c1023 -s testuser_u testuser
>>>>>>>> libsemanage.dbase_llist_query: could not query
> record value
>>>>>>>> /usr/sbin/semanage: Could not query user for
> testuser
>>>>>>>>
>>>>>>>>
>>>>>>>> I have the RHEL 6.5 source code for libsemanage
> and the
>>> targeted
>>>>> policy
>>>>>>>> but so far I haven't been able to find
> differences that
>>> would
>>>>> affect
>>>>>>>> this problem. Could someone please point me in
> the right
>>> direction
>>>>> as
>>>>>>>> far as what semanage is expecting? What would
> prevent
>>> libsemanage
>>>>> from
>>>>>>>> querying for the user?
>>>>>>>>
>>>>>>>> Thanks, Andy
>>>>>>>>
>>>>>>>>
>>>>>>>> -- selinux mailing list
> selinux(a)lists.fedoraproject.org
>>>>>>>>
>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>
>>>>>>> What does semanage login -l and semanage user -l
> show?
>>> -----BEGIN
>>>>>>> PGP SIGNATURE----- Version: GnuPG v1 Comment: Using
> GnuPG with
>>>>>>> Thunderbird
>>>>> -
>>>>>>>
http://www.enigmail.net/
>>>>>>>
>>>>>>>
>>> iEYEARECAAYFAlMGZ6gACgkQrlYvE4MpobPPDACfZf1lDin/LicVoZbykbsMS2rX
>>>>>>> OuoAoIIa11SrGGVgJiFblx4aCFjPWF9o =iiCj -----END PGP
>>> SIGNATURE-----
>>>>>> semanage user -l shows:
>>>>>>
>>>>>>
>>>>>> Labeling MLS/ MLS/ SELinux User Prefix MCS
> Level
>>> MCS
>>>>>> Range SELinux Roles
>>>>>>
>>>>>> root user s0 s0-s0:c0.c1023
> system_r
>>> system_u
>>>>>> user s0 s0-s0:c0.c1023 system_r testuser_u
> user
>>>>>> s0 s0-s0:c0.c1023 staff_r sysadm_r user_u
> user
>>>>>> s0 s0 user_r
>>>>>>
>>>>>>
>>>>>>
>>>>>> semanage login -l shows:
>>>>>>
>>>>>>
>>>>>> Login Name SELinux User
> MLS/MCS Range
>>>>>>
>>>>>>
>>>>>> root root
> s0-s0:c0.c1023
>>>>>> system_u system_u
> s0-s0:c0.c1023
>>> --
>>>>>> selinux mailing list selinux(a)lists.fedoraproject.org
>>>>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>
>>>>>>
>>>>> And the testuser exists in /etc/passwd? -----BEGIN PGP
> SIGNATURE-----
>>>>> Version: GnuPG v1 Comment: Using GnuPG with Thunderbird -
>>>>>
http://www.enigmail.net/
>>>>>
>>>>>
> iEYEARECAAYFAlMGdVYACgkQrlYvE4MpobPSyQCgkQxSuJh2rUYvkDcNjCo2aeai
>>>>> DugAniPjTv6IbODBn+ADnsIPdpf1M55a =TUJs
>>>>>
>>>>> -----END PGP SIGNATURE-----
>>>>>
>>>>
>>>> Yes. The commands "semanage user -a" and
> "useradd"
>>> appear to work fine.
>>>> It's the "semanage login -a" that has trouble.
>>>>
>>> And this is with the stock policycoreutils or a rebuilt one?
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1
>>> Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
>>>
>>> iEYEARECAAYFAlMGgHUACgkQrlYvE4MpobOltACgqKw0AFB/7VRzT08hJRTh5A2v
>>> i1EAn1oG1gBOGN9R3npTRx7aMdR0fV5H
>>> =gXXZ
>>>
>>> -----END PGP SIGNATURE-----
>>>
>> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy
> and selinux-policy-targeted RPMs and add my policy RPMs.
>
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
> Probably not related but could you test it in permissive?
>
> Also any chance to strace it and send us your output?
>
> Regards,
> Miroslav
>
Sorry. I should have specified that earlier. This has all been in permissive.
I will work on getting an strace.
------------------------------
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
End of selinux Digest, Vol 120, Issue 16
****************************************