selinux Digest, Vol 120, Issue 16
Lucrecia Trippel
antracit2009 at gmail.com
Sat Feb 22 15:14:07 UTC 2014
Am 22.02.2014 um 13:00 schrieb selinux-request at lists.fedoraproject.org:
> Send selinux mailing list submissions to
> selinux at lists.fedoraproject.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> or, via email, send a message with subject or body 'help' to
> selinux-request at lists.fedoraproject.org
>
> You can reach the person managing the list at
> selinux-owner at lists.fedoraproject.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of selinux digest..."
>
>
> Today's Topics:
>
> 1. Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 21 Feb 2014 07:06:26 -0800 (PST)
> From: Andy Ruch <adruch2002 at yahoo.com>
> To: Miroslav Grepl <mgrepl at redhat.com>
> Cc: Daniel J Walsh <dwalsh at redhat.com>, Fedora SELinux
> <selinux at lists.fedoraproject.org>
> Subject: Re: semanage error when upgrading to RHEL 6.5
> Message-ID:
> <1392995186.92907.YahooMailNeo at web124901.mail.ne1.yahoo.com>
> Content-Type: text/plain; charset=utf-8
>
>
>
>
>
>
>> On Friday, February 21, 2014 1:55 AM, Miroslav Grepl <mgrepl at redhat.com> wrote:
>>> On 02/20/2014 11:30 PM, Andy Ruch wrote:
>>>
>>>
>>>
>>>
>>>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh
>> <dwalsh at redhat.com> wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh
>>>>>> <dwalsh at redhat.com> wrote:
>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>>
>>>>>> On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh
>>>>>> <dwalsh at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>> Hash: SHA1
>>>>>>>>
>>>>>>>>
>>>>>>>> On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I have a policy that was originally written for
>> RHEL 6.2.
>>>> I’m now
>>>>>>>>> trying to upgrade to RHEL 6.5 and I’m having
>> problems with
>>>>>> semanage. I
>>>>>>>>> can install a fresh RHEL 6.5 system with the
>> targeted
>>>> policy and
>>>>>>>>> everything works fine. I then uninstall the
>> targeted policy
>>>> and
>>>>>> install
>>>>>>>>> my policy and I can’t link the linux user and
>> selinux user.
>>>>>>>>>
>>>>>>>>>>> semanage user –a -R sysadm_r -R staff_r
>> -r
>>>> s0-s0:c0.c1023
>>>>>>>>>>> testuser_u useradd -G wheel testuser
>> semanage login
>>>> -a -r
>>>>>>>>>>> s0-s0:c0.c1023 -s testuser_u testuser
>>>>>>>>> libsemanage.dbase_llist_query: could not query
>> record value
>>>>>>>>> /usr/sbin/semanage: Could not query user for
>> testuser
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have the RHEL 6.5 source code for libsemanage
>> and the
>>>> targeted
>>>>>> policy
>>>>>>>>> but so far I haven't been able to find
>> differences that
>>>> would
>>>>>> affect
>>>>>>>>> this problem. Could someone please point me in
>> the right
>>>> direction
>>>>>> as
>>>>>>>>> far as what semanage is expecting? What would
>> prevent
>>>> libsemanage
>>>>>> from
>>>>>>>>> querying for the user?
>>>>>>>>>
>>>>>>>>> Thanks, Andy
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -- selinux mailing list
>> selinux at lists.fedoraproject.org
>>>>>>>>>
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>>
>>>>>>>> What does semanage login -l and semanage user -l
>> show?
>>>> -----BEGIN
>>>>>>>> PGP SIGNATURE----- Version: GnuPG v1 Comment: Using
>> GnuPG with
>>>>>>>> Thunderbird
>>>>>> -
>>>>>>>> http://www.enigmail.net/
>>>>>>>>
>>>>>>>>
>>>> iEYEARECAAYFAlMGZ6gACgkQrlYvE4MpobPPDACfZf1lDin/LicVoZbykbsMS2rX
>>>>>>>> OuoAoIIa11SrGGVgJiFblx4aCFjPWF9o =iiCj -----END PGP
>>>> SIGNATURE-----
>>>>>>> semanage user -l shows:
>>>>>>>
>>>>>>>
>>>>>>> Labeling MLS/ MLS/ SELinux User Prefix MCS
>> Level
>>>> MCS
>>>>>>> Range SELinux Roles
>>>>>>>
>>>>>>> root user s0 s0-s0:c0.c1023
>> system_r
>>>> system_u
>>>>>>> user s0 s0-s0:c0.c1023 system_r testuser_u
>> user
>>>>>>> s0 s0-s0:c0.c1023 staff_r sysadm_r user_u
>> user
>>>>>>> s0 s0 user_r
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> semanage login -l shows:
>>>>>>>
>>>>>>>
>>>>>>> Login Name SELinux User
>> MLS/MCS Range
>>>>>>>
>>>>>>>
>>>>>>> root root
>> s0-s0:c0.c1023
>>>>>>> system_u system_u
>> s0-s0:c0.c1023
>>>> --
>>>>>>> selinux mailing list selinux at lists.fedoraproject.org
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>>>
>>>>>> And the testuser exists in /etc/passwd? -----BEGIN PGP
>> SIGNATURE-----
>>>>>> Version: GnuPG v1 Comment: Using GnuPG with Thunderbird -
>>>>>> http://www.enigmail.net/
>>>>>>
>>>>>>
>> iEYEARECAAYFAlMGdVYACgkQrlYvE4MpobPSyQCgkQxSuJh2rUYvkDcNjCo2aeai
>>>>>> DugAniPjTv6IbODBn+ADnsIPdpf1M55a =TUJs
>>>>>>
>>>>>> -----END PGP SIGNATURE-----
>>>>>>
>>>>>
>>>>> Yes. The commands "semanage user -a" and
>> "useradd"
>>>> appear to work fine.
>>>>> It's the "semanage login -a" that has trouble.
>>>>>
>>>> And this is with the stock policycoreutils or a rebuilt one?
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1
>>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>>
>>>> iEYEARECAAYFAlMGgHUACgkQrlYvE4MpobOltACgqKw0AFB/7VRzT08hJRTh5A2v
>>>> i1EAn1oG1gBOGN9R3npTRx7aMdR0fV5H
>>>> =gXXZ
>>>>
>>>> -----END PGP SIGNATURE-----
>>>>
>>> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy
>> and selinux-policy-targeted RPMs and add my policy RPMs.
>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> Probably not related but could you test it in permissive?
>>
>> Also any chance to strace it and send us your output?
>>
>> Regards,
>> Miroslav
>>
>
> Sorry. I should have specified that earlier. This has all been in permissive.
>
> I will work on getting an strace.
>
>
> ------------------------------
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> End of selinux Digest, Vol 120, Issue 16
> ****************************************
More information about the selinux
mailing list