selinux Digest, Vol 120, Issue 16

Lucrecia Trippel antracit2009 at gmail.com
Sat Feb 22 15:14:07 UTC 2014


On 22.02.2014 at 13:00, selinux-request at lists.fedoraproject.org wrote:

> Send selinux mailing list submissions to
> 	selinux at lists.fedoraproject.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://admin.fedoraproject.org/mailman/listinfo/selinux
> or, via email, send a message with subject or body 'help' to
> 	selinux-request at lists.fedoraproject.org
> 
> You can reach the person managing the list at
> 	selinux-owner at lists.fedoraproject.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of selinux digest..."
> 
> 
> Today's Topics:
> 
>   1. Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 21 Feb 2014 07:06:26 -0800 (PST)
> From: Andy Ruch <adruch2002 at yahoo.com>
> To: Miroslav Grepl <mgrepl at redhat.com>
> Cc: Daniel J Walsh <dwalsh at redhat.com>,	Fedora SELinux
> 	<selinux at lists.fedoraproject.org>
> Subject: Re: semanage error when upgrading to RHEL 6.5
> Message-ID:
> 	<1392995186.92907.YahooMailNeo at web124901.mail.ne1.yahoo.com>
> Content-Type: text/plain; charset=utf-8
> 
> 
> 
> 
> 
> 
>> On Friday, February 21, 2014 1:55 AM, Miroslav Grepl <mgrepl at redhat.com> wrote:
>>> On 02/20/2014 11:30 PM, Andy Ruch wrote:
>>> 
>>> 
>>> 
>>> 
>>>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>> 
>>>> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>>    On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh
>>>>>>    <dwalsh at redhat.com> wrote:
>>>>>> 
>>>>>>    On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>    On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>>    On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>>>>>>>>    Hello,
>>>>>>>>> 
>>>>>>>>>    I have a policy that was originally written for RHEL 6.2. I’m now
>>>>>>>>>    trying to upgrade to RHEL 6.5 and I’m having problems with semanage. I
>>>>>>>>>    can install a fresh RHEL 6.5 system with the targeted policy and
>>>>>>>>>    everything works fine. I then uninstall the targeted policy and install
>>>>>>>>>    my policy and I can’t link the linux user and selinux user.
>>>>>>>>> 
>>>>>>>>>>>    semanage user -a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 testuser_u
>>>>>>>>>>>    useradd -G wheel testuser
>>>>>>>>>>>    semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser
>>>>>>>>>    libsemanage.dbase_llist_query: could not query record value
>>>>>>>>>    /usr/sbin/semanage: Could not query user for testuser
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>    I have the RHEL 6.5 source code for libsemanage and the targeted policy
>>>>>>>>>    but so far I haven't been able to find differences that would affect
>>>>>>>>>    this problem. Could someone please point me in the right direction as
>>>>>>>>>    far as what semanage is expecting?  What would prevent libsemanage from
>>>>>>>>>    querying for the user?
>>>>>>>>> 
>>>>>>>>>    Thanks, Andy
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>    -- selinux mailing list selinux at lists.fedoraproject.org
>>>>>>>>>    https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>    What does semanage login -l and semanage user -l show?
>>>>>>>    semanage user -l shows:
>>>>>>> 
>>>>>>> 
>>>>>>>                    Labeling   MLS/       MLS/
>>>>>>>    SELinux User    Prefix     MCS Level  MCS Range         SELinux Roles
>>>>>>> 
>>>>>>>    root            user       s0         s0-s0:c0.c1023    system_r
>>>>>>>    system_u        user       s0         s0-s0:c0.c1023    system_r
>>>>>>>    testuser_u      user       s0         s0-s0:c0.c1023    staff_r sysadm_r
>>>>>>>    user_u          user       s0         s0                user_r
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>    semanage login -l shows:
>>>>>>> 
>>>>>>> 
>>>>>>>    Login Name                SELinux User              MLS/MCS Range
>>>>>>> 
>>>>>>>    root                      root                      s0-s0:c0.c1023
>>>>>>>    system_u                  system_u                  s0-s0:c0.c1023
>>>>>>> 
>>>>>>> 
>>>>>>    And the testuser exists in /etc/passwd?
>>>>>> 
>>>>> 
>>>>>    Yes. The commands "semanage user -a" and "useradd" appear to work fine.
>>>>>    It's the "semanage login -a" that has trouble.
>>>>> 
>>>> And this is with the stock policycoreutils or a rebuilt one?
>>>> 
>>> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy and selinux-policy-targeted RPMs and add my policy RPMs.
>> 
>> Probably not related but could you test it in permissive?
>> 
>> Also any chance to strace it and send us your output?
>> 
>> Regards,
>> Miroslav
>> 
> 
> Sorry. I should have specified that earlier. This has all been in permissive.
> 
> I will work on getting an strace.
> 
> 
> ------------------------------
> 
> 
> End of selinux Digest, Vol 120, Issue 16
> ****************************************


