From: Joshua Brindle <jbrindle@tresys.com>
To: Erich Schubert <erich@debian.org>
Cc: SELinux@tycho.nsa.gov
Subject: Re: Documentation, anyone?
Date: Mon, 02 Jan 2006 14:44:24 -0500
Message-ID: <43B98298.4020106@tresys.com>
In-Reply-To: <1136133436.27906.56.camel@wintermute.xmldesign.de>

Erich Schubert wrote:
> Hi,
> Recent changes broke lots of stuff on my system.
> For example, genhomedircon no longer reads my local.users file...
> It seems that this is somehow related to semanage changes...
> Which doesn't work for me, and I can't find *any* documentation on it.
> So the current SELinux shape is IMHO really bad... no current
> documentation, and even those who have working installations (like me)
> have no idea how to get the latest stuff working... :-(
> 
> I have a user role "netuser" who is allowed to use the network to a
> larger extent (e.g. bind to port_t). I'd like to make that the default
> role for certain unix accounts...
> 
> $ semanage user --add -s netuser_u -R netuser_r erich
> ['netuser_r']
> libsemanage.assert_init: A direct or server connection is needed to use
> this function - please call the corresponding connect() method
> libsemanage.enter_ro: could not enter read-only section
> /usr/sbin/semanage: Seuser lerich already defined
> 
> I couldn't find an example for /etc/selinux/seusers, I guessed it looks
> like
> "lerich:netuser_u" but that didn't work either...
> 
> I've also investigated "genhomedircon", and what strikes me as really
> bad code is that it keeps on calling an external "grep" on just about
> everything.
> Loading a file and applying a regexp is really easy in Python, you
> know...
> 
> To all users of my Debian repository or Debian unstable:
> Avoid upgrading for now if you are using extra user roles...
> 
> best regards,
> Erich Schubert

We've been putting a ton of effort into making the upgrade path to a
managed system pretty painless, but it isn't exactly transparent. Have
you been watching all the traffic here? I know we addressed some of the
issues you are having. The srpm that upgrades to a modular policy has
all the migration logic; Debian should probably consider converting to
modular and releasing a migration package, since almost all the
functionality we are now adding depends on having a managed system.
