From: Ivan Gyurdiev <ivg2@cornell.edu>
To: SELinux List <SELinux@tycho.nsa.gov>, Daniel J Walsh <dwalsh@redhat.com>
Cc: Joshua Brindle <jbrindle@tresys.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: Semanage/libsemanage seems to be broken.
Date: Thu, 09 Feb 2006 19:21:11 -0500 [thread overview]
Message-ID: <43EBDC77.5000503@cornell.edu> (raw)
In-Reply-To: <43EBD634.1000708@cornell.edu>
Ivan Gyurdiev wrote:
>
>> # semanage user -a -rSystemLow-SystemHigh -R user_r -R sysadm_r walsh_u
>> # semaage user -d walsh_u
> I assume this was misspelled in the email only.
>> # semanage user -l
>>                  MLS/          MLS/
>> SELinux User     MCS Level     MCS Range               SELinux Roles
>>
>> lwalsh           None          None
>> root             s0            SystemLow-SystemHigh    system_r sysadm_r user_r
>> rwalsh           s0            s0                      system_r sysadm_r user_r
>> system_u         s0            SystemLow-SystemHigh    system_r
>> twalsh           s0            s0                      user_r
>> user_u           s0            SystemLow-SystemHigh    system_r sysadm_r user_r
>> walsh_u          None          None
>>
>>
>> #semanage user -d walsh_u
>> /usr/sbin/semanage: SELinux user walsh_u is defined in policy, cannot
>> be deleted
>>
>> #semanage user -a -rSystemLow-SystemHigh -R user_r -R sysadm_r walsh_u
>> /usr/sbin/semanage: SELinux user walsh_u is already defined
> Hmm.... are you shipping the prefix file for genhomedircon yet?
>
> This appears to be caused by the users_extra file not getting cleared
> on policy rebuild.
> I used to always clear this file. However, after Joshua's patch to
> support the users extra file in the package format, this was changed
> to not clear the file. The idea was that on commit(), that file would
> get overwritten by the users_extra settings from the policy package.
>
> However, I expected this to be a required file. Is this not the case?
> If the users_extra is not a required section of the module package,
> then perhaps we should explicitly clear that file on rebuild.
> The same argument applies to the seusers file, and the file contexts
> file. Are those sections optional?
The attached patch should fix the problem - it treats seusers and
users_extra as optional sections. If they are not present, the
corresponding dbase is cleared. File contexts appear to be required (no
len == 0 check).
[-- Attachment #2: libsemanage.opt_seusers_extra.diff --]
[-- Type: text/x-patch, Size: 2191 bytes --]
diff -Naurp --exclude-from excludes old/libsemanage/src/direct_api.c new/libsemanage/src/direct_api.c
--- old/libsemanage/src/direct_api.c 2006-02-08 03:20:08.000000000 -0500
+++ new/libsemanage/src/direct_api.c 2006-02-09 19:14:15.000000000 -0500
@@ -475,7 +475,7 @@ static int semanage_direct_commit(semana
/* ==================== File-backed ================== */
- /* write the linked file contexts template */
+ /* File Contexts */
if ((ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL)) == NULL ||
write_file(sh, ofilename, sepol_module_package_get_file_contexts(base),
sepol_module_package_get_file_contexts_len(base)) == -1) {
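Review bot: the replacement comment `/* File Contexts */` drops the information the old one carried, namely that what is written here is the linked file contexts template (SEMANAGE_FC_TMPL), which semanage_split_fc then splits; keeping that detail alongside the new section heading would help readers who come to this code without the old comment.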
@@ -484,29 +484,36 @@ static int semanage_direct_commit(semana
if (semanage_split_fc(sh))
goto cleanup;
-
+
+ pfcontexts->dtable->drop_cache(pfcontexts->dbase);
+
+ /* Seusers */
if (sepol_module_package_get_seusers_len(base)) {
if ((ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS)) == NULL ||
write_file(sh, ofilename, sepol_module_package_get_seusers(base),
sepol_module_package_get_seusers_len(base)) == -1) {
goto cleanup;
}
+ pseusers->dtable->drop_cache(pseusers->dbase);
+
+ } else {
+ if (pseusers->dtable->clear(sh, pseusers->dbase) < 0)
+ goto cleanup;
}
+ /* Users_extra */
if (sepol_module_package_get_user_extra_len(base)) {
if ((ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_USER_EXTRA)) == NULL ||
write_file(sh, ofilename, sepol_module_package_get_user_extra(base),
sepol_module_package_get_user_extra_len(base)) == -1) {
goto cleanup;
}
- }
+ pusers_extra->dtable->drop_cache(pusers_extra->dbase);
- /* Drop any cached content for file_contexts, seusers, or users_extra,
- * since it is now superceded by the files just written, and needs to be
- * re-cached */
- pfcontexts->dtable->drop_cache(pfcontexts->dbase);
- pseusers->dtable->drop_cache(pseusers->dbase);
- pusers_extra->dtable->drop_cache(pusers_extra->dbase);
+ } else {
+ if (pusers_extra->dtable->clear(sh, pusers_extra->dbase) < 0)
+ goto cleanup;
+ }
/* ==================== Policydb-backed ================ */
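Review bot: in the two new `else` branches, `clear(sh, dbase)` empties the seusers and users_extra dbases, but nothing in this hunk removes or truncates the previously written SEMANAGE_SEUSERS / SEMANAGE_USER_EXTRA files under SEMANAGE_TMP; please confirm that the cleared dbase is flushed as an empty file during commit, otherwise a stale file from an earlier policy can survive the rebuild, which is exactly the failure mode reported in this thread. Moving `drop_cache()` into the "section present" branches is right, since dropping the cache after a `clear()` would discard the cleared state. Finally, the `-`/`+` pair of blank lines near the top of the hunk is a whitespace-only change and is best dropped from the patch.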