Ivan Gyurdiev wrote:
>
>> # semanage user -a -rSystemLow-SystemHigh -R user_r -R sysadm_r walsh_u
>> # semaage user -d walsh_u
> I assume this was misspelled in the email only.
>> # semanage user -l
>>                 MLS/       MLS/
>> SELinux User    MCS Level  MCS Range             SELinux Roles
>>
>> lwalsh          None       None
>> root            s0         SystemLow-SystemHigh  system_r
>>                                                  sysadm_r user_r
>> rwalsh          s0         s0                    system_r
>>                                                  sysadm_r user_r
>> system_u        s0         SystemLow-SystemHigh  system_r
>> twalsh          s0         s0                    user_r
>> user_u          s0         SystemLow-SystemHigh  system_r
>>                                                  sysadm_r user_r
>> walsh_u         None       None
>>
>>
>> #semanage user -d walsh_u
>> /usr/sbin/semanage: SELinux user walsh_u is defined in policy, cannot
>> be deleted
>>
>> #semanage user -a -rSystemLow-SystemHigh -R user_r -R sysadm_r walsh_u
>> /usr/sbin/semanage: SELinux user walsh_u is already defined
> Hmm.... are you shipping the prefix file for genhomedircon yet?
>
> This appears to be caused by the users_extra file not getting cleared
> on policy rebuild.
> I used to always clear this file. However, after Joshua's patch to
> support the users extra file in the package format, this was changed
> to not clear the file. The idea was that on commit(), that file would
> get overwritten by the users_extra settings from the policy package.
>
> However, I expected this to be a required file. Is this not the case?
> If the users_extra is not a required section of the module package,
> then perhaps we should explicitly clear that file on rebuild.
> The same argument applies to the seusers file, and the file contexts
> file. Are those sections optional?

The attached patch should fix the problem - it treats seusers and users_extra as optional sections. If they are not present, the corresponding dbase is cleared. File contexts appear to be required (no len == 0 check).