* Re: Semanage/libsemanage seems to be broken.
       [not found] ` <43EBD634.1000708@cornell.edu>
@ 2006-02-10  0:21   ` Ivan Gyurdiev
  2006-02-13 15:33     ` Stephen Smalley
  0 siblings, 1 reply; 2+ messages in thread
From: Ivan Gyurdiev @ 2006-02-10  0:21 UTC (permalink / raw)
  To: SELinux List, Daniel J Walsh; +Cc: Joshua Brindle, Stephen Smalley


Ivan Gyurdiev wrote:
>
>> # semanage user -a -rSystemLow-SystemHigh -R user_r -R sysadm_r walsh_u
>> # semaage user -d walsh_u
> I assume this was misspelled in the email only.
>> # semanage user -l
>>                MLS/       MLS/
>> SELinux User    MCS Level  MCS Range                      SELinux Roles
>>
>> lwalsh          None       None
>> root            s0         SystemLow-SystemHigh           system_r sysadm_r user_r
>> rwalsh          s0         s0                             system_r sysadm_r user_r
>> system_u        s0         SystemLow-SystemHigh           system_r
>> twalsh          s0         s0                             user_r
>> user_u          s0         SystemLow-SystemHigh           system_r sysadm_r user_r
>> walsh_u         None       None
>>
>>
>> #semanage user -d walsh_u
>> /usr/sbin/semanage: SELinux user walsh_u is defined in policy, cannot 
>> be deleted
>>
>> #semanage user -a -rSystemLow-SystemHigh -R user_r -R sysadm_r walsh_u
>> /usr/sbin/semanage: SELinux user walsh_u is already defined
> Hmm.... are you shipping the prefix file for genhomedircon yet?
>
> This appears to be caused by the users_extra file not getting cleared 
> on policy rebuild.
> I used to always clear this file. However, after Joshua's patch to 
> support the users extra file in the package format, this was changed 
> to not clear the file. The idea was that on commit(), that file would 
> get overwritten by the users_extra settings from the policy package.
>
> However, I expected this to be a required file. Is this not the case?
> If the users_extra is not a required section of the module package, 
> then perhaps we should explicitly clear that file on rebuild.
> The same argument applies to the seusers file, and the file contexts 
> file. Are those sections optional?
The attached patch should fix the problem - it treats seusers and 
users_extra as optional sections. If they are not present, the 
corresponding dbase is cleared. File contexts appear to be required (no 
len == 0 check).

[-- Attachment #2: libsemanage.opt_seusers_extra.diff --]
[-- Type: text/x-patch, Size: 2191 bytes --]

diff -Naurp --exclude-from excludes old/libsemanage/src/direct_api.c new/libsemanage/src/direct_api.c
--- old/libsemanage/src/direct_api.c	2006-02-08 03:20:08.000000000 -0500
+++ new/libsemanage/src/direct_api.c	2006-02-09 19:14:15.000000000 -0500
@@ -475,7 +475,7 @@ static int semanage_direct_commit(semana
 
 		/* ==================== File-backed ================== */
 
-		/* write the linked file contexts template */
+		/* File Contexts */
 		if ((ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL)) == NULL ||
 		    write_file(sh, ofilename, sepol_module_package_get_file_contexts(base), 
 				sepol_module_package_get_file_contexts_len(base)) == -1) {
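Review bot: the replacement comment `/* File Contexts */` drops the information the old one carried, namely that this writes the *linked* file-contexts template (SEMANAGE_FC_TMPL); suggest keeping it, e.g. `/* File Contexts: write the linked template */`. Note also that this block still writes unconditionally, with no length check on `sepol_module_package_get_file_contexts_len(base)`, so file contexts remain a required section here, consistent with the cover note.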
@@ -484,29 +484,36 @@ static int semanage_direct_commit(semana
 
 		if (semanage_split_fc(sh)) 
 			goto cleanup;
-	
+
+		pfcontexts->dtable->drop_cache(pfcontexts->dbase);
+
+		/* Seusers */
 		if (sepol_module_package_get_seusers_len(base)) {
 			if ((ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS)) == NULL ||
 			    write_file(sh, ofilename, sepol_module_package_get_seusers(base), 
 					sepol_module_package_get_seusers_len(base)) == -1) {
 				goto cleanup;
 			}
+			pseusers->dtable->drop_cache(pseusers->dbase);
+
+		} else {
+			if (pseusers->dtable->clear(sh, pseusers->dbase) < 0)
+				goto cleanup;
 		}
 
+		/* Users_extra */
 		if (sepol_module_package_get_user_extra_len(base)) {
 			if ((ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_USER_EXTRA)) == NULL ||
 			    write_file(sh, ofilename, sepol_module_package_get_user_extra(base), 
 					sepol_module_package_get_user_extra_len(base)) == -1) {
 				goto cleanup;
 			}
-		}
+			pusers_extra->dtable->drop_cache(pusers_extra->dbase);
 
-		/* Drop any cached content for file_contexts, seusers, or users_extra,
-	 	 * since it is now superceded by the files just written, and needs to be
-		 * re-cached */
-		pfcontexts->dtable->drop_cache(pfcontexts->dbase);
-		pseusers->dtable->drop_cache(pseusers->dbase);
-		pusers_extra->dtable->drop_cache(pusers_extra->dbase);
+		} else {
+			if (pusers_extra->dtable->clear(sh, pusers_extra->dbase) < 0)
+				goto cleanup;
+		}
 
 		/* ==================== Policydb-backed ================ */
 
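Review bot: the two `else` branches call `clear()` but never `drop_cache()`, whereas the removed block unconditionally dropped the cache for seusers and users_extra; unless `clear()` itself discards any cached content, a stale in-memory cache could survive a rebuild whose base package omits the section, which is exactly the symptom being fixed. Suggest confirming that `clear` invalidates the cache or adding `pseusers->dtable->drop_cache(pseusers->dbase);` (and the users_extra equivalent) in the `else` branches. Two smaller points: the deleted comment explaining why the caches are dropped ("superseded by the files just written, needs to be re-cached") is worth keeping beside the new `drop_cache` calls, and `} else { if (...) goto cleanup; }` reads better as `} else if (...) { goto cleanup; }`.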

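The symptom in the thread is a user such as walsh_u that lingers in `semanage user -l` with no MLS level or range after a delete, and then can neither be deleted nor re-added. The following is an added example, not code from the thread or from libsemanage, that scans that listing for such entries so an administrator can spot a store that is out of sync after a rebuild; the sample listing is constructed from the one quoted above, and the `check_live` helper is an assumption about running against a real system.

```shell
#!/bin/sh
# Added example (not from the thread or libsemanage): flag entries in the
# output of `semanage user -l` that carry no MLS level/range, the state the
# add/delete cycle above left walsh_u in.
set -eu

# Constructed sample, modelled on the listing quoted in the thread.
SAMPLE='                MLS/       MLS/
SELinux User    MCS Level  MCS Range                      SELinux Roles

lwalsh          None       None
root            s0         SystemLow-SystemHigh           system_r sysadm_r user_r
system_u        s0         SystemLow-SystemHigh           system_r
walsh_u         None       None'

# Print one SELinux user per line whose level and range are both "None".
# Reads the listing on stdin; skips the two header lines and blank lines.
stale_users() {
    awk 'NR > 2 && NF >= 3 && $2 == "None" && $3 == "None" { print $1 }'
}

# Returns the stale users found in the constructed sample as one
# space-separated string, e.g. "lwalsh walsh_u".
stale_in_sample() {
    printf '%s\n' "$SAMPLE" | stale_users | tr '\n' ' ' | sed 's/ $//'
}

# Live check (assumption: semanage is installed and the store is readable).
# Does nothing when semanage is absent, so the script stays usable offline.
check_live() {
    command -v semanage >/dev/null 2>&1 || return 0
    semanage user -l 2>/dev/null | stale_users
}

stale_in_sample
```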

* Re: Semanage/libsemanage seems to be broken.
  2006-02-10  0:21   ` Semanage/libsemanage seems to be broken Ivan Gyurdiev
@ 2006-02-13 15:33     ` Stephen Smalley
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2006-02-13 15:33 UTC (permalink / raw)
  To: Ivan Gyurdiev; +Cc: SELinux List, Daniel J Walsh, Joshua Brindle

On Thu, 2006-02-09 at 19:21 -0500, Ivan Gyurdiev wrote:
> The attached patch should fix the problem - it treats seusers and 
> users_extra as optional sections. If they are not present, the 
> corresponding dbase is cleared. File contexts appear to be required (no 
> len == 0 check).

Merged as of libsemanage 1.5.22.

-- 
Stephen Smalley
National Security Agency


