* semanage non MLS breakage
From: Chris PeBenito @ 2006-02-17 4:24 UTC
To: SELinux Mail List
With the current sourceforge CVS, non MLS usage is broken with semanage:
# semanage login -l
Login Name SELinux User MLS/MCS Range
root root __default__:user_u
# semanage login -a -s staff_u pebenito
Segmentation fault
The seusers file installed from refpolicy, in the base module looks
like:
root:root:
__default__:user_u:
It doesn't work with or without the last colon.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: semanage non MLS breakage
From: Ivan Gyurdiev @ 2006-02-17 5:41 UTC
To: Chris PeBenito; +Cc: SELinux Mail List
> # semanage login -l
>
> Login Name SELinux User MLS/MCS Range
>
> root root __default__:user_u
>
> # semanage login -a -s staff_u pebenito
> Segmentation fault
>
>
PeBenito, can you provide a trace with line numbers (i.e.
libsemanage-debuginfo, and libsepol-debuginfo installed)?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: semanage non MLS breakage
From: Joshua Brindle @ 2006-02-17 14:23 UTC
To: Ivan Gyurdiev; +Cc: Chris PeBenito, SELinux Mail List
Ivan Gyurdiev wrote:
>
>> # semanage login -l
>>
>> Login Name SELinux User MLS/MCS Range
>>
>> root root __default__:user_u
>>
>> # semanage login -a -s staff_u pebenito
>> Segmentation fault
>>
>>
> PeBenito, can you provide a trace with line numbers (i.e.
> libsemanage-debuginfo, and libsepol-debuginfo installed)?
I don't think he can install libsemanage-debuginfo (since those are Red
Hat packages), but I've encountered this before as well; here is a backtrace:
#0 0x0017ebd3 in strdup () from /lib/libc.so.6
#1 0x00474d5e in mls_from_string (handle=0x8b06b70, policydb=0x8b30a78,
str=0x0, mls=0x8b8a930) at mls.c:85
#2 0x00476143 in sepol_mls_contains (handle=0x8b06b70,
policydb=0x8b30a78, mls1=0x0, mls2=0x8b2fd98 "s0", response=0xbfdc7068)
at mls.c:635
#3 0x008bec55 in validate_handler (seuser=0x8b2fd68, varg=0xbfdc713c)
at seusers_local.c:126
#4 0x008b101a in dbase_llist_iterate (handle=0x8aa0ea8,
dbase=0x8a83110, fn=0x8beac6 <validate_handler>, arg=0xbfdc713c)
at database_llist.c:278
#5 0x008af638 in dbase_iterate (handle=0x8aa0ea8, dconfig=0x8aa0f28,
fn=0x8beac6 <validate_handler>, fn_arg=0xbfdc713c)
at database.c:191
#6 0x008bea7a in *semanage_seuser_iterate_local_internal
(handle=0x8aa0ea8, handler=0x8beac6 <validate_handler>,
handler_arg=0xbfdc713c) at seusers_local.c:68
#7 0x008bee41 in semanage_seuser_validate_local (handle=0x8aa0ea8,
policydb=0x8b30a78) at seusers_local.c:163
#8 0x008b3b0a in semanage_direct_commit (sh=0x8aa0ea8) at direct_api.c:545
#9 0x008b60b0 in semanage_commit (sh=0x8aa0ea8) at handle.c:227
#10 0x00810ea3 in _wrap_semanage_commit (self=0x0, args=0xb7f490cc) at
semanageswig_wrap.c:2419
#11 0x009f109a in PyCFunction_Call () from /usr/lib/libpython2.4.so.1.0
#12 0x00a295e4 in PyEval_EvalFrame () from /usr/lib/libpython2.4.so.1.0
#13 0x00a28e0f in PyEval_EvalFrame () from /usr/lib/libpython2.4.so.1.0
#14 0x00a2a1ff in PyEval_EvalCodeEx () from /usr/lib/libpython2.4.so.1.0
#15 0x00a2a283 in PyEval_EvalCode () from /usr/lib/libpython2.4.so.1.0
#16 0x00a45f53 in Py_CompileString () from /usr/lib/libpython2.4.so.1.0
#17 0x00a47539 in PyRun_SimpleFileExFlags () from
/usr/lib/libpython2.4.so.1.0
#18 0x00a47bb5 in PyRun_AnyFileExFlags () from /usr/lib/libpython2.4.so.1.0
#19 0x00a4deb6 in Py_Main () from /usr/lib/libpython2.4.so.1.0
#20 0x0804859a in main ()
It is easy to reproduce: build a non-MLS policy and try to add a user.
This brings up something else: semanage currently lacks the ability to
specify a store to connect to; semodule has this ability and I think
semanage needs it (and will need it much more when networked
policy-server access is possible).
* Re: semanage non MLS breakage
From: Ivan Gyurdiev @ 2006-02-17 15:04 UTC
To: Joshua Brindle; +Cc: Chris PeBenito, SELinux Mail List
>>> # semanage login -l
>>>
>>> Login Name SELinux User MLS/MCS Range
>>>
>>> root root __default__:user_u
That doesn't look like a valid MLS range.
What exactly is in your seusers file?
>
> #2 0x00476143 in sepol_mls_contains (handle=0x8b06b70,
> policydb=0x8b30a78, mls1=0x0, mls2=0x8b2fd98 "s0", response=0xbfdc7068)
This indicates the seuser has an mls range s0, but the user does not.
The mls check is conditional on the seuser's mls range, which is why it
proceeds. I can add a check that makes sure neither exists, but it
shouldn't be necessary - on a non-MLS system the seuser should not have
an mls range.
I'm not sure how a situation would occur where the seuser has an mls
range on a non-mls system. I guess seuser_print will write out an mls
field if it finds one, so maybe that's how this happens...it gets an mls
field from the policy package, and fails to ignore it. Need more info.
* Re: semanage non MLS breakage
From: Joshua Brindle @ 2006-02-17 15:10 UTC
To: Ivan Gyurdiev; +Cc: Chris PeBenito, SELinux Mail List
Ivan Gyurdiev wrote:
>
>>>> # semanage login -l
>>>>
>>>> Login Name SELinux User MLS/MCS Range
>>>>
>>>> root root __default__:user_u
> That doesn't look like a valid MLS range.
> What exactly is in your seusers file?
>>
>> #2 0x00476143 in sepol_mls_contains (handle=0x8b06b70,
>> policydb=0x8b30a78, mls1=0x0, mls2=0x8b2fd98 "s0", response=0xbfdc7068)
> This indicates the seuser has an mls range s0, but the user does not.
> The mls check is conditional on the seuser's mls range, which is why
> it proceeds. I can add a check that makes sure neither exists, but it
> shouldn't be necessary - on a non-MLS system the seuser should not
> have an mls range.
>
If it has s0 then semanage is dreaming it up, because the policy has no
MLS whatsoever and none was specified on the command line.
> I'm not sure how a situation would occur where the seuser has an mls
> range on a non-mls system. I guess seuser_print will write out an mls
> field if it finds one, so maybe that's how this happens...it gets an
> mls field from the policy package, and fails to ignore it. Need more
> info.
What info? It isn't hard to reproduce.
* Re: semanage non MLS breakage
From: Ivan Gyurdiev @ 2006-02-17 15:19 UTC
To: Joshua Brindle; +Cc: Chris PeBenito, SELinux Mail List
>
> what info? it isn't hard to reproduce.
Contents of: users.local, seusers, and seusers.final
I guess this function is exactly the place that should reject a seuser
with mls fields (or ignore them) based on whether mls is enabled in the
policy - I can export the mls flag from libsepol, and check that (at
this point we have a policydb, validation occurs after everything is
merged).
* Re: semanage non MLS breakage
From: Joshua Brindle @ 2006-02-17 15:28 UTC
To: Ivan Gyurdiev; +Cc: Chris PeBenito, SELinux Mail List
Ivan Gyurdiev wrote:
>
>>
>> what info? it isn't hard to reproduce.
> Contents of: users.local, seusers, and seusers.final
# cat /etc/selinux/test-nomcs/modules/active/seusers.final
root:root:
__default__:user_u:
no seusers file
no users.local
> I guess this function is exactly the place that should reject a seuser
> with mls fields (or ignore them) based on whether mls is enabled in
> the policy - I can export the mls flag from libsepol, and check that
> (at this point we have a policydb, validation occurs after everything
> is merged).
* Re: semanage non MLS breakage
From: Ivan Gyurdiev @ 2006-02-17 15:39 UTC
To: Joshua Brindle; +Cc: Chris PeBenito, SELinux Mail List
>
> # cat /etc/selinux/test-nomcs/modules/active/seusers.final
> root:root:
> __default__:user_u:
>
Ok, let's see... that semicolon shouldn't be there at the end.
It causes the parser to look for an mls range.
This is parsed as:
user = root, seuser = root, mls_range = "__default__:user_u:"
That explains the output out of semanage, which doesn't make any sense
otherwise.
Not sure why the end colon of the range is removed, but it seems
plausible during translation and all that.
======================
So, your seuser has an mls range, which causes a crash, because
libsemanage doesn't handle that case very well.
I will patch the library to prevent that crash, but for the moment I
suggest you get rid of the end colon.
=======================
As far as "s0" is concerned - I have no idea where that's coming from -
did you possibly give me a trace that doesn't match those files (you
said you'd seen it before, not sure if you pasted old or new trace).
* Re: semanage non MLS breakage
From: Ivan Gyurdiev @ 2006-02-17 21:30 UTC
To: Joshua Brindle, Chris PeBenito; +Cc: Stephen Smalley, SELinux Mail List
>
> ======================
> So, your seuser has an mls range, which causes a crash, because
> libsemanage doesn't handle that case very well.
> I will patch the library to prevent that crash, but for the moment I
> suggest you get rid of the end colon.
>
Let me know if this patch works out for you...
Attachment: libsemanage.sepol.more_mls_checks.diff (text/x-patch)
diff -Naurp --exclude libselinux --exclude genhomedircon.c --exclude direct_api.c --exclude-from excludes old/libsemanage/src/seusers_local.c new/libsemanage/src/seusers_local.c
--- old/libsemanage/src/seusers_local.c 2006-01-27 15:44:09.000000000 -0500
+++ new/libsemanage/src/seusers_local.c 2006-02-17 16:19:06.000000000 -0500
@@ -114,8 +114,8 @@ static int validate_handler(
}
/* Verify that the mls range is valid, and that it's contained
- * within the (SELinux) user mls range */
- if (mls_range) {
+ * within the (SELinux) user mls range. This range is optional */
+ if (mls_range && sepol_policydb_mls_enabled(policydb)) {
if (semanage_user_query(handle, key, &user) < 0)
goto err;
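Review bot: the new comment "This range is optional" is only true when MLS is disabled, and the rewritten condition `if (mls_range && sepol_policydb_mls_enabled(policydb))` does nothing for the opposite mismatch, a seuser with no range on an MLS-enabled policy. Suggest wording the comment as "optional when MLS is disabled" and adding an error branch for `!mls_range && sepol_policydb_mls_enabled(policydb)`, so validation catches both directions of MLS/policy disagreement.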
@@ -127,12 +127,15 @@ static int validate_handler(
user_mls_range, mls_range, &mls_ok) < 0)
goto err;
if (!mls_ok) {
- ERR(handle, "mls range %s for Unix user %s "
- "exceeds allowed range %s for SELinux user %s",
- mls_range, name, user_mls_range, sename);
+ ERR(handle, "MLS range %s for Unix user %s "
+ "exceeds allowed range %s for SELinux user %s",
+ mls_range, name, user_mls_range, sename);
goto invalid;
}
- }
+
+ } else if (mls_range)
+ WARN(handle, "MLS is disabled, MLS range %s "
+ "Unix user %s ignored", mls_range, name);
semanage_user_key_free(key);
semanage_user_free(user);
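Review bot: the `WARN(handle, "MLS is disabled, MLS range %s " "Unix user %s ignored", mls_range, name)` text is missing a word between the two `%s` values and renders as "MLS range s0 Unix user pebenito ignored"; make it "MLS range %s for Unix user %s ignored". The bigger issue is that this branch falls through to `return 0`, so the range is ignored only by the check and is still committed with the record; either clear it or fail validation here. The braceless `else if` after the braced `if` block above it also breaks the surrounding style.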
@@ -153,6 +156,10 @@ static int validate_handler(
return -1;
}
+/* This function may not be called outside a transaction, or
+ * it will (1) deadlock, because iterate is not reentrant outside
+ * a transaction, and (2) be racy, because it makes multiple dbase calls */
+
int hidden semanage_seuser_validate_local(
semanage_handle_t* handle,
const sepol_policydb_t* policydb) {
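Review bot: the added comment is separated from `semanage_seuser_validate_local` by a blank `+` line, so it reads as a free-floating remark rather than that function's documentation; drop the blank line so the comment attaches to the declaration. It would also help to name the transaction API the caller must have entered, since the deadlock and race it warns about are otherwise enforced only by convention.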
diff -Naurp --exclude libselinux --exclude genhomedircon.c --exclude direct_api.c --exclude-from excludes old/libsepol/include/sepol/policydb.h new/libsepol/include/sepol/policydb.h
--- old/libsepol/include/sepol/policydb.h 2005-10-18 10:08:39.000000000 -0400
+++ new/libsepol/include/sepol/policydb.h 2006-02-17 16:21:01.000000000 -0500
@@ -124,6 +124,7 @@ extern int sepol_policydb_to_image(sepol
void **newdata,
size_t *newlen);
-#endif
-
+extern int sepol_policydb_mls_enabled(
+ const sepol_policydb_t* p);
+#endif
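Review bot: `sepol_policydb_mls_enabled` is being added to the installed public header, so its contract belongs next to the prototype (returns nonzero when the policy was built with MLS, zero otherwise), and the new exported symbol should be reflected in the library version in the same change.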
diff -Naurp --exclude libselinux --exclude genhomedircon.c --exclude direct_api.c --exclude-from excludes old/libsepol/src/policydb_public.c new/libsepol/src/policydb_public.c
--- old/libsepol/src/policydb_public.c 2005-11-01 17:32:59.000000000 -0500
+++ new/libsepol/src/policydb_public.c 2006-02-17 16:21:09.000000000 -0500
@@ -159,3 +159,8 @@ int sepol_policydb_to_image(sepol_handle
return policydb_to_image(handle, &p->p, newdata, newlen);
}
+int sepol_policydb_mls_enabled(
+ const sepol_policydb_t* p) {
+
+ return p->p.mls;
+}
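Review bot: `return p->p.mls;` dereferences `p` with no NULL check; the neighbouring `sepol_policydb_to_image` in the context line above passes `&p->p` straight through as well, so this matches the file's convention, but as the gate for libsemanage's MLS handling the NULL precondition should be stated in the header. Returning `p->p.mls != 0` would also pin the result to 0/1 so callers can compare it directly.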
diff -Naurp --exclude libselinux --exclude genhomedircon.c --exclude direct_api.c --exclude-from excludes old/libsepol/src/users.c new/libsepol/src/users.c
--- old/libsepol/src/users.c 2006-01-13 08:35:51.000000000 -0500
+++ new/libsepol/src/users.c 2006-02-17 16:12:48.000000000 -0500
@@ -218,6 +218,11 @@ int sepol_user_modify(
goto err;
}
context_destroy(&context);
+
+ } else {
+ if (cmls_level != NULL || cmls_range != NULL)
+ WARN(handle, "MLS is disabled, MLS level/range "
+ "ignored for user %s", cname);
}
/* If there are no errors, and this is a new user, add the user to policy */
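Review bot: the nested `if (cmls_level != NULL || cmls_range != NULL)` inside the new `else {` can be written as `} else if (...)`. More importantly, the branch only warns and then falls through to the "add the user to policy" comment below, so a user record that carried an MLS level or range on a non-MLS policy is committed with that data silently dropped; a record that no longer matches what the administrator wrote is better rejected with an error than accepted minus its MLS fields.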
* Re: semanage non MLS breakage
From: Chris PeBenito @ 2006-02-18 18:44 UTC
To: Ivan Gyurdiev; +Cc: Joshua Brindle, Stephen Smalley, SELinux Mail List
On Fri, 2006-02-17 at 16:30 -0500, Ivan Gyurdiev wrote:
> >
> > ======================
> > So, your seuser has an mls range, which causes a crash, because
> > libsemanage doesn't handle that case very well.
> > I will patch the library to prevent that crash, but for the moment I
> > suggest you get rid of the end colon.
> >
> Let me know if this patch works out for you...
Definitely going the right way, but a range of s0 must be hardcoded if
the range isn't specified:
gorn selinux-usr # semanage login -a -s staff_u pebenito
libsemanage.validate_handler: MLS is disabled, MLS range s0 Unix user pebenito ignored
gorn selinux-usr # semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ user_u None
pebenito staff_u s0
root root None
* Re: semanage non MLS breakage
From: Ivan Gyurdiev @ 2006-02-18 20:06 UTC
To: Chris PeBenito; +Cc: Joshua Brindle, Stephen Smalley, SELinux Mail List
> gorn selinux-usr # semanage login -a -s staff_u pebenito
> libsemanage.validate_handler: MLS is disabled, MLS range s0 Unix user pebenito ignored
>
Ok, the message is missing a few words...
> gorn selinux-usr # semanage login -l
>
> Login Name SELinux User MLS/MCS Range
>
> __default__ user_u None
> pebenito staff_u s0
> root root None
>
>
Right, this is s0 being hardcoded in the semanage tool, so the bug needs
to be fixed there.
What I don't like about this is that libsemanage skips the MLS check
now, but still proceeds to write any MLS range found to disk. It should
invalidate an MLS range if it sees one. Will submit another patch on top
of the previous one...
* Re: semanage non MLS breakage
From: Ivan Gyurdiev @ 2006-02-19 12:10 UTC
To: Chris PeBenito; +Cc: Joshua Brindle, Stephen Smalley, SELinux Mail List
>
> What I don't like about this is that libsemanage skips the MLS check
> now, but still proceeds to write any MLS range found to disk. It
> should invalidate an MLS range if it sees one. Will submit another
> patch on top of the previous one...
Hmm, I don't know what to do about this...
There are several options:
1) Treat this as a fatal error. This is by far the simplest solution - we
already know when it happens, just make it fatal. Commit is aborted, and
there's no problem. It seems a bit.... ugly, however, to abort a commit
for which we clearly have all the data, and the user simply has extra
data like MLS attached. Nevertheless, considering the options below, I
think this is probably the best solution.
2) Ignore the problem, call it a feature. The user added MLS context
into a non-MLS supporting policy - it's his/her fault. He or she can
clean up the resulting mess. I don't like this approach though - the
library should be proactive about preventing things that are incorrect,
instead of creating a bigger problem.
3) Invalidate MLS at the beginning so it never proceeds in the library.
This means:
- adding a function to look in the policydb header, and determine
whether it allows mls - I started to write this once before...
- using this function in file parsers
- performing partial validation on individual records through the
dbase_* functions - I don't like this - I prefer full validation when we
have information to do it - i.e. with all modules loaded, after the full
policy has been constructed. This also requires knowing whether the
policydb allows mls, without having a full policydb (while validation at
the end doesn't require that).
4) Invalidate MLS where validation is currently done. The problem is that:
- certain records are validated when they're copied from local
dbase into sepol, where sepol treats this as non-fatal error, so it
doesn't fail, informing the caller. No validation occurs directly on the
local record (so MLS data remains, and can be written to disk)
- In other cases, validation is done in an iterate() handler.
Iterate handlers work on a const copy of the record, and the dbase. We'd
have to change those requirements. This might actually be useful - but
would require a bit more work in sepol to apply changes after iterate()
was called with a temporary record.
5) Don't invalidate MLS, simply don't write it to disk. This looks kind
of like a hack, and not a very good solution - the same problem might
come up elsewhere. It requires:
- passing an argument into the print() function that says MLS or no
MLS.
- informing database_file.c about that argument, which seems a bit
wrong - complication created unnecessarily.
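Added example, not code from this thread or from libsemanage/libsepol: a small C parser for the seusers "name:sename[:mls_range]" format whose trailing colon caused the misparse above, plus a validator applying the consistency rule the patches in this thread move toward (a range is an error when MLS is disabled, and a missing range is an error when MLS is enabled, as context_from_record does for contexts). It splits only on the first two colons, because MLS ranges such as "s0-s0:c0.c1023" contain colons themselves; the struct, function names and sample lines are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Parsed seusers record "name:sename[:mls_range]"; assumed layout, not libsemanage's. */
struct seuser_rec {
    char name[64];
    char sename[64];
    char mls_range[128];  /* "" when the range field is absent or empty */
};

static int copy_field(char *dst, size_t dstlen, const char *src, size_t len) {
    if (len == 0 || len >= dstlen)
        return -1;  /* an empty or oversized name/sename is malformed */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse one seusers line. Only the first two colons separate fields, since an
 * MLS range such as "s0-s0:c0.c1023" contains colons itself. A trailing colon
 * ("root:root:") gives an empty range. Returns 0 on success, -1 if malformed. */
int seuser_parse_line(const char *line, struct seuser_rec *out) {
    const char *c1, *c2;
    memset(out, 0, sizeof(*out));
    c1 = strchr(line, ':');
    if (c1 == NULL)
        return -1;  /* need at least name:sename */
    if (copy_field(out->name, sizeof(out->name), line, (size_t)(c1 - line)) < 0)
        return -1;
    c2 = strchr(c1 + 1, ':');
    if (c2 == NULL)  /* two fields only: no range field at all */
        return copy_field(out->sename, sizeof(out->sename), c1 + 1, strlen(c1 + 1));
    if (copy_field(out->sename, sizeof(out->sename), c1 + 1, (size_t)(c2 - c1 - 1)) < 0)
        return -1;
    if (strlen(c2 + 1) >= sizeof(out->mls_range))
        return -1;
    strcpy(out->mls_range, c2 + 1);  /* may be just "" after a trailing colon */
    return 0;
}

/* Record/policy consistency: a range is an error when MLS is disabled, and a
 * missing range is an error when MLS is enabled (the rule context_from_record
 * applies to contexts). The containment check against the SELinux user's range
 * (sepol_mls_contains) needs a policydb and is omitted. Returns 0 or -1. */
int seuser_validate(const struct seuser_rec *r, int mls_enabled,
                    char *err, size_t errlen) {
    int have_range = r->mls_range[0] != '\0';
    if (mls_enabled && !have_range) {
        snprintf(err, errlen, "MLS is enabled, but no MLS range found for "
                 "Unix user %s", r->name);
        return -1;
    }
    if (!mls_enabled && have_range) {
        snprintf(err, errlen, "MLS is disabled, but MLS range %s was found "
                 "for Unix user %s", r->mls_range, r->name);
        return -1;
    }
    err[0] = '\0';
    return 0;
}

/* Check every line of a seusers buffer against the policy's MLS setting;
 * returns how many lines are malformed or inconsistent. */
int seusers_check_buffer(const char *buf, int mls_enabled) {
    char line[256], err[256];
    struct seuser_rec r;
    const char *p = buf;
    int bad = 0;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len < sizeof(line)) {
            memcpy(line, p, len);
            line[len] = '\0';
        } else {
            strcpy(line, "<line too long>");  /* has no colon, so fails to parse */
        }
        p += len + (nl ? 1 : 0);
        if (line[0] == '\0' || line[0] == '#')
            continue;  /* blank line or comment */
        if (seuser_parse_line(line, &r) < 0) {
            printf("malformed seusers line: %s\n", line);
            bad++;
        } else if (seuser_validate(&r, mls_enabled, err, sizeof(err)) < 0) {
            printf("%s\n", err);
            bad++;
        }
    }
    return bad;
}
```

Run against the quoted seusers.final contents with MLS disabled, the two trailing-colon lines parse as empty ranges and pass, while the hardcoded "pebenito:staff_u:s0" mapping from the semanage output is reported as inconsistent.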
* Re: semanage non MLS breakage
From: Joshua Brindle @ 2006-02-19 16:54 UTC
To: Ivan Gyurdiev; +Cc: Chris PeBenito, Stephen Smalley, SELinux Mail List
Ivan Gyurdiev wrote:
>
>>
>> What I don't like about this is that libsemanage skips the MLS check
>> now, but still proceeds to write any MLS range found to disk. It
>> should invalidate an MLS range if it sees one. Will submit another
>> patch on top of the previous one...
> Hmm, I don't know what to do about this...
> There's several options:
>
> 1) Treat this as fatal error. This is by far the simplest solution -
> we already know when it happens, just make it fatal. Commit is
> aborted, and there's no problem. It seems a bit.... ugly, however, to
> abort a commit for which we clearly have all the data, and the user
> simply has extra data like MLS attached. Nevertheless, considering the
> options below, I think this is probably the best solution.
>
It's an invalid context; I don't think there is anything you *can* do
except fatally error. Consider what would happen if there was a proper
MLS context with multiple levels on an MCS policy...
* Re: semanage non MLS breakage
From: Ivan Gyurdiev @ 2006-02-19 17:17 UTC
To: Joshua Brindle; +Cc: Chris PeBenito, Stephen Smalley, SELinux Mail List
> It's an invalid context, I don't think there is anything you *can* do
> except fatally error. Consider what would happen if there was a proper
> MLS context with multiple levels on an MCS policy...
Well, in that case, patch attached. Also fixes printing of mls_range in
the error case for seuser_validate.
Applies on top of the previous one.
That leaves the semanage tool to audit and fix for non-MLS issues.
Attachment: libsemanage.sepol.mls_fix2.diff (text/x-patch)
diff -Naurp --exclude Makefile --exclude 'fcontext*' --exclude libselinux --exclude genhomedircon.c --exclude direct_api.c --exclude-from excludes old/libsemanage/src/seusers_local.c new/libsemanage/src/seusers_local.c
--- old/libsemanage/src/seusers_local.c 2006-02-17 16:29:48.000000000 -0500
+++ new/libsemanage/src/seusers_local.c 2006-02-19 12:11:55.000000000 -0500
@@ -126,6 +126,7 @@ static int validate_handler(
if (sepol_mls_contains(handle->sepolh, policydb,
user_mls_range, mls_range, &mls_ok) < 0)
goto err;
+
if (!mls_ok) {
ERR(handle, "MLS range %s for Unix user %s "
"exceeds allowed range %s for SELinux user %s",
@@ -133,24 +134,29 @@ static int validate_handler(
goto invalid;
}
- } else if (mls_range)
- WARN(handle, "MLS is disabled, MLS range %s "
- "Unix user %s ignored", mls_range, name);
+ } else if (mls_range) {
+ ERR(handle, "MLS is disabled, but MLS range %s "
+ "was found for Unix user %s", mls_range, name);
+ goto invalid;
+ }
semanage_user_key_free(key);
semanage_user_free(user);
return 0;
err:
- ERR(handle, "could not check if the seuser mapping "
- "%s -> (%s, %s) is valid", name, sename, mls_range);
+ ERR(handle, "could not check if seuser mapping for %s is valid", name);
semanage_user_key_free(key);
semanage_user_free(user);
return -1;
invalid:
- ERR(handle, "seuser mapping %s -> (%s, %s) is invalid",
- name, sename, mls_range);
+ if (mls_range)
+ ERR(handle, "seuser mapping [%s -> (%s, %s)] is invalid",
+ name, sename, mls_range);
+ else
+ ERR(handle, "seuser mapping [%s -> %s] is invalid",
+ name, sename);
semanage_user_key_free(key);
semanage_user_free(user);
return -1;
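Review bot: the new `goto invalid` in the `} else if (mls_range) {` branch reaches `semanage_user_free(user)` on a path where `semanage_user_query` was never called, so `user` must be initialised to NULL at its declaration (outside this hunk) for that free to be safe; please confirm. The `invalid:` label now picks a two- or three-field message depending on `mls_range`, which fixes the earlier "(%s, %s)" print with a NULL range, but the `err:` message drops `sename` altogether instead of using the same conditional, so it reports less than before.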
diff -Naurp --exclude Makefile --exclude 'fcontext*' --exclude libselinux --exclude genhomedircon.c --exclude direct_api.c --exclude-from excludes old/libsepol/src/context.c new/libsepol/src/context.c
--- old/libsepol/src/context.c 2006-01-06 09:36:28.000000000 -0500
+++ new/libsepol/src/context.c 2006-02-19 12:06:45.000000000 -0500
@@ -194,12 +194,11 @@ int context_from_record(
/* MLS */
if (mls && !policydb->mls) {
- WARN(handle, "mls context \"%s\" ignored, since "
- "mls is disabled", mls);
- mls = NULL;
+ ERR(handle, "MLS is disabled, but MLS context \"%s\" found", mls);
+ goto err_destroy;
}
else if (!mls && policydb->mls) {
- ERR(handle, "mls is enabled, but no mls context found");
+ ERR(handle, "MLS is enabled, but no MLS context found");
goto err_destroy;
}
if (mls && (mls_from_string(handle, policydb, mls, scontext) < 0))
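Review bot: replacing the WARN-and-`mls = NULL` with `ERR(...); goto err_destroy;` changes behaviour for every caller of `context_from_record`: a record carrying an MLS field on a non-MLS policy now fails to load instead of being accepted without it. That is the right outcome for an invalid context, but any tool that still hardcodes a range such as "s0" (as the semanage output quoted earlier in this thread shows) will now fail at commit, so the semanage fix needs to land with this. For consistency with the users.c hunk, the message could also name the record it applies to.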
diff -Naurp --exclude Makefile --exclude 'fcontext*' --exclude libselinux --exclude genhomedircon.c --exclude direct_api.c --exclude-from excludes old/libsepol/src/users.c new/libsepol/src/users.c
--- old/libsepol/src/users.c 2006-02-17 16:29:48.000000000 -0500
+++ new/libsepol/src/users.c 2006-02-19 12:07:32.000000000 -0500
@@ -219,10 +219,10 @@ int sepol_user_modify(
}
context_destroy(&context);
- } else {
- if (cmls_level != NULL || cmls_range != NULL)
- WARN(handle, "MLS is disabled, MLS level/range "
- "ignored for user %s", cname);
+ } else if (cmls_level != NULL || cmls_range != NULL) {
+ ERR(handle, "MLS is disabled, but MLS level/range "
+ "was found for user %s", cname);
+ goto err;
}
/* If there are no errors, and this is a new user, add the user to policy */
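Review bot: the new `goto err` in `} else if (cmls_level != NULL || cmls_range != NULL) {` jumps to the error label from a branch where `context` was never initialised (the `context_destroy(&context)` in the context lines above belongs to the MLS path only); make sure the `err:` cleanup does not call `context_destroy` unconditionally, or initialise `context` before the branch.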
* Re: semanage non MLS breakage
From: Stephen Smalley @ 2006-02-22 15:49 UTC
To: Ivan Gyurdiev; +Cc: Joshua Brindle, Chris PeBenito, SELinux Mail List
On Sun, 2006-02-19 at 12:17 -0500, Ivan Gyurdiev wrote:
> > It's an invalid context, I don't think there is anything you *can* do
> > except fatally error. Consider what would happen if there was a proper
> > MLS context with multiple levels on an MCS policy...
> Well, in that case, patch attached. Also fixes printing of mls_range in
> the error case for seuser_validate.
> Applies on top of the previous one.
>
> That leaves the semanage tool to audit and fix for non-MLS issues.
Merged both patches (libsepol 1.11.19, libsemanage 1.5.29). As noted by
Ivan, semanage still needs to be modified to not presume MLS.
--
Stephen Smalley
National Security Agency