Help with python seobject.loginRecords

Help with python seobject.loginRecords

[Joe Nall]

I need to add login mappings in python firstboot modules during system  
configuration. In my first module a simple:

seobject.loginRecords().add(username, "siterep_u", "SystemLow- 
SystemHigh")

works. In subsequent modules, I get an exception:

libsemanage.enter_rw: this operation requires a transaction
libsemanage.enter_rw: could not enter read-write section
Traceback (most recent call last):
   File "./t", line 6, in <module>
     seobject.loginRecords().add("test3", "sysadm_u", "SystemLow- 
SystemHigh")
   File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in  
add
     raise error
ValueError: Could not add login mapping for test3

What is the right way to do this?

joe


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Help with python seobject.loginRecords

[Daniel J Walsh]

On 03/11/2009 12:15 PM, Joe Nall wrote:
> I need to add login mappings in python firstboot modules during system
> configuration. In my first module a simple:
>
> seobject.loginRecords().add(username, "siterep_u", "SystemLow-SystemHigh")
>
> works. In subsequent modules, I get an exception:
>
> libsemanage.enter_rw: this operation requires a transaction
> libsemanage.enter_rw: could not enter read-write section
> Traceback (most recent call last):
> File "./t", line 6, in <module>
> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
> raise error
> ValueError: Could not add login mapping for test3
>
> What is the right way to do this?
>
> joe
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.
Probably an MLS issue.  firtstboot is running in a context that is not 
allowed to lock/manage selinux.

You probably should exec semanage rather then calling seobject so you 
could do a transition and not have to give a huge app like first boot 
the ability to manage security policy.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Help with python seobject.loginRecords

[Joe Nall]

On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:

> On 03/11/2009 12:15 PM, Joe Nall wrote:
>> I need to add login mappings in python firstboot modules during  
>> system
>> configuration. In my first module a simple:
>>
>> seobject.loginRecords().add(username, "siterep_u", "SystemLow- 
>> SystemHigh")
>>
>> works. In subsequent modules, I get an exception:
>>
>> libsemanage.enter_rw: this operation requires a transaction
>> libsemanage.enter_rw: could not enter read-write section
>> Traceback (most recent call last):
>> File "./t", line 6, in <module>
>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow- 
>> SystemHigh")
>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in  
>> add
>> raise error
>> ValueError: Could not add login mapping for test3
>>
>> What is the right way to do this?
>>
>> joe
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing  
>> list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>> with
>> the words "unsubscribe selinux" without quotes as the message.
> Probably an MLS issue.  firtstboot is running in a context that is  
> not allowed to lock/manage selinux.

I'm installing in permissive and switching to enforcing after  
firstboot. You are correct that firstboot_t doesn't have the policy  
for all the stuff I'm trying to do yet.

> You probably should exec semanage rather then calling seobject so  
> you could do a transition and not have to give a huge app like first  
> boot the ability to manage security policy.

That is what is installing right now. I would still like an  
explanation/code snippet of correct usage for future use

joe



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Help with python seobject.loginRecords

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe Nall wrote:
> 
> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
> 
>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>> I need to add login mappings in python firstboot modules during system
>>> configuration. In my first module a simple:
>>>
>>> seobject.loginRecords().add(username, "siterep_u",
>>> "SystemLow-SystemHigh")
>>>
>>> works. In subsequent modules, I get an exception:
>>>
>>> libsemanage.enter_rw: this operation requires a transaction
>>> libsemanage.enter_rw: could not enter read-write section
>>> Traceback (most recent call last):
>>> File "./t", line 6, in <module>
>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>> raise error
>>> ValueError: Could not add login mapping for test3
>>>
>>> What is the right way to do this?
>>>
>>> joe
>>>
>>>
>>> -- 
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>> with
>>> the words "unsubscribe selinux" without quotes as the message.
>> Probably an MLS issue.  firtstboot is running in a context that is not
>> allowed to lock/manage selinux.
> 
> I'm installing in permissive and switching to enforcing after firstboot.
> You are correct that firstboot_t doesn't have the policy for all the
> stuff I'm trying to do yet.
> 
>> You probably should exec semanage rather then calling seobject so you
>> could do a transition and not have to give a huge app like first boot
>> the ability to manage security policy.
> 
> That is what is installing right now. I would still like an
> explanation/code snippet of correct usage for future use
> 
> joe
> 
> 
Looks at system-config-selinux,  does it all over the place.

commands.getstatusoutput("semanage ...")

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkm4HDUACgkQrlYvE4MpobM7UwCfa63yef/yTXkqJXw5QqaygCfm
qMsAnix/6yGKm33Wq7ulyga6S3oaUvZh
=LQDc
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Help with python seobject.loginRecords

[Joe Nall]

On Mar 11, 2009, at 3:16 PM, Daniel J Walsh wrote:

>> ...
> Looks at system-config-selinux,  does it all over the place.
>
> commands.getstatusoutput("semanage ...")

I meant the python code :)

joe



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Help with python seobject.loginRecords

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe Nall wrote:
> 
> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
> 
>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>> I need to add login mappings in python firstboot modules during system
>>> configuration. In my first module a simple:
>>>
>>> seobject.loginRecords().add(username, "siterep_u",
>>> "SystemLow-SystemHigh")
>>>
>>> works. In subsequent modules, I get an exception:
>>>
>>> libsemanage.enter_rw: this operation requires a transaction
>>> libsemanage.enter_rw: could not enter read-write section
>>> Traceback (most recent call last):
>>> File "./t", line 6, in <module>
>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>> raise error
>>> ValueError: Could not add login mapping for test3
>>>
>>> What is the right way to do this?
>>>
>>> joe
>>>
>>>
>>> -- 
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>> with
>>> the words "unsubscribe selinux" without quotes as the message.
>> Probably an MLS issue.  firtstboot is running in a context that is not
>> allowed to lock/manage selinux.
> 
> I'm installing in permissive and switching to enforcing after firstboot.
> You are correct that firstboot_t doesn't have the policy for all the
> stuff I'm trying to do yet.
> 
>> You probably should exec semanage rather then calling seobject so you
>> could do a transition and not have to give a huge app like first boot
>> the ability to manage security policy.
> 
> That is what is installing right now. I would still like an
> explanation/code snippet of correct usage for future use
> 
> joe
> 
> 
This works on F10 Targeted policy

# python -c "import seobject; seobject.loginRecords().add("pwalsh",
"staff_u", "s0")
# python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'

Could it be a translation problem?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkm4I80ACgkQrlYvE4MpobPITACgj0orf8wCagcwCJS0oPLnnlqP
oPQAoJfLLAn5mTAQ2uem/RFhZj4M3qqW
=rYfA
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Help with python seobject.loginRecords

[Stephen Smalley]

On Wed, 2009-03-11 at 16:49 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Joe Nall wrote:
> > 
> > On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
> > 
> >> On 03/11/2009 12:15 PM, Joe Nall wrote:
> >>> I need to add login mappings in python firstboot modules during system
> >>> configuration. In my first module a simple:
> >>>
> >>> seobject.loginRecords().add(username, "siterep_u",
> >>> "SystemLow-SystemHigh")
> >>>
> >>> works. In subsequent modules, I get an exception:
> >>>
> >>> libsemanage.enter_rw: this operation requires a transaction
> >>> libsemanage.enter_rw: could not enter read-write section
> >>> Traceback (most recent call last):
> >>> File "./t", line 6, in <module>
> >>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
> >>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
> >>> raise error
> >>> ValueError: Could not add login mapping for test3
> >>>
> >>> What is the right way to do this?
> >>>
> >>> joe
> >>>
> >>>
> >>> -- 
> >>> This message was distributed to subscribers of the selinux mailing list.
> >>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> >>> with
> >>> the words "unsubscribe selinux" without quotes as the message.
> >> Probably an MLS issue.  firtstboot is running in a context that is not
> >> allowed to lock/manage selinux.
> > 
> > I'm installing in permissive and switching to enforcing after firstboot.
> > You are correct that firstboot_t doesn't have the policy for all the
> > stuff I'm trying to do yet.
> > 
> >> You probably should exec semanage rather then calling seobject so you
> >> could do a transition and not have to give a huge app like first boot
> >> the ability to manage security policy.
> > 
> > That is what is installing right now. I would still like an
> > explanation/code snippet of correct usage for future use
> > 
> > joe
> > 
> > 
> This works on F10 Targeted policy
> 
> # python -c "import seobject; seobject.loginRecords().add("pwalsh",
> "staff_u", "s0")
> # python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'
> 
> Could it be a translation problem?

Try running multiple calls within the same python interpreter.
I think seobject.py isn't using libsemanage correctly.  For example, in
add(), you do:
                       self.begin()
                        self.__add(name, sename, serange)
                        self.commit()
but begin() only ever invokes semanage_begin_transaction() the very
first time:
       def begin(self):
               if self.transaction:
                      return
               rc = semanage_begin_transaction(self.sh)

So after the first commit(), you'll start failing.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Help with python seobject.loginRecords

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 2873 bytes --]

On 03/11/2009 05:00 PM, Stephen Smalley wrote:
> On Wed, 2009-03-11 at 16:49 -0400, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Joe Nall wrote:
>>> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
>>>
>>>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>>>> I need to add login mappings in python firstboot modules during system
>>>>> configuration. In my first module a simple:
>>>>>
>>>>> seobject.loginRecords().add(username, "siterep_u",
>>>>> "SystemLow-SystemHigh")
>>>>>
>>>>> works. In subsequent modules, I get an exception:
>>>>>
>>>>> libsemanage.enter_rw: this operation requires a transaction
>>>>> libsemanage.enter_rw: could not enter read-write section
>>>>> Traceback (most recent call last):
>>>>> File "./t", line 6, in<module>
>>>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>>>> raise error
>>>>> ValueError: Could not add login mapping for test3
>>>>>
>>>>> What is the right way to do this?
>>>>>
>>>>> joe
>>>>>
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>>> with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>> Probably an MLS issue.  firtstboot is running in a context that is not
>>>> allowed to lock/manage selinux.
>>> I'm installing in permissive and switching to enforcing after firstboot.
>>> You are correct that firstboot_t doesn't have the policy for all the
>>> stuff I'm trying to do yet.
>>>
>>>> You probably should exec semanage rather then calling seobject so you
>>>> could do a transition and not have to give a huge app like first boot
>>>> the ability to manage security policy.
>>> That is what is installing right now. I would still like an
>>> explanation/code snippet of correct usage for future use
>>>
>>> joe
>>>
>>>
>> This works on F10 Targeted policy
>>
>> # python -c "import seobject; seobject.loginRecords().add("pwalsh",
>> "staff_u", "s0")
>> # python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'
>>
>> Could it be a translation problem?
>
> Try running multiple calls within the same python interpreter.
> I think seobject.py isn't using libsemanage correctly.  For example, in
> add(), you do:
>                         self.begin()
>                          self.__add(name, sename, serange)
>                          self.commit()
> but begin() only ever invokes semanage_begin_transaction() the very
> first time:
>         def begin(self):
>                 if self.transaction:
>                        return
>                 rc = semanage_begin_transaction(self.sh)
>
> So after the first commit(), you'll start failing.
>
I think this patch fixes the transaction patch in semanage.

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 2408 bytes --]

diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.62/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/semanage/semanage	2009-03-12 09:22:45.000000000 -0400
@@ -464,10 +464,10 @@
                       else:
                              fd = open(input, 'r')
                       trans = seobject.semanageRecords(store)
-                      trans.begin()
+                      trans.start()
                       for l in fd.readlines():
                              process_args(mkargv(l))
-                      trans.commit()
+                      trans.finish()
                else:
                       process_args(sys.argv[1:])
 			
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.62/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2008-11-14 17:10:15.000000000 -0500
+++ policycoreutils-2.0.62/semanage/seobject.py	2009-03-12 09:25:27.000000000 -0400
@@ -281,15 +281,20 @@
                global handle
                       
                if handle != None:
-                      self.transaction = True
                       self.sh = handle
                else:
                       self.sh=get_handle(store)
-                      self.transaction = False
+               self.transaction = False
 
         def deleteall(self):
                raise ValueError(_("Not yet implemented"))
 
+        def start(self):
+               if self.transaction:
+                      raise ValueError(_("Semanage transaction already in progress"))
+               self.begin()
+               self.transaction = True
+
         def begin(self):
                if self.transaction:
                       return
@@ -303,6 +308,12 @@
                if rc < 0:
                       raise ValueError(_("Could not commit semanage transaction"))
 
+        def finish(self):
+               if not self.transaction:
+                      raise ValueError(_("Semanage transaction not in progress"))
+               self.transaction = False
+               self.commit()
+
 class permissiveRecords(semanageRecords):
 	def __init__(self, store):
                semanageRecords.__init__(self, store)

Re: Help with python seobject.loginRecords

[Chad Sellers]

On 3/12/09 9:29 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:

> On 03/11/2009 05:00 PM, Stephen Smalley wrote:
>> On Wed, 2009-03-11 at 16:49 -0400, Daniel J Walsh wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>> 
>>> Joe Nall wrote:
>>>> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
>>>> 
>>>>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>>>>> I need to add login mappings in python firstboot modules during system
>>>>>> configuration. In my first module a simple:
>>>>>> 
>>>>>> seobject.loginRecords().add(username, "siterep_u",
>>>>>> "SystemLow-SystemHigh")
>>>>>> 
>>>>>> works. In subsequent modules, I get an exception:
>>>>>> 
>>>>>> libsemanage.enter_rw: this operation requires a transaction
>>>>>> libsemanage.enter_rw: could not enter read-write section
>>>>>> Traceback (most recent call last):
>>>>>> File "./t", line 6, in<module>
>>>>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>>>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>>>>> raise error
>>>>>> ValueError: Could not add login mapping for test3
>>>>>> 
>>>>>> What is the right way to do this?
>>>>>> 
>>>>>> joe
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>>>> with
>>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>> Probably an MLS issue.  firtstboot is running in a context that is not
>>>>> allowed to lock/manage selinux.
>>>> I'm installing in permissive and switching to enforcing after firstboot.
>>>> You are correct that firstboot_t doesn't have the policy for all the
>>>> stuff I'm trying to do yet.
>>>> 
>>>>> You probably should exec semanage rather then calling seobject so you
>>>>> could do a transition and not have to give a huge app like first boot
>>>>> the ability to manage security policy.
>>>> That is what is installing right now. I would still like an
>>>> explanation/code snippet of correct usage for future use
>>>> 
>>>> joe
>>>> 
>>>> 
>>> This works on F10 Targeted policy
>>> 
>>> # python -c "import seobject; seobject.loginRecords().add("pwalsh",
>>> "staff_u", "s0")
>>> # python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'
>>> 
>>> Could it be a translation problem?
>> 
>> Try running multiple calls within the same python interpreter.
>> I think seobject.py isn't using libsemanage correctly.  For example, in
>> add(), you do:
>>                         self.begin()
>>                          self.__add(name, sename, serange)
>>                          self.commit()
>> but begin() only ever invokes semanage_begin_transaction() the very
>> first time:
>>         def begin(self):
>>                 if self.transaction:
>>                        return
>>                 rc = semanage_begin_transaction(self.sh)
>> 
>> So after the first commit(), you'll start failing.
>> 
> I think this patch fixes the transaction patch in semanage.

Patch looks good to me.

Acked-by: Chad Sellers <csellers@tresys.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Help with python seobject.loginRecords

[Joshua Brindle]

Chad Sellers wrote:
> On 3/12/09 9:29 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
> 
>> On 03/11/2009 05:00 PM, Stephen Smalley wrote:
>>> On Wed, 2009-03-11 at 16:49 -0400, Daniel J Walsh wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Joe Nall wrote:
>>>>> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
>>>>>
>>>>>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>>>>>> I need to add login mappings in python firstboot modules during system
>>>>>>> configuration. In my first module a simple:
>>>>>>>
>>>>>>> seobject.loginRecords().add(username, "siterep_u",
>>>>>>> "SystemLow-SystemHigh")
>>>>>>>
>>>>>>> works. In subsequent modules, I get an exception:
>>>>>>>
>>>>>>> libsemanage.enter_rw: this operation requires a transaction
>>>>>>> libsemanage.enter_rw: could not enter read-write section
>>>>>>> Traceback (most recent call last):
>>>>>>> File "./t", line 6, in<module>
>>>>>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>>>>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>>>>>> raise error
>>>>>>> ValueError: Could not add login mapping for test3
>>>>>>>
>>>>>>> What is the right way to do this?
>>>>>>>
>>>>>>> joe
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>>>>> with
>>>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>>> Probably an MLS issue.  firtstboot is running in a context that is not
>>>>>> allowed to lock/manage selinux.
>>>>> I'm installing in permissive and switching to enforcing after firstboot.
>>>>> You are correct that firstboot_t doesn't have the policy for all the
>>>>> stuff I'm trying to do yet.
>>>>>
>>>>>> You probably should exec semanage rather then calling seobject so you
>>>>>> could do a transition and not have to give a huge app like first boot
>>>>>> the ability to manage security policy.
>>>>> That is what is installing right now. I would still like an
>>>>> explanation/code snippet of correct usage for future use
>>>>>
>>>>> joe
>>>>>
>>>>>
>>>> This works on F10 Targeted policy
>>>>
>>>> # python -c "import seobject; seobject.loginRecords().add("pwalsh",
>>>> "staff_u", "s0")
>>>> # python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'
>>>>
>>>> Could it be a translation problem?
>>> Try running multiple calls within the same python interpreter.
>>> I think seobject.py isn't using libsemanage correctly.  For example, in
>>> add(), you do:
>>>                         self.begin()
>>>                          self.__add(name, sename, serange)
>>>                          self.commit()
>>> but begin() only ever invokes semanage_begin_transaction() the very
>>> first time:
>>>         def begin(self):
>>>                 if self.transaction:
>>>                        return
>>>                 rc = semanage_begin_transaction(self.sh)
>>>
>>> So after the first commit(), you'll start failing.
>>>
>> I think this patch fixes the transaction patch in semanage.
> 
> Patch looks good to me.
> 
> Acked-by: Chad Sellers <csellers@tresys.com>
> 

Merged in policycoreutils-2.0.63

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Help with python seobject.loginRecords

[Joe Nall]

On Mar 11, 2009, at 3:49 PM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Joe Nall wrote:
>>
>> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
>>
>>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>>> I need to add login mappings in python firstboot modules during  
>>>> system
>>>> configuration. In my first module a simple:
>>>>
>>>> seobject.loginRecords().add(username, "siterep_u",
>>>> "SystemLow-SystemHigh")
>>>>
>>>> works. In subsequent modules, I get an exception:
>>>>
>>>> libsemanage.enter_rw: this operation requires a transaction
>>>> libsemanage.enter_rw: could not enter read-write section
>>>> Traceback (most recent call last):
>>>> File "./t", line 6, in <module>
>>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow- 
>>>> SystemHigh")
>>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442,  
>>>> in add
>>>> raise error
>>>> ValueError: Could not add login mapping for test3
>>>>
>>>> What is the right way to do this?
>>>>
>>>> joe
>>>>
>>>>
>>>> -- 
>>>> This message was distributed to subscribers of the selinux  
>>>> mailing list.
>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>> with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>> Probably an MLS issue.  firtstboot is running in a context that is  
>>> not
>>> allowed to lock/manage selinux.
>>
>> I'm installing in permissive and switching to enforcing after  
>> firstboot.
>> You are correct that firstboot_t doesn't have the policy for all the
>> stuff I'm trying to do yet.
>>
>>> You probably should exec semanage rather then calling seobject so  
>>> you
>>> could do a transition and not have to give a huge app like first  
>>> boot
>>> the ability to manage security policy.
>>
>> That is what is installing right now. I would still like an
>> explanation/code snippet of correct usage for future use
>>
>> joe
>>
>>
> This works on F10 Targeted policy
>
> # python -c "import seobject; seobject.loginRecords().add("pwalsh",
> "staff_u", "s0")
> # python -c 'import seobject;  
> seobject.loginRecords().delete("pwalsh")'
>
> Could it be a translation problem?

I don't think so, mcstrans is installed and running at this point in  
the install. Try this, sometimes it works, sometimes it fails with:

[joe@fast firstboot]$ sudo ./t
libsemanage.enter_rw: this operation requires a transaction
libsemanage.enter_rw: could not enter read-write section
Traceback (most recent call last):
   File "./t", line 7, in <module>
     seobject.loginRecords().delete("pwalsh")
   File "/usr/lib64/python2.5/site-packages/seobject.py", line 526, in  
delete
     raise error
ValueError: Could not delete login mapping for pwalsh

------------

#!/usr/bin/python

import seobject

seobject.loginRecords().add("pwalsh", "staff_u", "s0")

seobject.loginRecords().delete("pwalsh")

seobject.loginRecords().add("pwalsh", "staff_u", "s0")

seobject.loginRecords().delete("pwalsh")

joe



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.