Message-ID: <4A117E83.8090903@manicmethod.com>
Date: Mon, 18 May 2009 11:28:03 -0400
From: Joshua Brindle
To: Chad Sellers
CC: Daniel J Walsh, Stephen Smalley, Joe Nall, SELinux List, Joshua Brindle
Subject: Re: Help with python seobject.loginRecords
List-Id: selinux@tycho.nsa.gov

Chad Sellers wrote:
> On 3/12/09 9:29 AM, "Daniel J Walsh" wrote:
>
>> On 03/11/2009 05:00 PM, Stephen Smalley wrote:
>>> On Wed, 2009-03-11 at 16:49 -0400, Daniel J Walsh wrote:
>>>> Joe Nall wrote:
>>>>> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
>>>>>
>>>>>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>>>>>> I need to add login mappings in python firstboot modules during system
>>>>>>> configuration. In my first module a simple:
>>>>>>>
>>>>>>>     seobject.loginRecords().add(username, "siterep_u",
>>>>>>>                                 "SystemLow-SystemHigh")
>>>>>>>
>>>>>>> works. In subsequent modules, I get an exception:
>>>>>>>
>>>>>>>     libsemanage.enter_rw: this operation requires a transaction
>>>>>>>     libsemanage.enter_rw: could not enter read-write section
>>>>>>>     Traceback (most recent call last):
>>>>>>>       File "./t", line 6, in
>>>>>>>         seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>>>>>>       File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>>>>>>         raise error
>>>>>>>     ValueError: Could not add login mapping for test3
>>>>>>>
>>>>>>> What is the right way to do this?
>>>>>>>
>>>>>>> joe
>>>>>>>
>>>>>>> --
>>>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>>>>> with the words "unsubscribe selinux" without quotes as the message.
>>>>>>
>>>>>> Probably an MLS issue. firstboot is running in a context that is not
>>>>>> allowed to lock/manage selinux.
>>>>>
>>>>> I'm installing in permissive and switching to enforcing after firstboot.
>>>>> You are correct that firstboot_t doesn't have the policy for all the
>>>>> stuff I'm trying to do yet.
>>>>>
>>>>>> You probably should exec semanage rather than calling seobject so you
>>>>>> could do a transition and not have to give a huge app like first boot
>>>>>> the ability to manage security policy.
>>>>>
>>>>> That is what is installing right now. I would still like an
>>>>> explanation/code snippet of correct usage for future use.
>>>>>
>>>>> joe
>>>>
>>>> This works on F10 Targeted policy:
>>>>
>>>>     # python -c 'import seobject; seobject.loginRecords().add("pwalsh", "staff_u", "s0")'
>>>>     # python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'
>>>>
>>>> Could it be a translation problem?
>>>
>>> Try running multiple calls within the same python interpreter.
>>> I think seobject.py isn't using libsemanage correctly. For example, in
>>> add(), you do:
>>>
>>>     self.begin()
>>>     self.__add(name, sename, serange)
>>>     self.commit()
>>>
>>> but begin() only ever invokes semanage_begin_transaction() the very
>>> first time:
>>>
>>>     def begin(self):
>>>         if self.transaction:
>>>             return
>>>         rc = semanage_begin_transaction(self.sh)
>>>
>>> So after the first commit(), you'll start failing.
>>
>> I think this patch fixes the transaction patch in semanage.
>
> Patch looks good to me.
>
> Acked-by: Chad Sellers

Merged in policycoreutils-2.0.63
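An added illustration of the begin()/commit() state bug Stephen describes in the thread (example code, not seobject.py and not the merged patch): a stand-in for the libsemanage handle that refuses writes outside a transaction, a wrapper with the quoted begin() whose transaction flag is never cleared, and a corrected wrapper that clears the flag on commit. Clearing the flag in commit() is an assumed fix for illustration, not a claim about what the actual patch changed.

```python
class FakeSemanageHandle:
    # Stand-in for libsemanage: writes are refused outside a transaction.
    def __init__(self):
        self.in_transaction = False
        self.logins = {}
    def begin_transaction(self):
        self.in_transaction = True
    def commit(self):
        self.in_transaction = False
    def add_login(self, name, sename, serange):
        if not self.in_transaction:
            # Plays the role of libsemanage.enter_rw refusing the write.
            raise ValueError("Could not add login mapping for %s" % name)
        self.logins[name] = (sename, serange)

class BuggyLoginRecords:
    # Same shape as the seobject.py code quoted in the thread.
    def __init__(self, sh):
        self.sh = sh
        self.transaction = False
    def begin(self):
        if self.transaction:
            return
        self.sh.begin_transaction()
        self.transaction = True
    def commit(self):
        self.sh.commit()
        # Bug: self.transaction is never cleared, so the next begin() is a no-op.
    def add(self, name, sename, serange):
        self.begin()
        self.sh.add_login(name, sename, serange)
        self.commit()

class FixedLoginRecords(BuggyLoginRecords):
    def commit(self):
        self.sh.commit()
        self.transaction = False  # Assumed fix: reset the flag after commit.

def add_in_one_interpreter(records_cls, names):
    # Returns how many mappings were added before the first failure,
    # mimicking several add() calls from one python process.
    r = records_cls(FakeSemanageHandle())
    added = 0
    for name in names:
        try:
            r.add(name, "sysadm_u", "SystemLow-SystemHigh")  # constructed sample values
        except ValueError:
            break
        added += 1
    return added
```

With the buggy wrapper only the first add() succeeds; with the flag reset on commit every call gets its own transaction.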