* MLS required even when MLS is disabled?
@ 2013-11-25 20:12 Sven Vermeulen
  2013-11-25 20:21 ` Stephen Smalley
  2013-11-25 21:18 ` Daniel J Walsh
  0 siblings, 2 replies; 7+ messages in thread
From: Sven Vermeulen @ 2013-11-25 20:12 UTC (permalink / raw)
  To: selinux

Hi all

I have a report that mentions that the new userspace release does not like
non-MLS policies:

# semanage fcontext -a -t swapfile_t "/swapfile"
libsepol.context_from_record: MLS is disabled, but MLS context "s0" found (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:swapfile_t:s0 specified for /swapfile [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
OSError: Invalid argument

# semanage login -a -s staff_u amade            
libsemanage.validate_handler: MLS is disabled, but MLS range s0 was found for Unix user amade (No such file or directory).
libsemanage.validate_handler: seuser mapping [amade -> (staff_u, s0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
OSError: No such file or directory

Any idea what could be the cause of this?

Wkr,
	Sven Vermeulen

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: MLS required even when MLS is disabled?
  2013-11-25 20:12 MLS required even when MLS is disabled? Sven Vermeulen
@ 2013-11-25 20:21 ` Stephen Smalley
  2013-11-26 19:08   ` Stephen Smalley
  2013-11-25 21:18 ` Daniel J Walsh
  1 sibling, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2013-11-25 20:21 UTC (permalink / raw)
  To: Sven Vermeulen, selinux, Daniel J Walsh

On 11/25/2013 03:12 PM, Sven Vermeulen wrote:
> Hi all
> 
> I have a report that mentions that the new userspace release does not like
> non-MLS policies:
> 
> # semanage fcontext -a -t swapfile_t "/swapfile"
> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found (No such file or directory).
> libsepol.context_from_record: could not create context structure (Invalid argument).
> libsemanage.validate_handler: invalid context system_u:object_r:swapfile_t:s0 specified for /swapfile [all files] (Invalid argument).
> libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
> OSError: Invalid argument
> 
> # semanage login -a -s staff_u amade            
> libsemanage.validate_handler: MLS is disabled, but MLS range s0 was found for Unix user amade (No such file or directory).
> libsemanage.validate_handler: seuser mapping [amade -> (staff_u, s0)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> OSError: No such file or directory
> 
> Any idea what could be the cause of this?

Probably this one.




[-- Attachment #2: 0001-If-users-of-seobject-set-serange-or-seuser-to-we-nee.patch --]
[-- Type: text/x-patch; name="0001-If-users-of-seobject-set-serange-or-seuser-to-we-nee.patch", Size: 0 bytes --]




* Re: MLS required even when MLS is disabled?
  2013-11-25 20:12 MLS required even when MLS is disabled? Sven Vermeulen
  2013-11-25 20:21 ` Stephen Smalley
@ 2013-11-25 21:18 ` Daniel J Walsh
  1 sibling, 0 replies; 7+ messages in thread
From: Daniel J Walsh @ 2013-11-25 21:18 UTC (permalink / raw)
  To: Sven Vermeulen, selinux

On 11/25/2013 03:12 PM, Sven Vermeulen wrote:
> Hi all
> 
> I have a report that mentions that the new userspace release does not like 
> non-MLS policies:
> 
> # semanage fcontext -a -t swapfile_t "/swapfile"
> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found (No such file or directory).
> libsepol.context_from_record: could not create context structure (Invalid argument).
> libsemanage.validate_handler: invalid context system_u:object_r:swapfile_t:s0 specified for /swapfile [all files] (Invalid argument).
> libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
> OSError: Invalid argument
> 
> # semanage login -a -s staff_u amade
> libsemanage.validate_handler: MLS is disabled, but MLS range s0 was found for Unix user amade (No such file or directory).
> libsemanage.validate_handler: seuser mapping [amade -> (staff_u, s0)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> OSError: No such file or directory
> 
Could be a bug in seobject.py
> Any idea what could be the cause of this?
> 
> Wkr, Sven Vermeulen
> 
> -- This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes
> as the message.
> 
> 


* Re: MLS required even when MLS is disabled?
  2013-11-25 20:21 ` Stephen Smalley
@ 2013-11-26 19:08   ` Stephen Smalley
  2013-12-08 13:22     ` Sven Vermeulen
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2013-11-26 19:08 UTC (permalink / raw)
  To: Sven Vermeulen, selinux, Daniel J Walsh

On 11/25/2013 03:21 PM, Stephen Smalley wrote:
> On 11/25/2013 03:12 PM, Sven Vermeulen wrote:
>> Hi all
>>
>> I have a report that mentions that the new userspace release does not like
>> non-MLS policies:
>>
>> # semanage fcontext -a -t swapfile_t "/swapfile"
>> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found (No such file or directory).
>> libsepol.context_from_record: could not create context structure (Invalid argument).
>> libsemanage.validate_handler: invalid context system_u:object_r:swapfile_t:s0 specified for /swapfile [all files] (Invalid argument).
>> libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
>> OSError: Invalid argument
>>
>> # semanage login -a -s staff_u amade            
>> libsemanage.validate_handler: MLS is disabled, but MLS range s0 was found for Unix user amade (No such file or directory).
>> libsemanage.validate_handler: seuser mapping [amade -> (staff_u, s0)] is invalid (No such file or directory).
>> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
>> OSError: No such file or directory
>>
>> Any idea what could be the cause of this?
> 
> Probably this one.

Reverted.  Pushed as policycoreutils-2.2.4.
Will accept a new patch on next that does it conditionally under the mls
enabled case.




* Re: MLS required even when MLS is disabled?
  2013-11-26 19:08   ` Stephen Smalley
@ 2013-12-08 13:22     ` Sven Vermeulen
  2013-12-09 13:51       ` Daniel J Walsh
  2013-12-09 14:09       ` Stephen Smalley
  0 siblings, 2 replies; 7+ messages in thread
From: Sven Vermeulen @ 2013-12-08 13:22 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Sven Vermeulen, selinux, Daniel J Walsh

On Tue, Nov 26, 2013 at 02:08:52PM -0500, Stephen Smalley wrote:
> Reverted.  Pushed as policycoreutils-2.2.4.
> Will accept a new patch on next that does it conditionally under the mls
> enabled case.

Another issue related to this one is that, when semanage is called, it sets
the MLS level (s0) and range (s0) as default. This still triggers the MLS
warning.

"""
def parser_add_level(parser, name):
    parser.add_argument('-L', '--level', default='s0',
                        help=_('Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)'))
def parser_add_range(parser, name):
    parser.add_argument('-r', '--range', default="s0",
      help=_('''
"""

With policycoreutils-2.2.4:

"""
# semanage port -a -t ssh_port_t -p tcp 2222
libsepol.context_from_record: MLS is disabled, but MLS context "s0" found
libsepol.context_from_record: could not create context structure (Invalid argument).
libsepol.port_from_record: could not create port structure for range 2222:2222 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 2222 - 2222 (tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
OSError: Invalid argument
"""

If I explicitly mark the range as empty, it works:

"""
# semanage port -a -t ssh_port_t -p tcp 2222 -r ""
# echo $?
0
"""

Wkr,
	Sven Vermeulen


* Re: MLS required even when MLS is disabled?
  2013-12-08 13:22     ` Sven Vermeulen
@ 2013-12-09 13:51       ` Daniel J Walsh
  2013-12-09 14:09       ` Stephen Smalley
  1 sibling, 0 replies; 7+ messages in thread
From: Daniel J Walsh @ 2013-12-09 13:51 UTC (permalink / raw)
  To: Sven Vermeulen, Stephen Smalley; +Cc: selinux

On 12/08/2013 08:22 AM, Sven Vermeulen wrote:
> On Tue, Nov 26, 2013 at 02:08:52PM -0500, Stephen Smalley wrote:
>> Reverted.  Pushed as policycoreutils-2.2.4. Will accept a new patch on
>> next that does it conditionally under the mls enabled case.
> 
> Another issue related to this one is that, when semanage is called, it
> sets the MLS level (s0) and range (s0) as default. This still triggers the
> MLS warning.
> 
> """
> def parser_add_level(parser, name):
>     parser.add_argument('-L', '--level', default='s0',
>                         help=_('Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)'))
> def parser_add_range(parser, name):
>     parser.add_argument('-r', '--range', default="s0",
>       help=_('''
> """
> 
> With policycoreutils-2.2.4:
> 
> """
> # semanage port -a -t ssh_port_t -p tcp 2222
> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found
> libsepol.context_from_record: could not create context structure (Invalid argument).
> libsepol.port_from_record: could not create port structure for range 2222:2222 (tcp) (Invalid argument).
> libsepol.sepol_port_modify: could not load port range 2222 - 2222 (tcp) (Invalid argument).
> libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
> libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
> OSError: Invalid argument
> """
> 
> If I explicitly mark the range as empty, it works:
> 
> """
> # semanage port -a -t ssh_port_t -p tcp 2222 -r ""
> # echo $?
> 0
> """
> 
> Wkr, Sven Vermeulen
> 
> -- This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes
> as the message.
> 
Can you submit a patch to seobject.py which tells it to ignore the level flags
when MLS is disabled.

* Re: MLS required even when MLS is disabled?
  2013-12-08 13:22     ` Sven Vermeulen
  2013-12-09 13:51       ` Daniel J Walsh
@ 2013-12-09 14:09       ` Stephen Smalley
  1 sibling, 0 replies; 7+ messages in thread
From: Stephen Smalley @ 2013-12-09 14:09 UTC (permalink / raw)
  To: Sven Vermeulen; +Cc: selinux, Daniel J Walsh

On 12/08/2013 08:22 AM, Sven Vermeulen wrote:
> On Tue, Nov 26, 2013 at 02:08:52PM -0500, Stephen Smalley wrote:
>> Reverted.  Pushed as policycoreutils-2.2.4.
>> Will accept a new patch on next that does it conditionally under the mls
>> enabled case.
> 
> Another issue related to this one is that, when semanage is called, it sets
> the MLS level (s0) and range (s0) as default. This still triggers the MLS
> warning.
> 
> """
> def parser_add_level(parser, name):
>     parser.add_argument('-L', '--level', default='s0',
>                         help=_('Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)'))
> def parser_add_range(parser, name):
>     parser.add_argument('-r', '--range', default="s0",
>       help=_('''
> """
> 
> With policycoreutils-2.2.4:
> 
> """
> # semanage port -a -t ssh_port_t -p tcp 2222
> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found
> libsepol.context_from_record: could not create context structure (Invalid argument).
> libsepol.port_from_record: could not create port structure for range 2222:2222 (tcp) (Invalid argument).
> libsepol.sepol_port_modify: could not load port range 2222 - 2222 (tcp) (Invalid argument).
> libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
> libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
> OSError: Invalid argument
> """
> 
> If I explicitly mark the range as empty, it works:
> 
> """
> # semanage port -a -t ssh_port_t -p tcp 2222 -r ""
> # echo $?
> 0
> """

Since you seem to have non-MLS policies readily available for testing,
can you try a simple fix to take all of this initialization
under a conditional based on whether MLS is enabled?  Unfortunately this
is otherwise difficult to test on Fedora as they always enable MLS
either for MCS or MLS.





end of thread, other threads:[~2013-12-09 14:09 UTC | newest]
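
The conditional initialisation requested in the last message, sketched as an added example (not part of the thread and not policycoreutils code). `validate_context` is a constructed stand-in for the libsepol check whose error is quoted above, the parser and `port_context` are hypothetical, and `mls_enabled` is passed in rather than read from the running system.

```python
import argparse

def validate_context(context, mls_enabled):
    """Constructed stand-in for the libsepol check quoted in the thread:
    a non-MLS policy accepts user:role:type only, an MLS policy needs a 4th field."""
    fields = context.split(":", 3)          # the MLS field may itself contain ':'
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError("malformed context %r" % context)
    mls = fields[3] if len(fields) == 4 else ""
    if mls and not mls_enabled:
        raise ValueError('MLS is disabled, but MLS context "%s" found' % mls)
    if mls_enabled and not mls:
        raise ValueError("MLS is enabled, but no MLS context found")
    return context

def build_parser(mls_enabled, conditional_default):
    """Hypothetical `semanage port`-like parser, not the one in policycoreutils."""
    parser = argparse.ArgumentParser(prog="semanage-sketch")
    parser.add_argument("-t", "--type", required=True)
    if conditional_default:
        default = "s0" if mls_enabled else ""   # initialise only under MLS
    else:
        default = "s0"                          # behaviour reported in the thread
    parser.add_argument("-r", "--range", default=default)
    return parser

def port_context(argv, mls_enabled, conditional_default=True):
    """Build and validate the context a port record would carry.
    On a real system mls_enabled would come from libselinux's
    is_selinux_mls_enabled(); here it is a parameter so the sketch runs anywhere."""
    args = build_parser(mls_enabled, conditional_default).parse_args(argv)
    # With the fix, a range is ignored entirely when MLS is off.
    serange = args.range if (mls_enabled or not conditional_default) else ""
    parts = ["system_u", "object_r", args.type] + ([serange] if serange else [])
    return validate_context(":".join(parts), mls_enabled)

if __name__ == "__main__":
    print(port_context(["-t", "ssh_port_t"], mls_enabled=False))
    try:
        port_context(["-t", "ssh_port_t"], mls_enabled=False, conditional_default=False)
    except ValueError as err:
        print("unconditional default:", err)
```

With `conditional_default=False` on a non-MLS policy the call fails exactly as in the report unless `-r ""` is passed, which is the workaround shown in the thread.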
