* MLS required even when MLS is disabled?
From: Sven Vermeulen @ 2013-11-25 20:12 UTC
To: selinux

Hi all

I have a report that mentions that the new userspace release does not like
non-MLS policies:

# semanage fcontext -a -t swapfile_t "/swapfile"
libsepol.context_from_record: MLS is disabled, but MLS context "s0" found (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:swapfile_t:s0 specified for /swapfile [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
OSError: Invalid argument

# semanage login -a -s staff_u amade
libsemanage.validate_handler: MLS is disabled, but MLS range s0 was found for Unix user amade (No such file or directory).
libsemanage.validate_handler: seuser mapping [amade -> (staff_u, s0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
OSError: No such file or directory

Any idea what could be the cause of this?

Wkr,
	Sven Vermeulen

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: MLS required even when MLS is disabled?
From: Stephen Smalley @ 2013-11-25 20:21 UTC
To: Sven Vermeulen, selinux, Daniel J Walsh

On 11/25/2013 03:12 PM, Sven Vermeulen wrote:
> Hi all
>
> I have a report that mentions that the new userspace release does not like
> non-MLS policies:
>
> # semanage fcontext -a -t swapfile_t "/swapfile"
> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found (No such file or directory).
> libsepol.context_from_record: could not create context structure (Invalid argument).
> libsemanage.validate_handler: invalid context system_u:object_r:swapfile_t:s0 specified for /swapfile [all files] (Invalid argument).
> libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
> OSError: Invalid argument
>
> # semanage login -a -s staff_u amade
> libsemanage.validate_handler: MLS is disabled, but MLS range s0 was found for Unix user amade (No such file or directory).
> libsemanage.validate_handler: seuser mapping [amade -> (staff_u, s0)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> OSError: No such file or directory
>
> Any idea what could be the cause of this?

Probably this one.

[-- Attachment #2: 0001-If-users-of-seobject-set-serange-or-seuser-to-we-nee.patch --]
[-- Type: text/x-patch; name="0001-If-users-of-seobject-set-serange-or-seuser-to-we-nee.patch", Size: 0 bytes --]

* Re: MLS required even when MLS is disabled?
From: Stephen Smalley @ 2013-11-26 19:08 UTC
To: Sven Vermeulen, selinux, Daniel J Walsh

On 11/25/2013 03:21 PM, Stephen Smalley wrote:
> On 11/25/2013 03:12 PM, Sven Vermeulen wrote:
>> Hi all
>>
>> I have a report that mentions that the new userspace release does not like
>> non-MLS policies:
>>
>> # semanage fcontext -a -t swapfile_t "/swapfile"
>> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found (No such file or directory).
>> libsepol.context_from_record: could not create context structure (Invalid argument).
>> libsemanage.validate_handler: invalid context system_u:object_r:swapfile_t:s0 specified for /swapfile [all files] (Invalid argument).
>> libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
>> OSError: Invalid argument
>>
>> # semanage login -a -s staff_u amade
>> libsemanage.validate_handler: MLS is disabled, but MLS range s0 was found for Unix user amade (No such file or directory).
>> libsemanage.validate_handler: seuser mapping [amade -> (staff_u, s0)] is invalid (No such file or directory).
>> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
>> OSError: No such file or directory
>>
>> Any idea what could be the cause of this?
>
> Probably this one.

Reverted. Pushed as policycoreutils-2.2.4.
Will accept a new patch on next that does it conditionally under the mls
enabled case.

* Re: MLS required even when MLS is disabled?
From: Sven Vermeulen @ 2013-12-08 13:22 UTC
To: Stephen Smalley
Cc: Sven Vermeulen, selinux, Daniel J Walsh

On Tue, Nov 26, 2013 at 02:08:52PM -0500, Stephen Smalley wrote:
> Reverted. Pushed as policycoreutils-2.2.4.
> Will accept a new patch on next that does it conditionally under the mls
> enabled case.

Another issue related to this one is that, when semanage is called, it sets
the MLS level (s0) and range (s0) as default. This still triggers the MLS
warning.

"""
def parser_add_level(parser, name):
    parser.add_argument('-L', '--level', default='s0', help=_('Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)'))
def parser_add_range(parser, name):
    parser.add_argument('-r', '--range', default="s0",
                        help=_('''
"""

With policycoreutils-2.2.4:

"""
# semanage port -a -t ssh_port_t -p tcp 2222
libsepol.context_from_record: MLS is disabled, but MLS context "s0" found
libsepol.context_from_record: could not create context structure (Invalid argument).
libsepol.port_from_record: could not create port structure for range 2222:2222 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 2222 - 2222 (tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
OSError: Invalid argument
"""

If I explicitly mark the range as empty, it works:

"""
# semanage port -a -t ssh_port_t -p tcp 2222 -r ""
# echo $?
0
"""

Wkr,
	Sven Vermeulen

* Re: MLS required even when MLS is disabled?
From: Daniel J Walsh @ 2013-12-09 13:51 UTC
To: Sven Vermeulen, Stephen Smalley
Cc: selinux

On 12/08/2013 08:22 AM, Sven Vermeulen wrote:
> On Tue, Nov 26, 2013 at 02:08:52PM -0500, Stephen Smalley wrote:
>> Reverted. Pushed as policycoreutils-2.2.4. Will accept a new patch on
>> next that does it conditionally under the mls enabled case.
>
> Another issue related to this one is that, when semanage is called, it
> sets the MLS level (s0) and range (s0) as default. This still triggers the
> MLS warning.
>
> """ def parser_add_level(parser, name): parser.add_argument('-L',
> '--level', default='s0', help=_('Default SELinux Level for SELinux user, s0
> Default. (MLS/MCS Systems only)')) def parser_add_range(parser, name):
> parser.add_argument('-r', '--range', default="s0", help=_(''' """
>
> With policycoreutils-2.2.4:
>
> """ # semanage port -a -t ssh_port_t -p tcp 2222
> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found
> libsepol.context_from_record: could not create context structure (Invalid
> argument). libsepol.port_from_record: could not create port structure for
> range 2222:2222 (tcp) (Invalid argument). libsepol.sepol_port_modify: could
> not load port range 2222 - 2222 (tcp) (Invalid argument).
> libsemanage.dbase_policydb_modify: could not modify record value (Invalid
> argument). libsemanage.semanage_base_merge_components: could not merge
> local modifications into policy (Invalid argument). OSError: Invalid
> argument """
>
> If I explicitly mark the range as empty, it works:
>
> """ # semanage port -a -t ssh_port_t -p tcp 2222 -r "" # echo $? 0 """
>
> Wkr, Sven Vermeulen

Can you submit a patch to seobject.py which tells it to ignore the level flags
when MLS is disabled.

* Re: MLS required even when MLS is disabled?
From: Stephen Smalley @ 2013-12-09 14:09 UTC
To: Sven Vermeulen
Cc: selinux, Daniel J Walsh

On 12/08/2013 08:22 AM, Sven Vermeulen wrote:
> On Tue, Nov 26, 2013 at 02:08:52PM -0500, Stephen Smalley wrote:
>> Reverted. Pushed as policycoreutils-2.2.4.
>> Will accept a new patch on next that does it conditionally under the mls
>> enabled case.
>
> Another issue related to this one is that, when semanage is called, it sets
> the MLS level (s0) and range (s0) as default. This still triggers the MLS
> warning.
>
> """
> def parser_add_level(parser, name):
>     parser.add_argument('-L', '--level', default='s0', help=_('Default
> SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)'))
> def parser_add_range(parser, name):
>     parser.add_argument('-r', '--range', default="s0",
>                         help=_('''
> """
>
> With policycoreutils-2.2.4:
>
> """
> # semanage port -a -t ssh_port_t -p tcp 2222
> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found
> libsepol.context_from_record: could not create context structure (Invalid argument).
> libsepol.port_from_record: could not create port structure for range 2222:2222 (tcp) (Invalid argument).
> libsepol.sepol_port_modify: could not load port range 2222 - 2222 (tcp) (Invalid argument).
> libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
> libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
> OSError: Invalid argument
> """
>
> If I explicitly mark the range as empty, it works:
>
> """
> # semanage port -a -t ssh_port_t -p tcp 2222 -r ""
> # echo $?
> 0
> """

Since you seem to have non-MLS policies readily available for testing,
can you try a simple fix to take all of this initialization under a
conditional based on whether MLS is enabled? Unfortunately this is
otherwise difficult to test on Fedora as they always enable MLS either
for MCS or MLS.

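Added example, not part of the thread and not the policycoreutils source: a sketch of the conditional initialization asked for in the two replies above, where the `-r` default is "s0" only on an MLS/MCS policy and the range field is left out of the context otherwise. The names `mls_enabled`, `build_parser` and `port_context` are hypothetical, the `system_u:object_r:<type>` prefix is modelled on the context in the quoted log, and MLS state is read from the selinuxfs `mls` node.

```python
import argparse


def mls_enabled(selinuxfs="/sys/fs/selinux"):
    """True when the loaded policy has MLS enabled (selinuxfs 'mls' node reads 1)."""
    try:
        with open(f"{selinuxfs}/mls") as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False  # assumption: no selinuxfs mounted is treated as non-MLS


def build_parser(mls):
    """Hypothetical stand-in for the 'semanage port' options quoted in the thread."""
    p = argparse.ArgumentParser(prog="semanage-port-sketch")
    p.add_argument("-t", "--type", required=True)
    p.add_argument("-p", "--proto", required=True)
    # Default to "s0" only when the policy can actually hold an MLS range.
    p.add_argument("-r", "--range", default="s0" if mls else "")
    p.add_argument("port")
    return p


def port_context(args, mls):
    """Build the record's context; the range field is ignored on a non-MLS policy."""
    fields = ["system_u", "object_r", args.type]
    if mls:
        fields.append(args.range or "s0")
    return ":".join(fields)


if __name__ == "__main__":
    argv = ["-t", "ssh_port_t", "-p", "tcp", "2222"]  # constructed sample input
    for mls in (False, True):
        args = build_parser(mls).parse_args(argv)
        print("mls" if mls else "non-mls", port_context(args, mls))
```

On a real system the flag passed to both functions would come from `mls_enabled()`; it is a parameter here so both policy types can be exercised on one machine.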
* Re: MLS required even when MLS is disabled?
From: Daniel J Walsh @ 2013-11-25 21:18 UTC
To: Sven Vermeulen, selinux

On 11/25/2013 03:12 PM, Sven Vermeulen wrote:
> Hi all
>
> I have a report that mentions that the new userspace release does not like
> non-MLS policies:
>
> # semanage fcontext -a -t swapfile_t "/swapfile"
> libsepol.context_from_record: MLS is disabled, but MLS context "s0" found
> (No such file or directory). libsepol.context_from_record: could not create
> context structure (Invalid argument). libsemanage.validate_handler: invalid
> context system_u:object_r:swapfile_t:s0 specified for /swapfile [all files]
> (Invalid argument). libsemanage.dbase_llist_iterate: could not iterate over
> records (Invalid argument). OSError: Invalid argument
>
> # semanage login -a -s staff_u amade libsemanage.validate_handler: MLS is
> disabled, but MLS range s0 was found for Unix user amade (No such file or
> directory). libsemanage.validate_handler: seuser mapping [amade ->
> (staff_u, s0)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such
> file or directory). OSError: No such file or directory
>

Could be a bug in seobject.py

> Any idea what could be the cause of this?
>
> Wkr, Sven Vermeulen
