On 10/14/2016 08:52 PM, Dominick Grift wrote:
> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>> When a non-MLS policy was used with genhomedircon context_from_record()
>> in sepol would report an error because an MLS level was present when MLS
>> is disabled.  Based on a patch by Gary Tierney, amended to use
>> sepol_policydb_mls_enabled rather than semanage_mls_enabled because
>> we are testing the temporary working policy, not the active policy.
>>
>> Reported-by: Jason Zaman <ja...@perfinion.com>
>> Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
>> ---
>>  libsemanage/src/genhomedircon.c | 6 +++++-
>>  1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/libsemanage/src/genhomedircon.c 
>> b/libsemanage/src/genhomedircon.c
>> index 6991fff..5e9d722 100644
>> --- a/libsemanage/src/genhomedircon.c
>> +++ b/libsemanage/src/genhomedircon.c
>> @@ -638,7 +638,11 @@ static int write_contexts(genhomedircon_settings_t *s, 
>> FILE *out,
>>                      goto fail;
>>              }
>>  
>> -            if (sepol_context_set_user(sepolh, context, user->sename) < 0 ||
>> +            if (sepol_context_set_user(sepolh, context, user->sename) < 0) {
>> +                    goto fail;
>> +            }
>> +
>> +            if (sepol_policydb_mls_enabled(s->policydb) &&
>>                  sepol_context_set_mls(sepolh, context, user->level) < 0) {
>>                      goto fail;
>>              }
>>
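Review bot: the new sepol_policydb_mls_enabled(s->policydb) guard in write_contexts() carries no comment explaining why the working policydb is tested rather than semanage_mls_enabled(). That rationale exists only in the commit message, so a short comment above the check would keep a later cleanup from swapping it back. The hunk also does not show that s->policydb is guaranteed to be set before this point, so it is worth confirming it cannot be NULL here. With a non-MLS policy user->level is now skipped without any message, which matches the stated intent but could be noted in the same comment.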
> 
> I could not get this to work:
> 
> libsemanage.validate_handler: seuser mapping [kcinimod -> (wheel.id,
> s0-s0:c0.c1023)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such
> file or directory)
> semodule: failed!
> 

for reference:

https://www.youtube.com/watch?v=yUAikbw5BSQ

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
