On 10/14/2016 02:58 PM, Dominick Grift wrote:
> On 10/14/2016 08:52 PM, Dominick Grift wrote:
>> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>>> When a non-MLS policy was used with genhomedircon
>>> context_from_record() in sepol would report an error because an
>>> MLS level was present when MLS is disabled.  Based on a patch
>>> by Gary Tierney, amended to use sepol_policydb_mls_enabled
>>> rather than semanage_mls_enabled because we are testing the
>>> temporary working policy, not the active policy.
>>> 
>>> Reported-by: Jason Zaman <ja...@perfinion.com> Signed-off-by:
>>> Stephen Smalley <s...@tycho.nsa.gov> --- 
>>> libsemanage/src/genhomedircon.c | 6 +++++- 1 file changed, 5
>>> insertions(+), 1 deletion(-)
>>> 
>>> diff --git a/libsemanage/src/genhomedircon.c
>>> b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722
>>> 100644 --- a/libsemanage/src/genhomedircon.c +++
>>> b/libsemanage/src/genhomedircon.c @@ -638,7 +638,11 @@ static
>>> int write_contexts(genhomedircon_settings_t *s, FILE *out, goto
>>> fail; }
>>> 
>>> -           if (sepol_context_set_user(sepolh, context, user->sename) <
>>> 0 || +              if (sepol_context_set_user(sepolh, context,
>>> user->sename) < 0) { +                      goto fail; +            } + +   
>>>         if
>>> (sepol_policydb_mls_enabled(s->policydb) && 
>>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto
>>> fail; }
>>> 
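Review bot: the new `sepol_policydb_mls_enabled(s->policydb) &&` guard in write_contexts() has no in-code comment explaining why the working policydb is tested rather than semanage_mls_enabled(); that reasoning lives only in the commit message. A short comment above the second `if`, saying that the temporary working policy (not the active one) decides whether user->level is applied, would keep a later cleanup from swapping the call back. With the guard false, user->level is skipped silently for a non-MLS policy; if that is the intended behaviour, the same comment can say so.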
>> 
>> I could not get this to work:
>> 
>> libsemanage.validate_handler: seuser mapping [kcinimod ->
>> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or
>> directory). libsemanage.dbase_llist_iterate: could not iterate
>> over records (No such file or directory) semodule: failed!
>> 
> 
> for reference:
> 
> https://www.youtube.com/watch?v=yUAikbw5BSQ

Not sure about that, but with this patch, I could successfully do the
following:
$ cd refpolicy
$ make conf
$ make
$ sudo make install
$ sudo make load

And genhomedircon ran without complaint, and I have the expected
entries in file_contexts.homedirs.
That's with the standard policy.