* [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled
@ 2016-10-14 17:40 Stephen Smalley
  2016-10-14 18:52 ` Dominick Grift
From: Stephen Smalley @ 2016-10-14 17:40 UTC (permalink / raw)
  To: selinux; +Cc: dac.override, gary.tierney, Stephen Smalley

When a non-MLS policy was used with genhomedircon context_from_record()
in sepol would report an error because an MLS level was present when MLS
is disabled.  Based on a patch by Gary Tierney, amended to use
sepol_policydb_mls_enabled rather than semanage_mls_enabled because
we are testing the temporary working policy, not the active policy.

Reported-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 libsemanage/src/genhomedircon.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index 6991fff..5e9d722 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -638,7 +638,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out,
 			goto fail;
 		}
 
-		if (sepol_context_set_user(sepolh, context, user->sename) < 0 ||
+		if (sepol_context_set_user(sepolh, context, user->sename) < 0) {
+			goto fail;
+		}
+
+		if (sepol_policydb_mls_enabled(s->policydb) &&
 		    sepol_context_set_mls(sepolh, context, user->level) < 0) {
 			goto fail;
 		}
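Review bot: with the guard `if (sepol_policydb_mls_enabled(s->policydb) &&` a non-empty `user->level` is dropped without any diagnostic when the working policy has no MLS, so a seusers record that still carries a range from an earlier MLS policy yields a context that is silently missing it; consider a debug or warning message in the non-MLS case when `user->level` is set, so an operator can tell an ignored range from an absent one. Since the commit message stresses that `s->policydb` is the temporary working policy rather than the active policy, a one-line comment above the check saying so would also keep a later reader from "simplifying" it back to semanage_mls_enabled.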
-- 
2.7.4


* Re: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled
  2016-10-14 17:40 [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled Stephen Smalley
@ 2016-10-14 18:52 ` Dominick Grift
  2016-10-14 18:58   ` Dominick Grift
  2016-10-14 18:59   ` Stephen Smalley
From: Dominick Grift @ 2016-10-14 18:52 UTC (permalink / raw)
  To: Stephen Smalley, selinux



On 10/14/2016 07:40 PM, Stephen Smalley wrote:
> When a non-MLS policy was used with genhomedircon context_from_record()
> in sepol would report an error because an MLS level was present when MLS
> is disabled.  Based on a patch by Gary Tierney, amended to use
> sepol_policydb_mls_enabled rather than semanage_mls_enabled because
> we are testing the temporary working policy, not the active policy.
> 
> Reported-by: Jason Zaman <jason@perfinion.com>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>  libsemanage/src/genhomedircon.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
> index 6991fff..5e9d722 100644
> --- a/libsemanage/src/genhomedircon.c
> +++ b/libsemanage/src/genhomedircon.c
> @@ -638,7 +638,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out,
>  			goto fail;
>  		}
>  
> -		if (sepol_context_set_user(sepolh, context, user->sename) < 0 ||
> +		if (sepol_context_set_user(sepolh, context, user->sename) < 0) {
> +			goto fail;
> +		}
> +
> +		if (sepol_policydb_mls_enabled(s->policydb) &&
>  		    sepol_context_set_mls(sepolh, context, user->level) < 0) {
>  			goto fail;
>  		}
> 

I could not get this to work:

libsemanage.validate_handler: seuser mapping [kcinimod -> (wheel.id,
s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such
file or directory)
semodule: failed!

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* Re: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled
  2016-10-14 18:52 ` Dominick Grift
@ 2016-10-14 18:58   ` Dominick Grift
  2016-10-14 19:08     ` Stephen Smalley
  2016-10-14 18:59   ` Stephen Smalley
From: Dominick Grift @ 2016-10-14 18:58 UTC (permalink / raw)
  To: Stephen Smalley, selinux



On 10/14/2016 08:52 PM, Dominick Grift wrote:
> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>> When a non-MLS policy was used with genhomedircon context_from_record()
>> in sepol would report an error because an MLS level was present when MLS
>> is disabled.  Based on a patch by Gary Tierney, amended to use
>> sepol_policydb_mls_enabled rather than semanage_mls_enabled because
>> we are testing the temporary working policy, not the active policy.
>>
>> Reported-by: Jason Zaman <jason@perfinion.com>
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>>  libsemanage/src/genhomedircon.c | 6 +++++-
>>  1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
>> index 6991fff..5e9d722 100644
>> --- a/libsemanage/src/genhomedircon.c
>> +++ b/libsemanage/src/genhomedircon.c
>> @@ -638,7 +638,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out,
>>  			goto fail;
>>  		}
>>  
>> -		if (sepol_context_set_user(sepolh, context, user->sename) < 0 ||
>> +		if (sepol_context_set_user(sepolh, context, user->sename) < 0) {
>> +			goto fail;
>> +		}
>> +
>> +		if (sepol_policydb_mls_enabled(s->policydb) &&
>>  		    sepol_context_set_mls(sepolh, context, user->level) < 0) {
>>  			goto fail;
>>  		}
>>
> 
> I could not get this to work:
> 
> libsemanage.validate_handler: seuser mapping [kcinimod -> (wheel.id,
> s0-s0:c0.c1023)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such
> file or directory)
> semodule: failed!
> 

for reference:

https://www.youtube.com/watch?v=yUAikbw5BSQ

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* Re: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled
  2016-10-14 18:52 ` Dominick Grift
  2016-10-14 18:58   ` Dominick Grift
@ 2016-10-14 18:59   ` Stephen Smalley
From: Stephen Smalley @ 2016-10-14 18:59 UTC (permalink / raw)
  To: Dominick Grift, selinux

On 10/14/2016 02:52 PM, Dominick Grift wrote:
> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>> When a non-MLS policy was used with genhomedircon
>> context_from_record() in sepol would report an error because an
>> MLS level was present when MLS is disabled.  Based on a patch by
>> Gary Tierney, amended to use sepol_policydb_mls_enabled rather
>> than semanage_mls_enabled because we are testing the temporary
>> working policy, not the active policy.
>> 
>> Reported-by: Jason Zaman <jason@perfinion.com> Signed-off-by:
>> Stephen Smalley <sds@tycho.nsa.gov> --- 
>> libsemanage/src/genhomedircon.c | 6 +++++- 1 file changed, 5
>> insertions(+), 1 deletion(-)
>> 
>> diff --git a/libsemanage/src/genhomedircon.c
>> b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722 100644 
>> --- a/libsemanage/src/genhomedircon.c +++
>> b/libsemanage/src/genhomedircon.c @@ -638,7 +638,11 @@ static int
>> write_contexts(genhomedircon_settings_t *s, FILE *out, goto
>> fail; }
>> 
>> -		if (sepol_context_set_user(sepolh, context, user->sename) < 0
>> || +		if (sepol_context_set_user(sepolh, context, user->sename) <
>> 0) { +			goto fail; +		} + +		if
>> (sepol_policydb_mls_enabled(s->policydb) && 
>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto
>> fail; }
>> 
> 
> I could not get this to work:
> 
> libsemanage.validate_handler: seuser mapping [kcinimod ->
> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or
> directory). libsemanage.dbase_llist_iterate: could not iterate over
> records (No such file or directory) semodule: failed!

I don't see what that error has to do with the patch in question.
Is this a separate problem with using non-MLS policies?


* Re: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled
  2016-10-14 18:58   ` Dominick Grift
@ 2016-10-14 19:08     ` Stephen Smalley
  2016-10-14 19:09       ` Dominick Grift
From: Stephen Smalley @ 2016-10-14 19:08 UTC (permalink / raw)
  To: Dominick Grift, selinux

On 10/14/2016 02:58 PM, Dominick Grift wrote:
> On 10/14/2016 08:52 PM, Dominick Grift wrote:
>> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>>> When a non-MLS policy was used with genhomedircon
>>> context_from_record() in sepol would report an error because an
>>> MLS level was present when MLS is disabled.  Based on a patch
>>> by Gary Tierney, amended to use sepol_policydb_mls_enabled
>>> rather than semanage_mls_enabled because we are testing the
>>> temporary working policy, not the active policy.
>>> 
>>> Reported-by: Jason Zaman <jason@perfinion.com> Signed-off-by:
>>> Stephen Smalley <sds@tycho.nsa.gov> --- 
>>> libsemanage/src/genhomedircon.c | 6 +++++- 1 file changed, 5
>>> insertions(+), 1 deletion(-)
>>> 
>>> diff --git a/libsemanage/src/genhomedircon.c
>>> b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722
>>> 100644 --- a/libsemanage/src/genhomedircon.c +++
>>> b/libsemanage/src/genhomedircon.c @@ -638,7 +638,11 @@ static
>>> int write_contexts(genhomedircon_settings_t *s, FILE *out, goto
>>> fail; }
>>> 
>>> -		if (sepol_context_set_user(sepolh, context, user->sename) <
>>> 0 || +		if (sepol_context_set_user(sepolh, context,
>>> user->sename) < 0) { +			goto fail; +		} + +		if
>>> (sepol_policydb_mls_enabled(s->policydb) && 
>>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto
>>> fail; }
>>> 
>> 
>> I could not get this to work:
>> 
>> libsemanage.validate_handler: seuser mapping [kcinimod ->
>> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or
>> directory). libsemanage.dbase_llist_iterate: could not iterate
>> over records (No such file or directory) semodule: failed!
>> 
> 
> for reference:
> 
> https://www.youtube.com/watch?v=yUAikbw5BSQ

Not sure about that, but with this patch, I could successfully do the
following:
$ cd refpolicy
$ make conf
$ make
$ sudo make install
$ sudo make load

And genhomedircon ran without complaint, and I have the expected
entries in file_contexts.homedirs.
That's with the standard policy.


* Re: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled
  2016-10-14 19:08     ` Stephen Smalley
@ 2016-10-14 19:09       ` Dominick Grift
  2016-10-14 19:17         ` Dominick Grift
From: Dominick Grift @ 2016-10-14 19:09 UTC (permalink / raw)
  To: Stephen Smalley, selinux



On 10/14/2016 09:08 PM, Stephen Smalley wrote:
> On 10/14/2016 02:58 PM, Dominick Grift wrote:
>> On 10/14/2016 08:52 PM, Dominick Grift wrote:
>>> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>>>> When a non-MLS policy was used with genhomedircon
>>>> context_from_record() in sepol would report an error because an
>>>> MLS level was present when MLS is disabled.  Based on a patch
>>>> by Gary Tierney, amended to use sepol_policydb_mls_enabled
>>>> rather than semanage_mls_enabled because we are testing the
>>>> temporary working policy, not the active policy.
>>>>
>>>> Reported-by: Jason Zaman <jason@perfinion.com> Signed-off-by:
>>>> Stephen Smalley <sds@tycho.nsa.gov> --- 
>>>> libsemanage/src/genhomedircon.c | 6 +++++- 1 file changed, 5
>>>> insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/libsemanage/src/genhomedircon.c
>>>> b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722
>>>> 100644 --- a/libsemanage/src/genhomedircon.c +++
>>>> b/libsemanage/src/genhomedircon.c @@ -638,7 +638,11 @@ static
>>>> int write_contexts(genhomedircon_settings_t *s, FILE *out, goto
>>>> fail; }
>>>>
>>>> -		if (sepol_context_set_user(sepolh, context, user->sename) <
>>>> 0 || +		if (sepol_context_set_user(sepolh, context,
>>>> user->sename) < 0) { +			goto fail; +		} + +		if
>>>> (sepol_policydb_mls_enabled(s->policydb) && 
>>>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto
>>>> fail; }
>>>>
>>>
>>> I could not get this to work:
>>>
>>> libsemanage.validate_handler: seuser mapping [kcinimod ->
>>> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or
>>> directory). libsemanage.dbase_llist_iterate: could not iterate
>>> over records (No such file or directory) semodule: failed!
>>>
>>
>> for reference:
>>
>> https://www.youtube.com/watch?v=yUAikbw5BSQ
> 
> Not sure about that, but with this patch, I could successfully do the
> following:
> $ cd refpolicy
> $ make conf
> $ make
> $ sudo make install
> $ sudo make load
> 
> And genhomedircon ran without complaint, and I have the expected
> entries in file_contexts.homedirs.
> That's with the standard policy.
> 

OK, that's good enough for me. I admit I just upgraded my systems and
made major changes to my policy, so it may just be me.


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* Re: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled
  2016-10-14 19:09       ` Dominick Grift
@ 2016-10-14 19:17         ` Dominick Grift
  2016-10-14 19:26           ` Dominick Grift
From: Dominick Grift @ 2016-10-14 19:17 UTC (permalink / raw)
  To: Stephen Smalley, selinux



On 10/14/2016 09:09 PM, Dominick Grift wrote:
> On 10/14/2016 09:08 PM, Stephen Smalley wrote:
>> On 10/14/2016 02:58 PM, Dominick Grift wrote:
>>> On 10/14/2016 08:52 PM, Dominick Grift wrote:
>>>> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>>>>> When a non-MLS policy was used with genhomedircon
>>>>> context_from_record() in sepol would report an error because an
>>>>> MLS level was present when MLS is disabled.  Based on a patch
>>>>> by Gary Tierney, amended to use sepol_policydb_mls_enabled
>>>>> rather than semanage_mls_enabled because we are testing the
>>>>> temporary working policy, not the active policy.
>>>>>
>>>>> Reported-by: Jason Zaman <jason@perfinion.com> Signed-off-by:
>>>>> Stephen Smalley <sds@tycho.nsa.gov> --- 
>>>>> libsemanage/src/genhomedircon.c | 6 +++++- 1 file changed, 5
>>>>> insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/libsemanage/src/genhomedircon.c
>>>>> b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722
>>>>> 100644 --- a/libsemanage/src/genhomedircon.c +++
>>>>> b/libsemanage/src/genhomedircon.c @@ -638,7 +638,11 @@ static
>>>>> int write_contexts(genhomedircon_settings_t *s, FILE *out, goto
>>>>> fail; }
>>>>>
>>>>> -		if (sepol_context_set_user(sepolh, context, user->sename) <
>>>>> 0 || +		if (sepol_context_set_user(sepolh, context,
>>>>> user->sename) < 0) { +			goto fail; +		} + +		if
>>>>> (sepol_policydb_mls_enabled(s->policydb) && 
>>>>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto
>>>>> fail; }
>>>>>
>>>>
>>>> I could not get this to work:
>>>>
>>>> libsemanage.validate_handler: seuser mapping [kcinimod ->
>>>> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or
>>>> directory). libsemanage.dbase_llist_iterate: could not iterate
>>>> over records (No such file or directory) semodule: failed!
>>>>
>>>
>>> for reference:
>>>
>>> https://www.youtube.com/watch?v=yUAikbw5BSQ
>>
>> Not sure about that, but with this patch, I could successfully do the
>> following:
>> $ cd refpolicy
>> $ make conf
>> $ make
>> $ sudo make install
>> $ sudo make load
>>
>> And genhomedircon ran without complaint, and I have the expected
>> entries in file_contexts.homedirs.
>> That's with the standard policy.
>>
> 
> OK, that's good enough for me. I admit I just upgraded my systems and
> made major changes to my policy, so it may just be me.
> 
> 

I might just be wrong, but I think it has to do with how CIL
allows you to deal with seusers in policy (defaultselinuxuser and selinuxuser).

I think that is where it conflicts. Basically, I suspect that it hasn't
dealt with generating the seusers file yet, and so it looks there and
sees a range in a non-MCS policy.

So I suspect that this is an issue; it's just not noticeable with
refpolicy because refpolicy copies its own seusers file.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* Re: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled
  2016-10-14 19:17         ` Dominick Grift
@ 2016-10-14 19:26           ` Dominick Grift
  2016-10-14 19:54             ` James Carter
From: Dominick Grift @ 2016-10-14 19:26 UTC (permalink / raw)
  To: Stephen Smalley, selinux; +Cc: jwcart2



On 10/14/2016 09:17 PM, Dominick Grift wrote:
> On 10/14/2016 09:09 PM, Dominick Grift wrote:
>> On 10/14/2016 09:08 PM, Stephen Smalley wrote:
>>> On 10/14/2016 02:58 PM, Dominick Grift wrote:
>>>> On 10/14/2016 08:52 PM, Dominick Grift wrote:
>>>>> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>>>>>> When a non-MLS policy was used with genhomedircon
>>>>>> context_from_record() in sepol would report an error because an
>>>>>> MLS level was present when MLS is disabled.  Based on a patch
>>>>>> by Gary Tierney, amended to use sepol_policydb_mls_enabled
>>>>>> rather than semanage_mls_enabled because we are testing the
>>>>>> temporary working policy, not the active policy.
>>>>>>
>>>>>> Reported-by: Jason Zaman <jason@perfinion.com> Signed-off-by:
>>>>>> Stephen Smalley <sds@tycho.nsa.gov> --- 
>>>>>> libsemanage/src/genhomedircon.c | 6 +++++- 1 file changed, 5
>>>>>> insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/libsemanage/src/genhomedircon.c
>>>>>> b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722
>>>>>> 100644 --- a/libsemanage/src/genhomedircon.c +++
>>>>>> b/libsemanage/src/genhomedircon.c @@ -638,7 +638,11 @@ static
>>>>>> int write_contexts(genhomedircon_settings_t *s, FILE *out, goto
>>>>>> fail; }
>>>>>>
>>>>>> -		if (sepol_context_set_user(sepolh, context, user->sename) <
>>>>>> 0 || +		if (sepol_context_set_user(sepolh, context,
>>>>>> user->sename) < 0) { +			goto fail; +		} + +		if
>>>>>> (sepol_policydb_mls_enabled(s->policydb) && 
>>>>>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto
>>>>>> fail; }
>>>>>>
>>>>>
>>>>> I could not get this to work:
>>>>>
>>>>> libsemanage.validate_handler: seuser mapping [kcinimod ->
>>>>> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or
>>>>> directory). libsemanage.dbase_llist_iterate: could not iterate
>>>>> over records (No such file or directory) semodule: failed!
>>>>>
>>>>
>>>> for reference:
>>>>
>>>> https://www.youtube.com/watch?v=yUAikbw5BSQ
>>>
>>> Not sure about that, but with this patch, I could successfully do the
>>> following:
>>> $ cd refpolicy
>>> $ make conf
>>> $ make
>>> $ sudo make install
>>> $ sudo make load
>>>
>>> And genhomedircon ran without complaint, and I have the expected
>>> entries in file_contexts.homedirs.
>>> That's with the standard policy.
>>>
>>
>> OK, that's good enough for me. I admit I just upgraded my systems and
>> made major changes to my policy, so it may just be me.
>>
>>
> 
> I might just be wrong, but I think it has to do with how CIL
> allows you to deal with seusers in policy (defaultselinuxuser and selinuxuser).
> 
> I think that is where it conflicts. Basically, I suspect that it hasn't
> dealt with generating the seusers file yet, and so it looks there and
> sees a range in a non-MCS policy.
> 
> So I suspect that this is an issue; it's just not noticeable with
> refpolicy because refpolicy copies its own seusers file.
> 

I think the CIL people might be able to shed some light on this, so I'm CCing
jwcart2.

In particular, how "selinuxuser and defaultselinuxuser" could affect or
be affected by this patch.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* Re: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled
  2016-10-14 19:26           ` Dominick Grift
@ 2016-10-14 19:54             ` James Carter
  2016-10-14 20:00               ` Dominick Grift
  2016-10-15  8:17               ` Dominick Grift
From: James Carter @ 2016-10-14 19:54 UTC (permalink / raw)
  To: Dominick Grift, Stephen Smalley, selinux; +Cc: jwcart2

On 10/14/2016 03:26 PM, Dominick Grift wrote:
> On 10/14/2016 09:17 PM, Dominick Grift wrote:
>> On 10/14/2016 09:09 PM, Dominick Grift wrote:
>>> On 10/14/2016 09:08 PM, Stephen Smalley wrote:
>>>> On 10/14/2016 02:58 PM, Dominick Grift wrote:
>>>>> On 10/14/2016 08:52 PM, Dominick Grift wrote:
>>>>>> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>>>>>>> When a non-MLS policy was used with genhomedircon
>>>>>>> context_from_record() in sepol would report an error because an
>>>>>>> MLS level was present when MLS is disabled.  Based on a patch
>>>>>>> by Gary Tierney, amended to use sepol_policydb_mls_enabled
>>>>>>> rather than semanage_mls_enabled because we are testing the
>>>>>>> temporary working policy, not the active policy.
>>>>>>>
>>>>>>> Reported-by: Jason Zaman <jason@perfinion.com> Signed-off-by:
>>>>>>> Stephen Smalley <sds@tycho.nsa.gov> ---
>>>>>>> libsemanage/src/genhomedircon.c | 6 +++++- 1 file changed, 5
>>>>>>> insertions(+), 1 deletion(-)
>>>>>>>
>>>>>>> diff --git a/libsemanage/src/genhomedircon.c
>>>>>>> b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722
>>>>>>> 100644 --- a/libsemanage/src/genhomedircon.c +++
>>>>>>> b/libsemanage/src/genhomedircon.c @@ -638,7 +638,11 @@ static
>>>>>>> int write_contexts(genhomedircon_settings_t *s, FILE *out, goto
>>>>>>> fail; }
>>>>>>>
>>>>>>> -		if (sepol_context_set_user(sepolh, context, user->sename) <
>>>>>>> 0 || +		if (sepol_context_set_user(sepolh, context,
>>>>>>> user->sename) < 0) { +			goto fail; +		} + +		if
>>>>>>> (sepol_policydb_mls_enabled(s->policydb) &&
>>>>>>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto
>>>>>>> fail; }
>>>>>>>
>>>>>>
>>>>>> I could not get this to work:
>>>>>>
>>>>>> libsemanage.validate_handler: seuser mapping [kcinimod ->
>>>>>> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or
>>>>>> directory). libsemanage.dbase_llist_iterate: could not iterate
>>>>>> over records (No such file or directory) semodule: failed!
>>>>>>
>>>>>
>>>>> for reference:
>>>>>
>>>>> https://www.youtube.com/watch?v=yUAikbw5BSQ
>>>>
>>>> Not sure about that, but with this patch, I could successfully do the
>>>> following:
>>>> $ cd refpolicy
>>>> $ make conf
>>>> $ make
>>>> $ sudo make install
>>>> $ sudo make load
>>>>
>>>> And genhomedircon ran without complaint, and I have the expected
>>>> entries in file_contexts.homedirs.
>>>> That's with the standard policy.
>>>>
>>>
>>> OK, that's good enough for me. I admit I just upgraded my systems and
>>> made major changes to my policy, so it may just be me.
>>>
>>>
>>
>> I might just be wrong, but I think it has to do with how CIL
>> allows you to deal with seusers in policy (defaultselinuxuser and selinuxuser).
>>
>> I think that is where it conflicts. Basically, I suspect that it hasn't
>> dealt with generating the seusers file yet, and so it looks there and
>> sees a range in a non-MCS policy.
>>
>> So I suspect that this is an issue; it's just not noticeable with
>> refpolicy because refpolicy copies its own seusers file.
>>
>
> I think the CIL people might be able to shed some light on this, so I'm CCing
> jwcart2.
>
> In particular, how "selinuxuser and defaultselinuxuser" could affect or
> be affected by this patch.
>

They won't be affected. cil_selinuxusers_to_string() will only print the MLS 
parts if an MLS policy is specified.

Jim

>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

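The two behaviours discussed in this thread, genhomedircon attaching a level to the home directory context only when the working policy is MLS (the patch at the top) and cil_selinuxusers_to_string() printing the MLS part of an seusers record only for an MLS policy (Jim's reply above), modelled in plain C as an added example. This is not libsepol, libsemanage or CIL code: the record layout, the mls_enabled flag standing in for sepol_policydb_mls_enabled(), the role object_r and the type user_home_dir_t are assumptions, and the seusers line is constructed from the mapping in the error message Dominick quoted. The parser also flags the case Dominick describes, a record that still carries a range although the policy has no MLS, rather than silently using it.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not libsepol/libsemanage/CIL code.  struct seuser_rec and
 * the mls_enabled flag (standing in for sepol_policydb_mls_enabled()) are
 * assumptions made for illustration.
 */
struct seuser_rec {
	const char *name;	/* Linux login, e.g. "kcinimod" */
	const char *sename;	/* SELinux user, e.g. "wheel.id" */
	const char *level;	/* MLS range, NULL or "" when absent */
};

static int has_level(const struct seuser_rec *u)
{
	return u->level != NULL && u->level[0] != '\0';
}

/*
 * Parse "login:seuser[:range]" into u, copying the line into buf so the
 * fields can be NUL-terminated in place.  The range itself contains colons
 * ("s0-s0:c0.c1023"), so only the first two separators are cut.
 * Returns 0 on success, 1 when the record carries a range although MLS is
 * disabled (the stale-seusers case from the thread), -1 on bad input.
 */
int parse_seusers_line(const char *line, int mls_enabled,
		       struct seuser_rec *u, char *buf, size_t buflen)
{
	size_t len = strlen(line);
	char *sep1, *sep2;

	if (len + 1 > buflen)
		return -1;
	memcpy(buf, line, len + 1);
	sep1 = strchr(buf, ':');
	if (sep1 == NULL)
		return -1;
	*sep1 = '\0';
	u->name = buf;
	u->sename = sep1 + 1;
	sep2 = strchr(u->sename, ':');
	if (sep2 != NULL) {
		*sep2 = '\0';
		u->level = sep2 + 1;
	} else {
		u->level = NULL;
	}
	if (u->name[0] == '\0' || u->sename[0] == '\0')
		return -1;
	return (!mls_enabled && has_level(u)) ? 1 : 0;
}

/*
 * Home directory context as genhomedircon's write_contexts() builds it
 * after the patch: the level is attached only when the policy has MLS.
 * Returns 0 on success, -1 if out is too small.
 */
int build_home_context(const struct seuser_rec *u, const char *role,
		       const char *type, int mls_enabled,
		       char *out, size_t outlen)
{
	int n;

	if (mls_enabled && has_level(u))
		n = snprintf(out, outlen, "%s:%s:%s:%s",
			     u->sename, role, type, u->level);
	else
		n = snprintf(out, outlen, "%s:%s:%s", u->sename, role, type);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/*
 * One seusers line as cil_selinuxusers_to_string() is described emitting
 * it: the range is written only for an MLS policy.
 */
int format_seusers_line(const struct seuser_rec *u, int mls_enabled,
			char *out, size_t outlen)
{
	int n;

	if (mls_enabled && has_level(u))
		n = snprintf(out, outlen, "%s:%s:%s",
			     u->name, u->sename, u->level);
	else
		n = snprintf(out, outlen, "%s:%s", u->name, u->sename);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
	/* Constructed from the mapping in the error quoted in the thread. */
	const char *line = "kcinimod:wheel.id:s0-s0:c0.c1023";
	struct seuser_rec u;
	char buf[128], ctx[256], seusers[256];
	int mls;

	for (mls = 1; mls >= 0; mls--) {
		int rc = parse_seusers_line(line, mls, &u, buf, sizeof buf);

		if (rc < 0)
			return 1;
		if (rc == 1)
			printf("warning: range %s ignored, policy has no MLS\n", u.level);
		build_home_context(&u, "object_r", "user_home_dir_t", mls, ctx, sizeof ctx);
		format_seusers_line(&u, mls, seusers, sizeof seusers);
		printf("mls=%d  seusers: %-34s  homedir: %s\n", mls, seusers, ctx);
	}
	return 0;
}
```

Running it once with MLS on and once with it off shows the same record producing `wheel.id:object_r:user_home_dir_t:s0-s0:c0.c1023` and `wheel.id:object_r:user_home_dir_t` respectively, and the second pass warns that the stored range was ignored, which is the diagnostic the patch itself does not print.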

* Re: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled
  2016-10-14 19:54             ` James Carter
@ 2016-10-14 20:00               ` Dominick Grift
  2016-10-15  8:17               ` Dominick Grift
From: Dominick Grift @ 2016-10-14 20:00 UTC (permalink / raw)
  To: James Carter, Stephen Smalley, selinux; +Cc: jwcart2



On 10/14/2016 09:54 PM, James Carter wrote:
> On 10/14/2016 03:26 PM, Dominick Grift wrote:
>> On 10/14/2016 09:17 PM, Dominick Grift wrote:
>>> On 10/14/2016 09:09 PM, Dominick Grift wrote:
>>>> On 10/14/2016 09:08 PM, Stephen Smalley wrote:
>>>>> On 10/14/2016 02:58 PM, Dominick Grift wrote:
>>>>>> On 10/14/2016 08:52 PM, Dominick Grift wrote:
>>>>>>> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>>>>>>>> When a non-MLS policy was used with genhomedircon
>>>>>>>> context_from_record() in sepol would report an error because an
>>>>>>>> MLS level was present when MLS is disabled.  Based on a patch
>>>>>>>> by Gary Tierney, amended to use sepol_policydb_mls_enabled
>>>>>>>> rather than semanage_mls_enabled because we are testing the
>>>>>>>> temporary working policy, not the active policy.
>>>>>>>>
>>>>>>>> Reported-by: Jason Zaman <jason@perfinion.com> Signed-off-by:
>>>>>>>> Stephen Smalley <sds@tycho.nsa.gov> ---
>>>>>>>> libsemanage/src/genhomedircon.c | 6 +++++- 1 file changed, 5
>>>>>>>> insertions(+), 1 deletion(-)
>>>>>>>>
>>>>>>>> diff --git a/libsemanage/src/genhomedircon.c
>>>>>>>> b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722
>>>>>>>> 100644 --- a/libsemanage/src/genhomedircon.c +++
>>>>>>>> b/libsemanage/src/genhomedircon.c @@ -638,7 +638,11 @@ static
>>>>>>>> int write_contexts(genhomedircon_settings_t *s, FILE *out, goto
>>>>>>>> fail; }
>>>>>>>>
>>>>>>>> -        if (sepol_context_set_user(sepolh, context,
>>>>>>>> user->sename) <
>>>>>>>> 0 || +        if (sepol_context_set_user(sepolh, context,
>>>>>>>> user->sename) < 0) { +            goto fail; +        } +
>>>>>>>> +        if
>>>>>>>> (sepol_policydb_mls_enabled(s->policydb) &&
>>>>>>>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto
>>>>>>>> fail; }
>>>>>>>>
>>>>>>>
>>>>>>> I could not get this to work:
>>>>>>>
>>>>>>> libsemanage.validate_handler: seuser mapping [kcinimod ->
>>>>>>> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or
>>>>>>> directory). libsemanage.dbase_llist_iterate: could not iterate
>>>>>>> over records (No such file or directory) semodule: failed!
>>>>>>>
>>>>>>
>>>>>> for reference:
>>>>>>
>>>>>> https://www.youtube.com/watch?v=yUAikbw5BSQ
>>>>>
>>>>> Not sure about that, but with this patch, I could successfully do the
>>>>> following:
>>>>> $ cd refpolicy
>>>>> $ make conf
>>>>> $ make
>>>>> $ sudo make install
>>>>> $ sudo make load
>>>>>
>>>>> And genhomedircon ran without complaint, and I have the expected
>>>>> entries in file_contexts.homedirs.
>>>>> That's with the standard policy.
>>>>>
>>>>
>>>> OK, that's good enough for me. I admit I just upgraded my systems and
>>>> made major changes to my policy, so it may just be me.
>>>>
>>>>
>>>
>>> I might just be wrong, but I think it has to do with how CIL
>>> allows you to deal with seusers in policy (defaultselinuxuser and
>>> selinuxuser).
>>>
>>> I think that is where it conflicts. Basically, I suspect that it hasn't
>>> dealt with generating the seusers file yet, and so it looks there and
>>> sees a range in a non-MCS policy.
>>>
>>> So I suspect that this is an issue; it's just not noticeable with
>>> refpolicy because refpolicy copies its own seusers file.
>>>
>>
>> I think the CIL people might be able to shed some light on this, so I'm CCing
>> jwcart2.
>>
>> In particular, how "selinuxuser and defaultselinuxuser" could affect or
>> be affected by this patch.
>>
> 
> They won't be affected. cil_selinuxusers_to_string() will only print the
> MLS parts if an MLS policy is specified.

And the other way around? Could the patch above cause things to break
because the seusers aren't updated yet?

E.g. switching on the fly from an MLS policy to a standard policy.

The seusers need to be processed. Could it be that this patch makes it
fail because the seusers haven't been processed yet?

As you can see here:

libsemanage.validate_handler: seuser mapping [kcinimod -> (wheel.id,
s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such
file or directory)
semodule: failed!

It is referring to my seuser mapping. That mapping is from the initial
MLS policy. So it hasn't been processed yet, because if it had been, it
would not have mentioned the s0-s0:c0.c1023.


> Jim


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* Re: [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled
  2016-10-14 19:54             ` James Carter
  2016-10-14 20:00               ` Dominick Grift
@ 2016-10-15  8:17               ` Dominick Grift
From: Dominick Grift @ 2016-10-15  8:17 UTC (permalink / raw)
  To: James Carter, Stephen Smalley, selinux; +Cc: jwcart2



On 10/14/2016 09:54 PM, James Carter wrote:
> On 10/14/2016 03:26 PM, Dominick Grift wrote:
>> On 10/14/2016 09:17 PM, Dominick Grift wrote:
>>> On 10/14/2016 09:09 PM, Dominick Grift wrote:
>>>> On 10/14/2016 09:08 PM, Stephen Smalley wrote:
>>>>> On 10/14/2016 02:58 PM, Dominick Grift wrote:
>>>>>> On 10/14/2016 08:52 PM, Dominick Grift wrote:
>>>>>>> On 10/14/2016 07:40 PM, Stephen Smalley wrote:
>>>>>>>> When a non-MLS policy was used with genhomedircon
>>>>>>>> context_from_record() in sepol would report an error because an
>>>>>>>> MLS level was present when MLS is disabled.  Based on a patch
>>>>>>>> by Gary Tierney, amended to use sepol_policydb_mls_enabled
>>>>>>>> rather than semanage_mls_enabled because we are testing the
>>>>>>>> temporary working policy, not the active policy.
>>>>>>>>
>>>>>>>> Reported-by: Jason Zaman <jason@perfinion.com> Signed-off-by:
>>>>>>>> Stephen Smalley <sds@tycho.nsa.gov> ---
>>>>>>>> libsemanage/src/genhomedircon.c | 6 +++++- 1 file changed, 5
>>>>>>>> insertions(+), 1 deletion(-)
>>>>>>>>
>>>>>>>> diff --git a/libsemanage/src/genhomedircon.c
>>>>>>>> b/libsemanage/src/genhomedircon.c index 6991fff..5e9d722
>>>>>>>> 100644 --- a/libsemanage/src/genhomedircon.c +++
>>>>>>>> b/libsemanage/src/genhomedircon.c @@ -638,7 +638,11 @@ static
>>>>>>>> int write_contexts(genhomedircon_settings_t *s, FILE *out, goto
>>>>>>>> fail; }
>>>>>>>>
>>>>>>>> -        if (sepol_context_set_user(sepolh, context,
>>>>>>>> user->sename) <
>>>>>>>> 0 || +        if (sepol_context_set_user(sepolh, context,
>>>>>>>> user->sename) < 0) { +            goto fail; +        } +
>>>>>>>> +        if
>>>>>>>> (sepol_policydb_mls_enabled(s->policydb) &&
>>>>>>>> sepol_context_set_mls(sepolh, context, user->level) < 0) { goto
>>>>>>>> fail; }
>>>>>>>>
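Review bot: the guard only skips sepol_context_set_mls() when sepol_policydb_mls_enabled(s->policydb) is false; the level already held in user->level is then silently discarded, with no diagnostic that a seuser record carried a range the policy cannot use. That is consistent with the `libsemanage.validate_handler: seuser mapping [kcinimod -> (wheel.id, s0-s0:c0.c1023)] is invalid` failure reported below, which is raised when the seusers records are validated rather than in write_contexts(), so this hunk fixes the context_from_record() error but leaves a stale seusers{.local} that still carries ranges to fail later. Suggest noting in the commit message that existing seusers entries with a level are not cleaned up, and emitting a warning when a level is dropped. Splitting the former `||` into two `if` blocks is fine; the early `goto fail` after sepol_context_set_user() keeps the previous behaviour.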
>>>>>>>
>>>>>>> I could not get this to work:
>>>>>>>
>>>>>>> libsemanage.validate_handler: seuser mapping [kcinimod ->
>>>>>>> (wheel.id, s0-s0:c0.c1023)] is invalid (No such file or
>>>>>>> directory). libsemanage.dbase_llist_iterate: could not iterate
>>>>>>> over records (No such file or directory) semodule: failed!
>>>>>>>
>>>>>>
>>>>>> for reference:
>>>>>>
>>>>>> https://www.youtube.com/watch?v=yUAikbw5BSQ
>>>>>
>>>>> Not sure about that, but with this patch, I could successfully do the
>>>>> following:
>>>>> $ cd refpolicy
>>>>> $ make conf
>>>>> $ make
>>>>> $ sudo make install
>>>>> $ sudo make load
>>>>>
>>>>> And genhomedircon ran without complaint, and I have the expected
>>>>> entries in file_contexts.homedirs.
>>>>> That's with the standard policy.
>>>>>
>>>>
>>>> OK, that's good enough for me. I admit I just upgraded my systems and
>>>> made major changes to my policy, so it may just be me.
>>>>
>>>>
>>>
>>> I might just be wrong, but I think it has to do with how CIL
>>> allows you to deal with seusers in policy (defaultselinuxuser and
>>> selinuxuser).
>>>
>>> I think that is where it conflicts. Basically I suspect that it hasn't
>>> dealt with generating the seusers file yet, and so it looks there and
>>> sees a range in a non-MCS policy.
>>>
>>> So I suspect that this is an issue; it's just not noticeable with
>>> refpolicy because refpolicy copies its own seusers file.
>>>
>>
>> I think the CIL people might be able to shed some light on this, so CCing
>> jwcart2.
>>
>> In particular how "selinuxuser and defaultselinuxuser" could affect or
>> be affected by this patch
>>
> 
> They won't be affected. cil_selinuxusers_to_string() will only print the
> MLS parts if an MLS policy is specified.
> 
> Jim
>

Thanks. I thought about this and I think I see now what the issue is,
and I suppose I can live with this "limitation".

It is indeed choking on seusers{.local}.

If I manually remove /etc/selinux/SELINUXTYPE/seusers and
/var/lib/selinux/SELINUXTYPE/seusers{.local} then it works.


The problem is that I am switching model without switching SELINUXTYPE.
libsemanage can't deal with that, and I suppose there never was a need
for this because it never was possible to switch models with semodule alone.

So on the one hand the patch above works, but on the other hand it
raises the question about whether libsemanage should support switching
modules without switching SELINUXTYPE.




-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



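As an added worked example, not code from libsemanage or from anyone in this thread, the following C program mirrors the decision the patch makes in write_contexts() and the failure mode Dominick describes. It parses seusers records (`login:seuser[:level]`, where the level itself may contain `:`), appends the level to a home-directory context only when the policy is MLS-enabled, and counts records that still carry a level although MLS is off, which is the stale seusers{.local} content that makes a seuser mapping invalid. The role/type pair, the sample records and the function names are constructed for the illustration; libsepol is not used.

```c
/* Added illustration (not libsemanage code): apply a seuser's MLS level to a
 * home-directory context only when the policy has MLS enabled, as the
 * genhomedircon patch in this thread does, and flag seusers records that
 * still carry a level for a non-MLS policy.  Names and records are made up. */
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 128

/* One seusers record: "login:seuser[:level]".  The level may itself contain
 * ':' (e.g. "s0-s0:c0.c1023"), so only the first two ':' delimit fields. */
struct seuser_rec {
    char login[MAX_FIELD];
    char seuser[MAX_FIELD];
    char level[MAX_FIELD];   /* empty string when the record has no level */
};

/* Parse one seusers line (trailing newline allowed).
 * Returns 0 on success, -1 if the line is malformed or a field is too long. */
int parse_seusers_line(const char *line, struct seuser_rec *rec)
{
    char buf[3 * MAX_FIELD];
    char *seuser, *level;
    size_t len = strlen(line);

    memset(rec, 0, sizeof(*rec));
    if (len == 0 || len >= sizeof(buf))
        return -1;
    memcpy(buf, line, len + 1);
    if (buf[len - 1] == '\n')
        buf[len - 1] = '\0';

    seuser = strchr(buf, ':');
    if (!seuser || seuser == buf)
        return -1;               /* no separator, or empty login */
    *seuser++ = '\0';

    level = strchr(seuser, ':');
    if (level)
        *level++ = '\0';         /* everything after the 2nd ':' is the level */
    if (*seuser == '\0')
        return -1;               /* empty seuser */

    if (strlen(buf) >= MAX_FIELD || strlen(seuser) >= MAX_FIELD ||
        (level && strlen(level) >= MAX_FIELD))
        return -1;
    strcpy(rec->login, buf);
    strcpy(rec->seuser, seuser);
    if (level)
        strcpy(rec->level, level);
    return 0;
}

/* Build "seuser:role:type[:level]".  Like the patched write_contexts(), the
 * level is used only when mls_enabled is non-zero; otherwise it is dropped.
 * role and type stand in for the values genhomedircon takes from its context
 * template.  Returns 0 on success, -1 if the output buffer is too small. */
int build_home_context(const struct seuser_rec *rec, const char *role,
                       const char *type, int mls_enabled,
                       char *out, size_t outlen)
{
    int n;

    if (mls_enabled && rec->level[0] != '\0')
        n = snprintf(out, outlen, "%s:%s:%s:%s",
                     rec->seuser, role, type, rec->level);
    else
        n = snprintf(out, outlen, "%s:%s:%s", rec->seuser, role, type);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Count records that carry a level although MLS is disabled: the stale
 * seusers{.local} content the thread identifies as the cause of the
 * "seuser mapping ... is invalid" error.  Malformed lines are skipped. */
int count_stale_levels(const char *const *lines, size_t nlines, int mls_enabled)
{
    struct seuser_rec rec;
    int stale = 0;
    size_t i;

    for (i = 0; i < nlines; i++) {
        if (parse_seusers_line(lines[i], &rec) < 0)
            continue;
        if (!mls_enabled && rec.level[0] != '\0')
            stale++;
    }
    return stale;
}

int main(void)
{
    /* Constructed sample seusers content, not taken from any real system. */
    static const char *const sample[] = {
        "system_u:system_u:s0-s0:c0.c1023",
        "kcinimod:wheel.id:s0-s0:c0.c1023",
        "__default__:user_u",
    };
    size_t i, n = sizeof(sample) / sizeof(sample[0]);
    struct seuser_rec rec;
    char ctx[256];

    for (i = 0; i < n; i++) {
        if (parse_seusers_line(sample[i], &rec) < 0) {
            printf("malformed record: %s\n", sample[i]);
            continue;
        }
        if (build_home_context(&rec, "object_r", "user_home_dir_t", 0,
                               ctx, sizeof ctx) == 0)
            printf("%s -> %s   (non-MLS policy, level dropped)\n",
                   rec.login, ctx);
    }
    printf("%d record(s) carry a level but the policy is non-MLS\n",
           count_stale_levels(sample, n, 0));
    return 0;
}
```

Build with `cc -std=c99 -Wall seusers_check.c` (file name assumed). Running count_stale_levels() over a real seusers or seusers.local with mls_enabled set to 0 before loading a non-MLS policy gives the same signal the thread arrives at by hand: any non-zero count means the records need to be regenerated or removed, because the patch only stops genhomedircon from applying the level, it does not make the stale records valid.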
end of thread

Thread overview: 11+ messages
2016-10-14 17:40 [PATCH] libsemanage: genhomedircon: only set MLS level if MLS is enabled Stephen Smalley
2016-10-14 18:52 ` Dominick Grift
2016-10-14 18:58   ` Dominick Grift
2016-10-14 19:08     ` Stephen Smalley
2016-10-14 19:09       ` Dominick Grift
2016-10-14 19:17         ` Dominick Grift
2016-10-14 19:26           ` Dominick Grift
2016-10-14 19:54             ` James Carter
2016-10-14 20:00               ` Dominick Grift
2016-10-15  8:17               ` Dominick Grift
2016-10-14 18:59   ` Stephen Smalley
