On 09/07/2016 02:45 PM, Stephen Smalley wrote:
> On 09/07/2016 03:15 AM, Dominick Grift wrote:
>> On 09/07/2016 06:42 AM, Gary Tierney wrote:
>>> On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley wrote:
>>>> On 09/06/2016 09:48 AM, Gary Tierney wrote:
>>>>> @@ -1074,9 +1130,6 @@ static genhomedircon_user_entry_t
>>>>> *get_users(genhomedircon_settings_t * s, if (strcmp(name,
>>>>> DEFAULT_LOGIN) == 0) continue;
>>>>>
>>>>> - if (strcmp(name, TEMPLATE_SEUSER) == 0) -
>>>>> continue; -
>>>>
>>>> This yields a warning/error on Fedora: $ sudo semodule -B
>>>> libsemanage.add_user: user system_u not in password file
>>>>
>>>
>>> I can re-add this conditional to prevent outputting the warning,
>>> though is there a reason for a login named "system_u" ?
>>>
>>
>> Is that warning really useful in the first place though? My
>> requirement to create a gdm selinux id also causes these messages
>> for user gdm whenever semodule -B is run on systems that do not
>> have the gdm user.
>
> Why do you need a gdm selinux id?
>

PAM related

Because systemd spawns a --user instance for gdm and that in turn runs a
gdm --session bus. In order to run the gdm --session bus in gdm.subj
this was needed.

Basically gdm is sort of treated as a real user in some ways. E.g. It
has a /run/user/42 and it has a systemd --user instance

>> Can we not just print that message only when semodule is run with
>> -v instead?
>
> Presently -v only affects output from semodule itself; it isn't
> propagated to libsemanage in any way. And libsemanage logging only
> defines three levels presently: error, warning, info. So we don't
> presently have the support for making a libsemanage log message
> verbose-only, even if we wanted to do so.
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
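
Review bot: Removing the `TEMPLATE_SEUSER` skip in `get_users()`, directly after the retained `DEFAULT_LOGIN` check, means the loop no longer passes over that login, and the thread reports `libsemanage.add_user: user system_u not in password file` from `semodule -B` on Fedora with this change. Either keep `if (strcmp(name, TEMPLATE_SEUSER) == 0) continue;` or explain in the commit message why that entry must now be processed, and handle a login with no password-file entry without emitting the warning.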