MLS is disabled, but MLS context "s0" found

MLS is disabled, but MLS context "s0" found

[Nicolas Iooss]

Hello,

When using semanage from policycoreutils 2.6 I get the following error
every time I update something (modifying a boolean, adding a user login...):

  # semanage boolean --modify --on global_ssp
  libsepol.context_from_record: MLS is disabled, but MLS context "s0"
  found
  libsepol.context_from_record: could not create context structure
  (Invalid argument).

In the code is quite clear on the reason of this warning [1]: I have
some policy files which define file contexts with MLS context s0 even
though I am using a non-MLS policy.

At first I thought it was an issue in the way refpolicy is being build
(the policy I am using comes from refpolicy), but the hll files in
/var/lib/selinux do not define s0 in the file contexts (I verified this
using "bzcat < hll |cat -v", which showed the fc definitions).

Then I ran the hll/pp program on hll and saw that the CIL filecon
statements use "(systemlow systemlow)", and that the base module contains:

  (sensitivity s0)
  (sensitivityorder (s0))
  (level systemlow (s0))
  (mls false)

I also found a comment in module_to_cil.c describing why this is
necessary: "CIL requires that all contexts have a range" [2].

In short, context_from_record() does not like when a file context
defines a sensitivity level in a non-MLS policy and the current
pp-to-cil compiler generates file contexts with sensitivity levels, in a
non-MLS policy. Is this a bug in libsepol or something I misconfigured
on my system?

Thanks,
Nicolas

[1]
https://github.com/SELinuxProject/selinux/blob/libsepol-2.6/libsepol/src/context.c#L196
[2]
https://github.com/SELinuxProject/selinux/blob/libsepol-2.6/libsepol/src/module_to_cil.c#L3969

Re: MLS is disabled, but MLS context "s0" found

[Nicolas Iooss]

On 12/11/16 11:41, Nicolas Iooss wrote:
> Hello,
> 
> When using semanage from policycoreutils 2.6 I get the following error
> every time I update something (modifying a boolean, adding a user login...):
> 
>   # semanage boolean --modify --on global_ssp
>   libsepol.context_from_record: MLS is disabled, but MLS context "s0"
>   found
>   libsepol.context_from_record: could not create context structure
>   (Invalid argument).
> 
> In the code is quite clear on the reason of this warning [1]: I have
> some policy files which define file contexts with MLS context s0 even
> though I am using a non-MLS policy.
> 
> At first I thought it was an issue in the way refpolicy is being build
> (the policy I am using comes from refpolicy), but the hll files in
> /var/lib/selinux do not define s0 in the file contexts (I verified this
> using "bzcat < hll |cat -v", which showed the fc definitions).
> 
> Then I ran the hll/pp program on hll and saw that the CIL filecon
> statements use "(systemlow systemlow)", and that the base module contains:
> 
>   (sensitivity s0)
>   (sensitivityorder (s0))
>   (level systemlow (s0))
>   (mls false)
> 
> I also found a comment in module_to_cil.c describing why this is
> necessary: "CIL requires that all contexts have a range" [2].
> 
> In short, context_from_record() does not like when a file context
> defines a sensitivity level in a non-MLS policy and the current
> pp-to-cil compiler generates file contexts with sensitivity levels, in a
> non-MLS policy. Is this a bug in libsepol or something I misconfigured
> on my system?

After sending this email I found commit 4cf9b9ce2df0 ("libsemanage:
genhomedircon: only set MLS level if MLS is enabled") and I took it in
the libsemanage package I use on my system. This fixed the issue I had,
and in fact I missed the genhomedircon step in my analysis.

Problem solved. Sorry for the noise!

Nicolas