Re: Fedora buildsys and SELinux
- From: Stephen Smalley <sds tycho nsa gov>
- To: Eric Paris <eparis redhat com>
- Cc: Bill Nottingham <notting redhat com>, fedora-selinux-list <fedora-selinux-list redhat com>, Eric Paris <eparis parisplace org>
- Subject: Re: Fedora buildsys and SELinux
- Date: Tue, 13 May 2008 09:15:25 -0400
On Tue, 2008-05-13 at 09:03 -0400, Eric Paris wrote:
> On Tue, 2008-05-13 at 08:44 -0400, Stephen Smalley wrote:
> > On Mon, May 12, 2008 at 5:26 PM, Eric Paris <eparis redhat com> wrote:
>
> >
> > >
> > > Installing: selinux-policy ##################### [128/129]
> > > Installing: selinux-policy-targeted ##################### [129/129]
> > > libsemanage.dbase_llist_query: could not query record value
> > > libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was defined for user guest_u
> >
> > Hmm...so you are installing a policy with MLS enabled, but tried to
> > add a user without a MLS level. I think this is likely a
> > bug/limitation of semanage, where it tries to deduce whether or not to
> > include the MLS field based on whether the host has MLS enabled.
> > This has come up before on selinux list; we need a libsemanage
> > interface for querying whether MLS is enabled in the policy store vs.
> > on the host. Or you could fake a /selinux/mls node that contains "1".
>
> I have one that has a 1\n inside the chroot, but I guess that wasn't
> enough? Yes, I think it's a fine idea to create such a store vs. host
> check, but in either case they both 'should' have returned MLS=on....
The newline is the problem for you; libselinux is_selinux_mls_enabled()
looks for an exact match against "1" since that is what the kernel has
always returned.
--
Stephen Smalley
National Security Agency
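
Added example, not part of the original thread: a byte-exact check and writer for the fake selinux/mls node discussed above, showing why a file written with echo ("1\n") fails an exact match against "1". The function names and the temporary directory standing in for the chroot are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical, not from the thread.

# Return 0 only if FILE holds exactly the single byte "1" (0x31).
# A test such as [ "$(cat "$f")" = 1 ] would be wrong here: command
# substitution strips trailing newlines, so it would also accept "1\n".
mls_node_is_exact() {
    f=$1
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" = 1 ] || return 1
    byte=$(od -An -tx1 "$f" | tr -d ' \n')
    [ "$byte" = 31 ]
}

# Write the fake node under ROOT without a trailing newline.
write_mls_node() {
    root=$1
    mkdir -p "$root/selinux" || return 1
    printf '1' > "$root/selinux/mls"
}

# Constructed demonstration in a throwaway directory standing in for a chroot.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/selinux"
    echo 1 > "$root/selinux/mls"      # writes "1\n": two bytes
    if mls_node_is_exact "$root/selinux/mls"; then first=match; else first=mismatch; fi
    write_mls_node "$root"            # writes "1": one byte
    if mls_node_is_exact "$root/selinux/mls"; then second=match; else second=mismatch; fi
    rm -rf "$root"
    echo "echo: $first, printf: $second"
}

demo
```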