Re: Fedora buildsys and SELinux
- From: Stephen Smalley <sds tycho nsa gov>
- To: Eric Paris <eparis redhat com>
- Cc: Bill Nottingham <notting redhat com>, fedora-selinux-list <fedora-selinux-list redhat com>, Eric Paris <eparis parisplace org>
- Subject: Re: Fedora buildsys and SELinux
- Date: Thu, 15 May 2008 14:36:16 -0400
On Wed, 2008-05-14 at 16:38 -0400, Eric Paris wrote:
> > > ^M Installing: kbd ##################### [126/129]
> > > ^M Installing: kernel ##################### [127/129]
> > > ^M Installing: selinux-policy ##################### [128/129]
> > > ^M Installing: selinux-policy-targeted ##################### [129/129]
> > >
> > > All of this still went smoothly...
> > >
> > > libsemanage.dbase_llist_query: could not query record value
> > >
> > > No idea where this is coming from
> >
> > Maybe a table was empty. Might want to look under etc/selinux/targeted
> > within the chroot.
>
> Without any helpful input I've still been banging my head against this
> wall, cleaned up a bunch of stuff in how the livecd-tools make images,
> wrote some policy (going to need to redo it) and it seems like I'm
> building images at least now. Remember all of this is building F10
> images on F10, I'm not trying to handle the 'illegal' context stuff at
> all, let's just make that clear.
>
> Anyway, I'm still getting a couple of ?error? messages
>
> Installing: kbd ##################### [126/129]
> Installing: selinux-policy ##################### [127/129]
> Installing: selinux-policy-targeted ##################### [128/129]
> libsemanage.dbase_llist_query: could not query record value
> /usr/sbin/semanage: Invalid prefix user
> /usr/sbin/semanage: Invalid prefix user
>
> Installing: kernel ##################### [129/129]
> Only root can do that.
> e2fsck 1.40.9 (27-Apr-2008)
> Pass 1: Checking inodes, blocks, and sizes
>
> but I'm about to try to boot one of these things and see what happens.
> Anyone have hints on what to look for with the above error messages? As
> usual I don't know what a 'table' is in this context :)

The invalid prefix user is another artifact of semanage/seobject.py
trying to check something against the host's policy rather than checking
against the target policy just due to lack of adequate libsemanage
interfaces. Calls to is_selinux_mls_enabled() and
security_check_context() need to be turned into libsemanage calls.

The could not query record value one is too generic. Might help to get
a snapshot of the /etc/selinux/targeted tree that it built and see
what's there. Or possibly patching libsemanage to give more useful
output, but it's a bit hard due to abstraction layers there.

--
Stephen Smalley
National Security Agency