> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh <dwalsh(a)redhat.com>
wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>
>>
>>
>>
>>> On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh
>>> <dwalsh(a)redhat.com> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>
>>>>
>>>>
>>>> On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh
>>> <dwalsh(a)redhat.com>
>>>> wrote:
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>>
>>>>> On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have a policy that was originally written for RHEL 6.2.
> I’m now
>>>>>> trying to upgrade to RHEL 6.5 and I’m having problems with
>>> semanage. I
>>>>>> can install a fresh RHEL 6.5 system with the targeted
> policy and
>>>>>> everything works fine. I then uninstall the targeted policy
> and
>>> install
>>>>>> my policy and I can’t link the linux user and selinux user.
>>>>>>
>>>>>>>> semanage user –a -R sysadm_r -R staff_r -r
> s0-s0:c0.c1023
>>>>>>>> testuser_u useradd -G wheel testuser semanage login
> -a -r
>>>>>>>> s0-s0:c0.c1023 -s testuser_u testuser
>>>>>> libsemanage.dbase_llist_query: could not query record value
>>>>>> /usr/sbin/semanage: Could not query user for testuser
>>>>>>
>>>>>>
>>>>>> I have the RHEL 6.5 source code for libsemanage and the
> targeted
>>> policy
>>>>>> but so far I haven't been able to find differences that
> would
>>> affect
>>>>>> this problem. Could someone please point me in the right
> direction
>>> as
>>>>>> far as what semanage is expecting? What would prevent
> libsemanage
>>> from
>>>>>> querying for the user?
>>>>>>
>>>>>> Thanks, Andy
>>>>>>
>>>>>>
>>>>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>>>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>
>>>>> What does semanage login -l and semanage user -l show?
> -----BEGIN
>>>>> PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with
>>>>> Thunderbird
>>> -
>>>>>
http://www.enigmail.net/
>>>>>
>>>>>
> iEYEARECAAYFAlMGZ6gACgkQrlYvE4MpobPPDACfZf1lDin/LicVoZbykbsMS2rX
>>>>> OuoAoIIa11SrGGVgJiFblx4aCFjPWF9o =iiCj -----END PGP
> SIGNATURE-----
>>>> semanage user -l shows:
>>>>
>>>>
>>>> Labeling MLS/ MLS/ SELinux User Prefix MCS Level
> MCS
>>>> Range SELinux Roles
>>>>
>>>> root user s0 s0-s0:c0.c1023 system_r
> system_u
>>>> user s0 s0-s0:c0.c1023 system_r testuser_u user
>>>> s0 s0-s0:c0.c1023 staff_r sysadm_r user_u user
>>>> s0 s0 user_r
>>>>
>>>>
>>>>
>>>> semanage login -l shows:
>>>>
>>>>
>>>> Login Name SELinux User MLS/MCS Range
>>>>
>>>>
>>>> root root s0-s0:c0.c1023
>>>> system_u system_u s0-s0:c0.c1023
> --
>>>> selinux mailing list selinux(a)lists.fedoraproject.org
>>>>
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>> And the testuser exists in /etc/passwd? -----BEGIN PGP
SIGNATURE-----
>>> Version: GnuPG v1 Comment: Using GnuPG with Thunderbird -
>>>
http://www.enigmail.net/
>>>
>>> iEYEARECAAYFAlMGdVYACgkQrlYvE4MpobPSyQCgkQxSuJh2rUYvkDcNjCo2aeai
>>> DugAniPjTv6IbODBn+ADnsIPdpf1M55a =TUJs
>>>
>>> -----END PGP SIGNATURE-----
>>>
>>
>> Yes. The commands "semanage user -a" and "useradd"
> appear to work fine.
>> It's the "semanage login -a" that has trouble.
>>
> And this is with the stock policycoreutils or a rebuilt one?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
>
> iEYEARECAAYFAlMGgHUACgkQrlYvE4MpobOltACgqKw0AFB/7VRzT08hJRTh5A2v
> i1EAn1oG1gBOGN9R3npTRx7aMdR0fV5H
> =gXXZ
>
> -----END PGP SIGNATURE-----
>
Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy and
selinux-policy-targeted RPMs and add my policy RPMs.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux Probably not related but
could you test it in permissive?
Also any chance to strace it and send us your output?
Regards,
Miroslav