On 21.02.2014 at 10:32, selinux-request(a)lists.fedoraproject.org wrote:
>
> Today's Topics:
>
> 1. Re: semanage error when upgrading to RHEL 6.5 (Andy Ruch)
> 2. RE: Correct way to use booleans (Jayson Hurst)
> 3. Re: semanage error when upgrading to RHEL 6.5 (Miroslav Grepl)
> 4. Re: Correct way to use booleans (Miroslav Grepl)
> 5. Re: how to change the context of running process (Miroslav Grepl)
> 6. Re: How to properly setup my domains security contexts in the
> domain.fc file? (Miroslav Grepl)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 20 Feb 2014 14:30:06 -0800 (PST)
> From: Andy Ruch <adruch2002(a)yahoo.com>
> To: Daniel J Walsh <dwalsh(a)redhat.com>, Fedora SELinux
> <selinux(a)lists.fedoraproject.org>
> Subject: Re: semanage error when upgrading to RHEL 6.5
> Message-ID:
> <1392935406.63212.YahooMailNeo(a)web124903.mail.ne1.yahoo.com>
> Content-Type: text/plain; charset=utf-8
>
>
>> On Thursday, February 20, 2014 3:23 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>
>> On 02/20/2014 04:44 PM, Andy Ruch wrote:
>>>
>>>
>>>
>>>
>>>
>>>> On Thursday, February 20, 2014 2:36 PM, Daniel J Walsh
>>>> <dwalsh(a)redhat.com> wrote:
>>>>
>>>> On 02/20/2014 03:46 PM, Andy Ruch wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thursday, February 20, 2014 1:38 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
>>>>>>
>>>>>> On 02/19/2014 11:56 AM, Andy Ruch wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have a policy that was originally written for RHEL 6.2. I’m now
>>>>>>> trying to upgrade to RHEL 6.5 and I’m having problems with semanage. I
>>>>>>> can install a fresh RHEL 6.5 system with the targeted policy and
>>>>>>> everything works fine. I then uninstall the targeted policy and install
>>>>>>> my policy and I can’t link the linux user and selinux user.
>>>>>>>
>>>>>>>>> semanage user -a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 testuser_u
>>>>>>>>> useradd -G wheel testuser
>>>>>>>>> semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser
>>>>>>> libsemanage.dbase_llist_query: could not query record value
>>>>>>> /usr/sbin/semanage: Could not query user for testuser
>>>>>>>
>>>>>>>
>>>>>>> I have the RHEL 6.5 source code for libsemanage and the targeted policy
>>>>>>> but so far I haven't been able to find differences that would affect
>>>>>>> this problem. Could someone please point me in the right direction as
>>>>>>> far as what semanage is expecting? What would prevent libsemanage from
>>>>>>> querying for the user?
>>>>>>>
>>>>>>> Thanks, Andy
>>>>>>>
>>>>>>>
>>>>>>> -- selinux mailing list selinux(a)lists.fedoraproject.org
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>> What does semanage login -l and semanage user -l show?
>>>>>>
>>>>>
>>>>> semanage user -l shows:
>>>>>
>>>>>
>>>>>                 Labeling   MLS/       MLS/
>>>>> SELinux User    Prefix     MCS Level  MCS Range          SELinux Roles
>>>>>
>>>>> root            user       s0         s0-s0:c0.c1023     system_r
>>>>> system_u        user       s0         s0-s0:c0.c1023     system_r
>>>>> testuser_u      user       s0         s0-s0:c0.c1023     staff_r sysadm_r
>>>>> user_u          user       s0         s0                 user_r
>>>>>
>>>>>
>>>>>
>>>>> semanage login -l shows:
>>>>>
>>>>>
>>>>> Login Name      SELinux User    MLS/MCS Range
>>>>>
>>>>> root            root            s0-s0:c0.c1023
>>>>> system_u        system_u        s0-s0:c0.c1023
>>>>>
>>>>>
>>>> And the testuser exists in /etc/passwd?
>>>>
>>>
>>>
>>> Yes. The commands "semanage user -a" and "useradd" appear to work fine.
>>> It's the "semanage login -a" that has trouble.
>>>
>> And this is with the stock policycoreutils or a rebuilt one?
>>
>
> Stock. Fresh install from RHEL 6.5 image. Then I remove the selinux-policy and
> selinux-policy-targeted RPMs and add my policy RPMs.
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 20 Feb 2014 16:54:18 -0700
> From: Jayson Hurst <swazup(a)hotmail.com>
> To: Daniel J Walsh <dwalsh(a)redhat.com>,
> "selinux(a)lists.fedoraproject.org" <selinux(a)lists.fedoraproject.org>
> Subject: RE: Correct way to use booleans
> Message-ID: <BLU172-W3728825C096AEDF18A065DD59A0(a)phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I see the same thing on RHEL 6.5.
>
> So should I assume this is a bug in SELinux/OS? Even so, is there a way that I can
> work around it? Would there be anything wrong with transitioning files I create in tmp
> from tmp_t to user_tmp_t?
>
>> Date: Thu, 20 Feb 2014 14:21:55 -0500
>> From: dwalsh(a)redhat.com
>> To: swazup(a)hotmail.com; selinux(a)lists.fedoraproject.org
>> Subject: Re: Correct way to use booleans
>>
>> On 02/20/2014 01:41 PM, Jayson Hurst wrote:
>>> I am running in permissive mode, my module is in permissive mode.
>>>
>>> I am actually running on RHEL 6.0.
>>>
>>> So in this scenario even though my daemon is authenticating the user it is
>>> not responsible for context that the krb5cc_xxx file gets created as?
>>>
>>
>> The login daemons should be creating this file with the correct context.
>> user_tmp_t.
>
>