On Tue, 2008-05-13 at 09:03 -0400, Eric Paris wrote:
> On Tue, 2008-05-13 at 08:44 -0400, Stephen Smalley wrote:
> > On Mon, May 12, 2008 at 5:26 PM, Eric Paris eparis@redhat.com wrote:
> > > Installing: selinux-policy ##################### [128/129]
> > > Installing: selinux-policy-targeted ##################### [129/129]
> > > libsemanage.dbase_llist_query: could not query record value
> > > libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was defined for user guest_u
> >
> > Hmm...so you are installing a policy with MLS enabled, but tried to add a user without a MLS level. I think this is likely a bug/limitation of semanage, where it tries to deduce whether or not to include the MLS field based on whether the host has MLS enabled. This has come up before on selinux list; we need a libsemanage interface for querying whether MLS is enabled in the policy store vs. on the host. Or you could fake a /selinux/mls node that contains "1".
>
> I have one that has a 1\n inside the chroot, but I guess that wasn't enough? Yes, I think it's a fine idea to create such a store vs. host check, but in either case they both 'should' have returned MLS=on....

The newline is the problem for you; libselinux is_selinux_mls_enabled() looks for an exact match against "1" since that is what the kernel has always returned.
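As an added illustration of the exact-match rule described above (example code written for this page, not libselinux's own source or anything from the thread): it reads an "mls" node the way the thread says the library does, accepts only a bare "1", and separately flags a node containing "1\n" so a hand-made chroot node can be told apart from a genuinely disabled MLS. The `diagnose_mls_node` verdicts and the `write_fake_mls_node` temp-file helper are assumptions added for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum mls_verdict { MLS_OFF = 0, MLS_ON = 1, MLS_TRAILING_NEWLINE = 2 };

/* Read an "mls" node into a NUL-terminated buffer; -1 if it cannot be read. */
static int read_mls_node(const char *path, char *buf, size_t len)
{
    int ret, fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    memset(buf, 0, len);
    do {
        ret = read(fd, buf, len - 1);   /* the kernel returns just "1" or "0" */
    } while (ret < 0 && errno == EINTR);
    close(fd);
    return ret < 0 ? -1 : 0;
}

/* Classify the node: ON only on an exact "1"; a "1\n" is reported separately
 * so a hand-made chroot node can be told apart from a genuinely disabled MLS. */
enum mls_verdict diagnose_mls_node(const char *path)
{
    char buf[20];
    if (read_mls_node(path, buf, sizeof buf) < 0)
        return MLS_OFF;                 /* missing node: treated as disabled */
    if (strcmp(buf, "1") == 0)
        return MLS_ON;
    if (strcmp(buf, "1\n") == 0)
        return MLS_TRAILING_NEWLINE;
    return MLS_OFF;
}

/* Constructed helper (not part of libselinux): write a fake mls node to a temp
 * file. Returns a malloc'ed path the caller must unlink() and free(). */
char *write_fake_mls_node(const char *content)
{
    char tmpl[] = "/tmp/fake-mls-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n == (ssize_t)strlen(content) ? strdup(tmpl) : NULL;
}
```

Pointing `diagnose_mls_node` at a real `/selinux/mls` (or at the node inside a chroot) shows which of the two "1" cases semanage would see.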