Description of problem:
I'm referring to:
https://bugzilla.redhat.com/show_bug.cgi?id=639900#c4
https://bugzilla.redhat.com/show_bug.cgi?id=639900#c5
https://bugzilla.redhat.com/show_bug.cgi?id=639900#c7

Version-Release number of selected component (if applicable):
shadow-utils-4.1.4.2-13.el6

How reproducible:
always

Steps to Reproduce:
# rpm -e policycoreutils-python
# useradd -Z user_u userXYZ
Failed to exec '/usr/sbin/semanage'
useradd: warning: the user name userXYZ to user_u SELinux user mapping failed.
# echo $?
14
#

Actual results:
* useradd executes /usr/sbin/semanage

Expected results:
* useradd calls the correct libsemanage functions

# rpm -q policycoreutils-python
policycoreutils-python-2.0.83-19.16.el6.x86_64
# useradd -Z staff_u testuser
# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
testuser                  staff_u                   s0
# rpm -e policycoreutils-python
# userdel -rfZ testuser
# semanage login -l
-bash: /usr/sbin/semanage: No such file or directory
# yum -y -q install policycoreutils-python
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
selinux-policy-minimum-3.7.19-119.el6.noarch has missing requires of policycoreutils-python >= ('0', '2.0.78', '1')
# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
testuser                  staff_u                   s0
#

It seems that userdel needs semanage too.

# rpm -q policycoreutils-python
policycoreutils-python-2.0.83-19.16.el6.x86_64
# useradd -Z staff_u testuser
# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
testuser                  staff_u                   s0
# rpm -e policycoreutils-python
# usermod -Z staff_u testuser
Failed to exec '/usr/sbin/semanage'
usermod: warning: the user name testuser to staff_u SELinux user mapping failed.
# echo $?
13
#

Unfortunately, usermod needs semanage too.

I'm sorry Milos, but I'm not going to add policycoreutils-python to requirements. This would drag in other ugly dependencies, which would break the minimal platform, and that would cause problems with certifications and so on... What would be best is to replace semanage with a library call. I talk to selinux guys about this option. If it is doable, I'll be glad to fix it. :)
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.
This is causing a regression in Common Criteria. With this fix, adding the SELinux user is not audited with a ROLE_ASSIGN event. Fixing this bug would require fixing libsemanage and possibly also policycoreutils-python to use libsemanage correctly: https://bugzilla.redhat.com/show_bug.cgi?id=952237
If this request is not backed by any customer, I would recommend removing it from the update to get back to a Common Criteria acceptable state.
Closing as WONTFIX then.