Difficulty compiling setools-1.3-2

Karl MacMillan kmacmillan at tresys.com
Thu May 27 13:55:34 UTC 2004


> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Bob Gustafson
> Sent: Wednesday, May 26, 2004 8:34 PM
> To: Fedora SELinux support list for users & developers.
> Subject: Re: Difficulty compiling setools-1.3-2
> 
> I did a little more testing
> 
> [user1 at hoho2 user1]$ seuser show users
> Could not access policy.conf file. Verify the location is valid in the seuser.conf file.
> [user1 at hoho2 user1]$
> 
> At this point, I said 'whoops, remake of setools has same problem as
> before'
> 
> But then a minute later, when I was logged in as root, I did it again with
> good results - no code change.
> 
> [root at hoho2 user1]#
> [root at hoho2 user1]# seuser show users
> 
> system_u: system_r
> user_u: user_r sysadm_r system_r
> root: staff_r sysadm_r system_r
> cyrus: cyrus_r
> mailman: mailman_r
> 
> 
> [root at hoho2 user1]#
> 
> I don't know what the desired error message is for an ordinary user?

I'm not certain either, but the error message that was returned was clearly
not the right one. We'll work on some better error messages for a future
release.

> Are
> mortal users discouraged from running seuser? If so, perhaps the policy
> should just make it not executable for mortal users.
> 
> If mortal users can run 'seuser', then perhaps the seuser.conf file has to
> be accessible to the seuser program when being run by a mortal user. That
> is my guess at why the error message comes up.
> 

That is correct. Seuser is designed to only be run by sysadm_r - it is a
trusted program with wide ranging access to the policy, so it is probably
not appropriate for a normal user to run (this is all in the context of the
strict policy - things are different under the targeted policy). If you
simply want to see the users in the system, the better program to use is
seinfo:


[kmacmillan at pham setools-1.4]$ seinfo -u -x

Users: 5
   system_u
      system_r
   root
      system_r
      sysadm_r
      staff_r
   user_u
      system_r
      sysadm_r
      user_r
   cyrus
      cyrus_r
   mailman
      mailman_r

Karl

> 
> BobG
> 
> 
> 
> On Wed, 26 May 2004 14:07:30 -0400, Stephen Smalley wrote:
> >On Wed, 2004-05-26 at 14:01, Bob Gustafson wrote:
> >> Thanks much, seems to work (I have a blank apol window popped up on my
> >>screen)
> >>
> >> The Tresys version of setools-1.3.1.tgz is bigger and newer than the one on
> >> the NSA site.
> >
> >diff -ru on the expanded directories shows that the only difference is
> >that the Tresys tarball has a spurious Attic directory under seuser.
> >The tarball on the NSA site is built from our internal CVS tree, and we
> >import new versions from Tresys as appropriate (but naturally don't
> >import CVS internal files like the Attic directory).
> >
> >--
> >Stephen Smalley <sds at epoch.ncsc.mil>
> >National Security Agency
> >
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list at redhat.com
> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
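
An added example, not part of the original message or of setools: a small parser for the `seinfo -u -x` listing quoted above that reports which SELinux users are authorized for a given role, such as the sysadm_r role that seuser is meant to run under. It assumes the indented layout shown in this message (users at one indent level, roles one level deeper); the function names are hypothetical.

```python
"""Audit user-to-role authorizations from `seinfo -u -x` output (added example)."""

# Constructed sample: the seinfo listing as it appears in the message above.
SAMPLE = """\
Users: 5
   system_u
      system_r
   root
      system_r
      sysadm_r
      staff_r
   user_u
      system_r
      sysadm_r
      user_r
   cyrus
      cyrus_r
   mailman
      mailman_r
"""

def parse_seinfo_users(text):
    """Return {user: [roles]}; raise ValueError if the listing is inconsistent."""
    users, declared, user_indent, current = {}, None, None, None
    for raw in text.splitlines():
        token = raw.strip()
        if not token:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            # Unindented lines are headers; keep the declared user count.
            if token.startswith("Users:"):
                declared = int(token.split(":", 1)[1])
            continue
        if user_indent is None:
            user_indent = indent        # first indented line sets the user level
        if indent == user_indent:
            current = token
            users[current] = []
        elif indent > user_indent and current is not None:
            users[current].append(token)  # deeper indent: a role of that user
        else:
            raise ValueError(f"unexpected indentation: {raw!r}")
    # A count mismatch means the listing was truncated or mis-parsed.
    if declared is not None and declared != len(users):
        raise ValueError(f"header says {declared} users, parsed {len(users)}")
    return users

def users_with_role(users, role):
    """Sorted list of users whose policy entry authorizes `role`."""
    return sorted(u for u, roles in users.items() if role in roles)

if __name__ == "__main__":
    print("sysadm_r:", users_with_role(parse_seinfo_users(SAMPLE), "sysadm_r"))
```

To check a live system, pass the captured output of `seinfo -u -x` to `parse_seinfo_users` in place of `SAMPLE`.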



