Hi,
I am currently trying to teach myself SELinux on a Fedora FC6 box (VMware), configured with the strict policy running in permissive mode.
I followed the instructions provided on http://james-morris.livejournal.com/8228.html to play with MCS functions, but I get an error when I try to assign a category "Public" to an unprivileged user "foo" with the chcat command (as root, with sysadm role):

-----------------------------------------------
# chcat -l -- +Public foo
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user foo exceeds allowed range s0 for SELinux user user_u
libsemanage.validate_handler: seuser mapping [foo -> (user_u, s0-s0:c0)] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
-----------------------------------------------
Other techniques to achieve the same result (e.g. trying to assign this category with semanage) lead to the same error.
-----------------------------------------------
# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
foo                       user_u                    s0
root                      root                      SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh

# semanage user -l

SELinux User    Prefix     MLS/MCS Level  MLS/MCS Range           SELinux Roles

root            sysadm     s0             SystemLow-SystemHigh    system_r sysadm_r staff_r
staff_u         staff      s0             SystemLow-SystemHigh    sysadm_r staff_r
sysadm_u        sysadm     s0             SystemLow-SystemHigh    sysadm_r
system_u        user       s0             SystemLow-SystemHigh    system_r
user_u          user       s0             s0                      user_r
-----------------------------------------------
My setrans.conf file contains:

s0:c0=Public
s0:c1=Confidential
s0:c2=Secret
s0:c3=TopSecret
Any idea?
Apart from that, setting a category on a non-existing file leads to a segmentation fault:

# chcat -- +Public doesnotexist.txt
Segmentation fault
Thanks for your help,
Ben
pandalists@free.fr wrote:
> Hi,
> I am currently trying to teach myself SELinux on a Fedora FC6 box (VMware), configured with the strict policy running in permissive mode.
> I followed the instructions provided on http://james-morris.livejournal.com/8228.html to play with MCS functions, but I get an error when I try to assign a category "Public" to an unprivileged user "foo" with the chcat command (as root, with sysadm role):
>
> # chcat -l -- +Public foo
> libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user foo exceeds allowed range s0 for SELinux user user_u
> libsemanage.validate_handler: seuser mapping [foo -> (user_u, s0-s0:c0)] is invalid
> libsemanage.dbase_llist_iterate: could not iterate over records

Looks like a bug. Does

    chcon -l -- +s0:c0 foo

work?

> Other techniques to achieve the same result (e.g. trying to assign this category with semanage) lead to the same error.
>
> # semanage login -l
>
> Login Name                SELinux User              MLS/MCS Range
>
> __default__               user_u                    s0
> foo                       user_u                    s0
> root                      root                      SystemLow-SystemHigh
> system_u                  system_u                  SystemLow-SystemHigh
>
> # semanage user -l
>
> SELinux User    Prefix     MLS/MCS Level  MLS/MCS Range           SELinux Roles
>
> root            sysadm     s0             SystemLow-SystemHigh    system_r sysadm_r staff_r
> staff_u         staff      s0             SystemLow-SystemHigh    sysadm_r staff_r
> sysadm_u        sysadm     s0             SystemLow-SystemHigh    sysadm_r
> system_u        user       s0             SystemLow-SystemHigh    system_r
> user_u          user       s0             s0                      user_r
>
> My setrans.conf file contains:
>
> s0:c0=Public
> s0:c1=Confidential
> s0:c2=Secret
> s0:c3=TopSecret
>
> Any idea?
>
> Apart from that, setting a category on a non-existing file leads to a segmentation fault:
>
> # chcat -- +Public doesnotexist.txt
> Segmentation fault

libselinux python binding has a bug. Fixed in libselinux-1.33.4-3.el5, libselinux-1.34.0-3.fc7

> Thanks for your help,
> Ben
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
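The error quoted in this exchange comes from libsemanage's validation of the login-to-SELinux-user mapping: a login's MLS range must lie inside the range of the SELinux user it maps to, so giving foo the range s0-s0:c0 while user_u is restricted to s0 is rejected. The following Python models that containment check on the `semanage` output above. It is an added example, not code from the thread, from libsemanage or from policycoreutils; it assumes the SystemLow and SystemHigh aliases of the stock Fedora MCS setrans.conf (s0 and s0:c0.c1023), and the login table is constructed with foo's range set to what `chcat -l -- +Public foo` tried to store.

```python
"""Model of the seuser range check that libsemanage applies.

Added illustration; this is not libsemanage or policycoreutils code,
it only mirrors the rule those tools enforce.

A login -> SELinux user mapping is valid only when the login's MLS
range lies inside the SELinux user's range: the login's low level must
dominate the user's low level, and the user's high level must dominate
the login's high level.  A level dominates another when its
sensitivity is at least as high and its category set is a superset.
"""
import re

# Assumption: the two aliases from the stock Fedora MCS setrans.conf.
# The thread's setrans.conf adds Public..TopSecret for c0..c3 but does
# not redefine these.
ALIASES = {"SystemLow": "s0", "SystemHigh": "s0:c0.c1023"}


def parse_level(level):
    """'s0:c0.c2,c5' -> (0, frozenset({0, 1, 2, 5}))."""
    level = ALIASES.get(level, level)
    m = re.fullmatch(r"s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?", level)
    if not m:
        raise ValueError("malformed MLS level: %r" % level)
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        if "." in part:                      # cN.cM is an inclusive run
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return int(m.group(1)), frozenset(cats)


def parse_range(rng):
    """'s0-s0:c0' -> (low, high); a lone level such as 's0' is low == high."""
    low, _, high = rng.partition("-")
    low = parse_level(low)
    return low, (parse_level(high) if high else low)


def dominates(a, b):
    """Level a dominates level b: sensitivity >= and categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def range_contains(outer, inner):
    """Range containment as the seuser check applies it."""
    o_low, o_high = parse_range(outer)
    i_low, i_high = parse_range(inner)
    return dominates(i_low, o_low) and dominates(o_high, i_high)


def validate_seusers(logins, users):
    """logins: {login: (seuser, range)}; users: {seuser: range}.
    Returns the mappings that fail the check, worded like the message
    quoted in the thread."""
    errors = []
    for login, (seuser, rng) in logins.items():
        if not range_contains(users[seuser], rng):
            errors.append(
                "MLS range %s for Unix user %s exceeds allowed range %s "
                "for SELinux user %s" % (rng, login, users[seuser], seuser))
    return errors


# Constructed from the thread's `semanage user -l` / `semanage login -l`
# output, with foo's range set to what `chcat -l -- +Public foo` tried
# to store.
USERS = {
    "root": "SystemLow-SystemHigh",
    "staff_u": "SystemLow-SystemHigh",
    "sysadm_u": "SystemLow-SystemHigh",
    "system_u": "SystemLow-SystemHigh",
    "user_u": "s0",
}
LOGINS = {
    "__default__": ("user_u", "s0"),
    "foo": ("user_u", "s0-s0:c0"),
    "root": ("root", "SystemLow-SystemHigh"),
    "system_u": ("system_u", "SystemLow-SystemHigh"),
}

if __name__ == "__main__":
    for err in validate_seusers(LOGINS, USERS):
        print(err)
    # The same mapping is accepted once user_u's range covers the category.
    print(range_contains("s0-s0:c0.c1023", "s0-s0:c0"))
```

Only the foo mapping fails, and the failure is the containment rule, not the category name: the same s0-s0:c0 range is accepted under root or staff_u, whose range is SystemLow-SystemHigh. On a real system the corresponding remedies are to widen the SELinux user's range (for example `semanage user -m -r s0-s0:c0.c1023 user_u`) or to map the login to a SELinux user whose range already covers the categories, before running chcat.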
>> # chcat -l -- +Public foo
>> libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user foo exceeds allowed range s0 for SELinux user user_u
>> libsemanage.validate_handler: seuser mapping [foo -> (user_u, s0-s0:c0)] is invalid
>> libsemanage.dbase_llist_iterate: could not iterate over records
>
> Looks like a bug. Does
>
>     chcon -l -- +s0:c0 foo
>
> work?

No, that does not work either.
However, I have applied the patch you sent to the list (policycoreutils-chcat.patch). I do not get the error anymore, but it _seems_ that the categories are not assigned to the user:

# chcat -l +Public foo
# chcat -L -l foo
foo: s0
Ben