[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: chcat problem

From: Daniel J Walsh <dwalsh redhat com>
To: pandalists free fr
Cc: fedora-selinux-list redhat com
Subject: Re: chcat problem
Date: Wed, 24 Jan 2007 12:23:32 -0500

pandalists free fr wrote:

Hi,

I am currently trying teach myself SELinux on a Fedora FC6 box (VMware),
configured with the strict policy running in permissive mode.

I followed the instructions provided on
http://james-morris.livejournal.com/8228.html to play with MCS functions, but I
get an error when I try to assign a category "Public" to an unprivileged user
"foo" with the chcat command (as root, with sysadm role)

-----------------------------------------------
# chcat -l -- +Public foo

libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user foo exceeds allow
ed range s0 for SELinux user user_u
libsemanage.validate_handler: seuser mapping [foo -> (user_u, s0-s0:c0)] is inva
lid
libsemanage.dbase_llist_iterate: could not iterate over records
-----------------------------------------------

Looks like a bug.   Does

chcon -l -- +s0:c0 foo
work?

Other techniques to achieve the same result (e.g. trying to assign this category
with semanage) leads the same error.

-----------------------------------------------
# semanage login -l
__default__               user_u                    s0
foo                       user_u                    s0
root                      root                      SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh

# semanage user -l
root            sysadm     s0         SystemLow-SystemHigh           system_r sy
sadm_r staff_r
staff_u         staff      s0         SystemLow-SystemHigh           sysadm_r st
aff_r
sysadm_u        sysadm     s0         SystemLow-SystemHigh           sysadm_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         s0                             user_r
-----------------------------------------------

My setrans.conf file contains :

s0:c0=Public
s0:c1=Confidential
s0:c2=Secret
s0:c3=TopSecret

Any idea?

Apart from that, setting a category on a non-existing file leads to a

segmentation fault :
# chcat -- +Public doesnotexist.txt
Segmentation fault

libselinux python binding has a bug. Fixed in libselinux-1.33.4-3.el5,libselinux-1.34.0-3.fc7

Thanks for your help,

Ben

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Follow-Ups:
- Re: chcat problem
  - From: pandalists

References:
- chcat problem
  - From: pandalists

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]