
Re: chcat problem



pandalists free fr wrote:
Hi,

I am currently trying to teach myself SELinux on a Fedora FC6 box (VMware),
configured with the strict policy running in permissive mode.

I followed the instructions provided on
http://james-morris.livejournal.com/8228.html to play with MCS functions, but I
get an error when I try to assign a category "Public" to an unprivileged user
"foo" with the chcat command (as root, with sysadm role)

-----------------------------------------------
# chcat -l -- +Public foo

libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user foo exceeds allowed range s0 for SELinux user user_u
libsemanage.validate_handler: seuser mapping [foo -> (user_u, s0-s0:c0)] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
-----------------------------------------------

Looks like a bug. Does

chcon -l -- +s0:c0 foo

work?

Other techniques to achieve the same result (e.g. trying to assign this category
with semanage) lead to the same error.

-----------------------------------------------
# semanage login -l
__default__               user_u                    s0
foo                       user_u                    s0
root                      root                      SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh

# semanage user -l
root            sysadm     s0         SystemLow-SystemHigh           system_r sysadm_r staff_r
staff_u         staff      s0         SystemLow-SystemHigh           sysadm_r staff_r
sysadm_u        sysadm     s0         SystemLow-SystemHigh           sysadm_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         s0                             user_r
-----------------------------------------------

My setrans.conf file contains:

s0:c0=Public
s0:c1=Confidential
s0:c2=Secret
s0:c3=TopSecret

Any idea?

Apart from that, setting a category on a non-existing file leads to a
segmentation fault:
# chcat -- +Public doesnotexist.txt
Segmentation fault

libselinux python binding has a bug. Fixed in libselinux-1.33.4-3.el5, libselinux-1.34.0-3.fc7

Thanks for your help,

Ben

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
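
The libsemanage message quoted in this thread reports a range-containment failure: the login mapping range s0-s0:c0 is compared against the range s0 that `semanage user -l` lists for user_u. The following is an added example, not code from the thread or from libsemanage; it is a simplified Python model of that comparison, and the function names and the wider range used in the last line are assumptions for illustration.

```python
import re

# Constructed from the thread: setrans.conf labels and the user_u row of `semanage user -l`.
SETRANS = {"Public": "s0:c0", "Confidential": "s0:c1",
           "Secret": "s0:c2", "TopSecret": "s0:c3"}
SELINUX_USER_RANGE = {"user_u": "s0"}

def parse_level(level):
    """Parse 's0:c0,c2.c4' (or a setrans label) into (sensitivity, categories)."""
    level = SETRANS.get(level, level)
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"unknown level: {level!r}")
    found = set()
    for part in filter(None, cats.split(",")):
        c = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not c:
            raise ValueError(f"bad category: {part!r}")
        lo, hi = int(c[1]), int(c[2] or c[1])
        if hi < lo:
            raise ValueError(f"reversed category span: {part!r}")
        found.update(range(lo, hi + 1))
    return int(m[1]), frozenset(found)

def parse_range(rng):
    """'low-high' gives two levels; a single level is a range with low == high."""
    low, sep, high = rng.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if sep else low_level)

def dominates(a, b):
    """a dominates b: sensitivity at least as high and categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def within(inner, outer):
    """True if range `inner` is well formed and lies inside range `outer`."""
    (il, ih), (ol, oh) = parse_range(inner), parse_range(outer)
    return dominates(ih, il) and dominates(il, ol) and dominates(oh, ih)

def check_login_mapping(selinux_user, login_range, user_ranges=SELINUX_USER_RANGE):
    """Model of the check named in the error: login range vs. SELinux user range."""
    return within(login_range, user_ranges[selinux_user])

if __name__ == "__main__":
    print(check_login_mapping("user_u", "s0-s0:c0"))   # mapping chcat tried to create
    print(check_login_mapping("user_u", "s0"))         # mapping currently listed for foo
    # Hypothetical wider range for user_u, not taken from the thread:
    print(check_login_mapping("user_u", "s0-Public", {"user_u": "s0-s0:c0.c3"}))
```
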

