redefining the number of sensitivities and reconfiguring users and login

Clarkson, Mike R (US SSA) mike.clarkson at baesystems.com
Thu May 24 00:29:38 UTC 2007


I'm trying to reduce the number of sensitivities from 16 to 5 (s0 - s4)

Looks like I can redefine the number of sensitivities in the build.conf
file and Makefile file and then use "make load" to make the change take
effect. Is that correct?

I assume that I'll need to use fixfiles to relabel any files that have
contexts with sensitivity levels greater than s4. Is that correct?

Before reducing the number of sensitivities, I wanted to reconfigure the
users and login using semanage. I've defined SystemHigh to be s4:c0.c255
in the setrans.conf file. This is what "semanage user -l" returns:

# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range              SELinux Roles

m2_u            user       SystemLow  SystemLow-s15:c0.c255  system_r user_r
root            user       SystemLow  SystemLow-s15:c0.c255  system_r sysadm_r user_r
system_u        user       SystemLow  SystemLow-s15:c0.c255  system_r
user_u          user       SystemLow  SystemLow-s15:c0.c255  system_r user_r

I can change both the m2_u and user_u users to have a range of
SystemLow-SystemHigh, but only in permissive mode. If in enforcing mode,
I get the following error:

# semanage user -m -r SystemLow-SystemHigh user_u
libsepol.mls_from_string: invalid MLS context SystemLow-SystemHigh
libsepol.mls_from_string: could not construct mls context structure
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy
/usr/sbin/semanage: Could not modify SELinux user user_u

Even in permissive mode I can not change the root or system_u users. In
permissive mode I get the following error message:

# semanage user -m -r SystemLow-SystemHigh system_u
libsepol.context_read_and_validate: invalid security context
libsepol.policydb_from_image: policy image is invalid
/usr/sbin/load_policy:  Can't load policy:  Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/semanage: Could not modify SELinux user system_u

"policy image is invalid" sounds particularly bad

I'm running as Linux user root and SELinux user root. Here is an output
of id:

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),101(pkcs11) context=root:system_r:unconfined_t:SystemLow-s15:c0.c255

Can anyone help with what I need to do?

Thanks
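Added example (not from the original post, and not SELinux project code): before rebuilding the policy with only s0-s4, it helps to know which files currently carry a label whose sensitivity, at either end of its range, would no longer exist. The POSIX shell check below reads lines in the shape of `ls -Z` output ("context path"), maps the names SystemLow and SystemHigh back to the raw levels the post defines in setrans.conf (SystemLow=s0, SystemHigh=s4:c0.c255, both assumed here), and prints the paths that exceed the new maximum. The file listing is constructed for the example; the mapping and the maximum of s4 are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: list the files whose current
# label carries a sensitivity above the new maximum (s4), so that they can be
# relabelled before the policy is reduced to s0-s4.
# Assumptions: SystemLow=s0 and SystemHigh=s4:c0.c255 (the post's setrans.conf
# definitions) and a new highest sensitivity of s4.

MAX_SENS=4

# Map the setrans.conf names back to raw levels so that translated and raw
# contexts can be compared the same way.
untranslate() {
    sed -e 's/SystemLow/s0/g' -e 's/SystemHigh/s4:c0.c255/g'
}

# Read "context path" lines (the shape of `ls -Z` output) on stdin and print
# the paths whose sensitivity exceeds $1 at either end of the MLS range.
over_max() {
    untranslate | awk -v max="$1" '
    NF >= 2 {
        ctx = $1; path = $2
        lvl = ctx
        sub(/^[^:]*:[^:]*:[^:]*:/, "", lvl)   # drop user:role:type:, keep the MLS part
        n = split(lvl, ends, "-")              # "low" or "low-high"
        bad = 0
        for (i = 1; i <= n; i++) {
            s = ends[i]
            sub(/:.*/, "", s)                  # drop the category set, keep "sN"
            sub(/^s/, "", s)                   # keep just the number
            if (s + 0 > max) bad = 1
        }
        if (bad) print path
    }'
}

# Constructed sample standing in for `find / -xdev -exec ls -dZ {} +`;
# the paths and labels are made up for this example.
SAMPLE='system_u:object_r:etc_t:s0 /etc/passwd
root:object_r:user_home_t:SystemLow-SystemHigh /home/m2/notes
system_u:object_r:var_t:s7:c0.c255 /var/high
user_u:object_r:user_home_t:s0-s15:c0.c255 /home/user/old
system_u:object_r:bin_t:s0-s4:c0.c255 /usr/bin/ok'

# Run the check over the sample; prints the offending paths, one per line.
find_over_max() {
    printf '%s\n' "$SAMPLE" | over_max "$MAX_SENS"
}

find_over_max
```

On a real system, replace the constructed sample with `find / -xdev -exec ls -dZ {} + | over_max 4`; the files it lists are the ones whose contexts need a new level (by hand or through fixfiles) before the s0-s4 policy is loaded, since a context naming s5 or above would no longer be valid under it.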

More information about the fedora-selinux-list mailing list