From: Tracy Reed <treed@ultraviolet.org>
To: Tracy Reed <treed@ultraviolet.org>
Cc: selinux@tycho.nsa.gov
Subject: Re: MCS error
Date: Thu, 19 Feb 2015 18:02:13 -0800
Message-ID: <20150220020213.GG12937@tracyreed.org>
In-Reply-To: <20150220003425.GF12937@tracyreed.org>
On Thu, Feb 19, 2015 at 04:34:25PM PST, Tracy Reed spake thusly:
> # semanage login -l
Ok, part of my confusion here is that I've been confusing semanage login with
semanage user. It's been a while since I've dealt with SELinux. I understand
that semanage login -l shows what Linux users map to what selinux users:
> Login Name     SELinux User    MLS/MCS Range
>
> __default__    unconfined_u    SystemLow-SystemHigh
> p16001         p16001_u        p16001
> p16002         appuser_u       s0:c1.c499-s0:c2
> p16003         appuser_u       s0:c1.c499-s0:c3
> p16004         unconfined_u    s0-s0:c0.c1023,c4
> p16005         unconfined_u    s0-s0:c0.c1023,c4,c5
> p16006         unconfined_u    s0-s0:c0.c1023,c6
> p16007         unconfined_u    s0-s0:c0.c1023,c7
> p16008         unconfined_u    s0-s0:c0.c1023,c8
> p16009         unconfined_u    s0-s0:c0.c1023,c9
> root           unconfined_u    SystemLow-SystemHigh
> system_u       system_u        SystemLow-SystemHigh
So we are mapping p16002 to appuser_u, but appuser_u doesn't exist at the
moment. But what's with the MLS/MCS range column? Is this saying p16002 has
categories s0:c1.c499-s0:c2, or is it saying appuser_u (the selinux user) has
categories s0:c1.c499-s0:c2? Given that the selinux user is the same but the
categories listed are different for Linux login users p16002 and p16003, I would
think it is saying those categories go with those Linux login users.
How/why is it different from the output of semanage user -l?
# semanage user -l
                  Labeling   MLS/        MLS/
SELinux User      Prefix     MCS Level   MCS Range              SELinux Roles
git_shell_u       user       SystemLow   SystemLow              git_shell_r
guest_u           user       SystemLow   SystemLow              guest_r
p16001_u          user       SystemLow   p16001                 user_r
p16002_u          user       SystemLow   p16002                 user_r
root              user       SystemLow   SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
staff_u           user       SystemLow   SystemLow-SystemHigh   staff_r sysadm_r system_r unconfined_r
sysadm_u          user       SystemLow   SystemLow-SystemHigh   sysadm_r
system_u          user       SystemLow   SystemLow-SystemHigh   system_r unconfined_r
unconfined_u      user       SystemLow   SystemLow-SystemHigh   system_r unconfined_r
user_u            user       SystemLow   SystemLow-SystemHigh   user_r
xguest_u          user       SystemLow   SystemLow              xguest_r
Here there are no Linux users involved, only selinux users it seems, which is
fine. But it shows p16001_u with range p16001 and p16002_u with p16002.
And that is different yet with respect to the output of the chcat command:
# chcat -L -l p16001 p16002
p16001: s0:c0.c1023
p16002: s0:c0.c1023
This says p16001 and p16002 have access to all categories.
So...who is right?
Also, I'm still trying to figure out how to dig myself out of this hole:
# semanage user -a -R user_r appuser_u
libsemanage.validate_handler: selinux user appuser_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [p16002 -> (appuser_u, s0:c1.c499-s0:c2)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
This would seem to be a paradox or chicken and egg problem.
Ideas? Thanks! :)
--
Tracy Reed
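A way to line up the two listings in the message above and see where the login-to-user mappings and the commit validation disagree is to cross-check them in a script. The following is an added example, not part of this message and not semanage's own code: it transcribes the `semanage login -l` and `semanage user -l` tables as constructed data, assumes the stock setrans.conf names (SystemLow = s0, SystemHigh = s0:c0.c1023, an assumption about this system), and for every login reports whether the mapped SELinux user exists, whether the range's high level dominates its low level, and whether the login's range fits inside the SELinux user's range. That last containment rule is assumed here as the check worth making; the message itself does not state it. The `p16001` range name is a local alias whose raw value is not in the message, so the checker reports it as unresolved rather than guessing.

```python
import re

# Stock setrans.conf names on a targeted policy (assumption for this example;
# any other alias, e.g. "p16001", is left unresolved on purpose).
TRANSLATIONS = {"SystemLow": "s0", "SystemHigh": "s0:c0.c1023"}

# Constructed sample transcribed from the message's listings.
# semanage login -l  ->  login name: (SELinux user, MLS/MCS range)
LOGINS = {
    "__default__": ("unconfined_u", "SystemLow-SystemHigh"),
    "p16001": ("p16001_u", "p16001"),
    "p16002": ("appuser_u", "s0:c1.c499-s0:c2"),
    "p16003": ("appuser_u", "s0:c1.c499-s0:c3"),
    "p16004": ("unconfined_u", "s0-s0:c0.c1023,c4"),
    "root": ("unconfined_u", "SystemLow-SystemHigh"),
}
# semanage user -l  ->  SELinux user: MLS/MCS range (appuser_u is absent, as in the message)
USERS = {
    "p16001_u": "p16001",
    "unconfined_u": "SystemLow-SystemHigh",
    "user_u": "SystemLow-SystemHigh",
    "guest_u": "SystemLow",
}


def parse_level(text):
    """'s0:c0.c1023,c4' -> (sensitivity, frozenset of category numbers)."""
    text = TRANSLATIONS.get(text, text)
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text)
    if not m:
        raise ValueError(f"unresolved level name {text!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        if "." in part:  # cN.cM is an inclusive run of categories
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return int(m.group(1)), frozenset(cats)


def parse_range(text):
    """'low-high' or a single level -> (low, high); a lone level is low == high."""
    parts = TRANSLATIONS.get(text, text).split("-")
    if len(parts) > 2:
        raise ValueError(f"malformed range {text!r}")
    return parse_level(parts[0]), parse_level(parts[-1])


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def check_mappings(logins, users):
    """Return {login: [findings]} for every login mapping with a problem."""
    report = {}
    for login, (seuser, rng) in logins.items():
        findings = []
        login_range = None
        try:
            login_range = parse_range(rng)
        except ValueError as exc:
            findings.append(f"login range: {exc}")
        if login_range and not dominates(login_range[1], login_range[0]):
            findings.append(f"range {rng}: high level does not dominate low level")
        if seuser not in users:
            findings.append(f"selinux user {seuser} does not exist")
        elif login_range:
            try:
                user_low, user_high = parse_range(users[seuser])
            except ValueError as exc:
                findings.append(f"user range: {exc}")
            else:
                inside = dominates(login_range[0], user_low) and dominates(user_high, login_range[1])
                if not inside:
                    findings.append(f"range {rng} is not within {seuser}'s range {users[seuser]}")
        if findings:
            report[login] = findings
    return report


if __name__ == "__main__":
    for login, findings in check_mappings(LOGINS, USERS).items():
        for finding in findings:
            print(f"{login}: {finding}")
```

Run as-is it flags p16002 and p16003 twice (the SELinux user they map to is not defined, and a low level of c1.c499 is not dominated by a high level of c2), leaves root, __default__ and p16004 clean, and reports p16001 as unresolved because its range is a local alias. Pointing the same checks at real `semanage login -l` / `semanage user -l` output, with the host's own setrans.conf names in TRANSLATIONS, gives a quick way to find mappings that a later `semanage` commit will refuse to validate.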