From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: selinux mls/mcs rang modify
Date: Fri, 14 Aug 2015 10:22:57 +0200 [thread overview]
Message-ID: <20150814082256.GA26540@x250> (raw)
In-Reply-To: <BLU436-SMTP8926E1E94C430CC9C28B0F9D7C0@phx.gbl>
On Fri, Aug 14, 2015 at 02:45:05PM +0800, rowan wrote:
> Dear all,
>
> When doing a test, I used semanage to change the mls/mcs range of selinux
> user 'system_u' from 's0-s0:c0.c1023' to 's0-s0:c0.c1020'; cmd as below:
>
> 'semanage user -m -r s0-s0:c0.c1020 system_u'
>
> How do I change it back?
I think I know what you are getting at here. Libsemanage does not do a good job with validation.

You could try to remove or change any login mappings of system_u that authorize use of categories that exceed the range associated with the system_u user mapping first, or change that range so that it is equal to or falls within the range of the system_u user mapping.

What I think happened is that libsemanage allowed you to change the range associated with the system_u id, even though there is a login mapping in place that associates one or more linux uids with system_u and a range that exceeds the range that is associated with system_u.

libsemanage shouldn't have let you do that in the first place. It should have said instead: "Hey! I noticed you are trying to change the level range associated with system_u, but there currently is a login mapping in place that associates system_u, and a range that exceeds that of system_u, with a linux id. I can't do that!"

Now when you try to change the range associated with system_u back to the old state, libsemanage won't allow you to because there is a login mapping of system_u with a range that exceeds the current range.

So if this is at all possible without manually editing /etc/selinux/*/seusers(.local)?, then try and use semanage to make the range of any login mapping that applies to system_u equal to or less than the range associated with the system_u id.

I hope this makes sense; I realise that it is kind of confusing.
>
> Thanks
>
> rowan
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
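A containment check for the situation Dominick describes, added here as an example that is not from the thread or from libsemanage: it reads constructed tables in the shape of `semanage user -l` and `semanage login -l` output (the login names and the USERS/LOGINS tables are made up), flags any login mapping whose range exceeds that of its SELinux user, and prints the `semanage login -m` command that would bring it back into range. It assumes the simple range syntax used in the thread, a single contiguous category span such as s0-s0:c0.c1020, and would need a fuller MLS parser for comma-separated category sets.

```shell
#!/bin/sh
# Added example (not from the thread or libsemanage): report login mappings whose
# MLS/MCS range is not contained in the range of the SELinux user they map to.
# Assumes the simple range syntax used in the thread: s<N>[-s<M>][:c<a>.c<b>].

# Constructed sample tables in the shape of 'semanage user -l' / 'semanage login -l'
# (only the columns used here: "<seuser> <range>" and "<login> <seuser> <range>").
USERS="system_u s0-s0:c0.c1020
unconfined_u s0-s0:c0.c1023"
LOGINS="__default__ unconfined_u s0-s0:c0.c1023
svc system_u s0-s0:c0.c1023"

# high_sens RANGE -> sensitivity number of the high level (s0-s2:c0.c5 -> 2)
high_sens() { high=${1##*-}; high=${high%%:*}; echo "${high#s}"; }

# high_cat RANGE -> highest category number of the high level, -1 if none
high_cat() {
    high=${1##*-}
    case $high in
        *:*) cats=${high#*:}; cats=${cats##*.}; echo "${cats#c}" ;;
        *)   echo -1 ;;
    esac
}

# range_within INNER OUTER -> true if INNER's high level does not exceed OUTER's
range_within() {
    [ -n "$2" ] && [ "$(high_sens "$1")" -le "$(high_sens "$2")" ] &&
    [ "$(high_cat "$1")" -le "$(high_cat "$2")" ]
}

# check_mappings USERS LOGINS -> 0 if every login range fits its SELinux user,
# else 1, printing the semanage command that would bring each mapping into range
check_mappings() {
    bad=0
    while read -r login seuser lrange; do
        [ -z "$login" ] && continue
        urange=$(printf '%s\n' "$1" | awk -v n="$seuser" '$1 == n { print $2 }')
        if ! range_within "$lrange" "$urange"; then
            bad=1
            echo "login '$login' -> $seuser: $lrange exceeds ${urange:-<unknown user>}"
            [ -n "$urange" ] && echo "  fix: semanage login -m -s $seuser -r $urange $login"
        fi
    done <<EOF
$2
EOF
    return $bad
}

check_mappings "$USERS" "$LOGINS" || echo "at least one login mapping needs fixing"
```

On a real host the two tables would come from `semanage user -l` and `semanage login -l`; the script only prints the corrective command rather than running it.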