* strange semanage user|login errors
From: Sebastian Pfaff @ 2009-04-11 15:02 UTC
To: selinux
hello,
i want to change categories which i have enabled with
"semanage user -a -r 's0-s0:c0.c100' user_u" of user_u - but i can't:
========================================================================
[root@SecLab home]# semanage user -m -r 's0-s0:c0.c1023' user_u
libsemanage.validate_handler: MLS range s0 for Unix user user exceeds
allowed range s0:c0.c100 for SELinux user user_u (No such file or
directory).
libsemanage.validate_handler: seuser mapping [user -> (user_u, s0)] is
invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No
such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I also can't remove login of user and user2:
============================================
1 [root@SecLab home]# semanage login -d -s user_u user
2 libsemanage.validate_handler: MLS range s0 for Unix user user2
exceeds allowed range s0:c0.c100 for SELinux user user_u (No such file
or directory).
3 libsemanage.validate_handler: seuser mapping [user2 -> (user_u, s0)]
is invalid (No such file or directory).
4 libsemanage.dbase_llist_iterate: could not iterate over records (No
such file or directory).
5 /usr/sbin/semanage: Could not commit semanage transaction
1 [root@SecLab home]# semanage login -d -s user_u user2
2 libsemanage.validate_handler: MLS range s0 for Unix user user
exceeds allowed range s0:c0.c100 for SELinux user user_u (No such file
or directory).
3 libsemanage.validate_handler: seuser mapping [user -> (user_u, s0)]
is invalid (No such file or directory).
4 libsemanage.dbase_llist_iterate: could not iterate over records (No
such file or directory).
5 /usr/sbin/semanage: Could not commit semanage transaction
Interesting here is seuser mapping part (see line 3). When i try to
delete user semanage says that mapping user_2_ is invalid and when i
try to delete user_2_ semanage says that mapping user is invalid.
Even when i try to modify range of staff_u i get this error:
============================================================
[root@SecLab home]# semanage user -m -r 's0-s0:c0.c300' staff_u
libsemanage.validate_handler: MLS range s0 for Unix user user exceeds
allowed range s0:c0.c100 for SELinux user user_u (No such file or
directory).
libsemanage.validate_handler: seuser mapping [user -> (user_u, s0)] is
invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No
such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I have tried many combinations of semanage {login|user} with "nearly"
all possible combinations of options, but i always get these error(s).
i have problems to interpret the error message adequately.
Especially the part "(No such file or directory)" isn't clear to me.
The linux users user and user2 are already removed with userdel -r
user and userdel -r user2.
Maybe i should mention that it isn't possible to add a new linux user
which is associated with user_u:
========================================================================
[root@SecLab home]# useradd -Z user_u user3
libsemanage.validate_handler: MLS range s0 for Unix user user exceeds
allowed range s0:c0.c100 for SELinux user user_u (No such file or
directory).
libsemanage.validate_handler: seuser mapping [user -> (user_u, s0)] is
invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No
such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
useradd: warning: the user name user3 to user_u SELinux user mapping
failed.
Last but not least here my (chaotic) login/user mappings:
=========================================================
[root@SecLab home]# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c200    staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r
testuser        user       s0         s0               staff_r unconfined_r
testuser2       user       s0         s0               staff_r
testuser3_u     user       s0         s0               staff_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r webadm_r unconfined_r
user_u          user       s0         s0:c0.c100       user_r
xguest_u        user       s0         s0               xguest_r
[root@SecLab home]# semanage login -l
Login Name      SELinux User    MLS/MCS Range
__default__     unconfined_u    s0
hello           staff_u         s0
root            unconfined_u    s0-s0:c0.c1023
system_u        system_u        s0-s0:c0.c1023
testuser        staff_u         s0
testuser2       testuser2       s0
testuser3       testuser3_u     s0
user            user_u          s0
user2           user_u          s0
BTW: i use F10. If you need further information, please let me know.
Happy Easter.
--
Sebastian Pfaff
PS: I also can't add another selinux user:
======================================
[root@SecLab home]# semanage user -a -R 'staff_r' foo_u
libsemanage.validate_handler: MLS range s0 for Unix user user exceeds
allowed range s0:c0.c100 for SELinux user user_u (No such file or
directory).
libsemanage.validate_handler: seuser mapping [user -> (user_u, s0)] is
invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No
such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: strange semanage user|login errors
From: Sebastian Pfaff @ 2009-04-11 16:44 UTC
To: selinux
I think big parts of my selinux installation are broken, i can't do
any management task:
[root@SecLab selinux_fcontext]# semodule -i *pp
libsemanage.validate_handler: MLS range s0 for Unix user user exceeds
allowed range s0:c0.c100 for SELinux user user_u (No such file or
directory).
libsemanage.validate_handler: seuser mapping [user -> (user_u, s0)] is
invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No
such file or directory).
semodule: Failed
tnx in advance
--
Sebastian Pfaff
* Re: strange semanage user|login errors
From: Daniel J Walsh @ 2009-04-13 11:34 UTC
To: Sebastian Pfaff; +Cc: selinux
On 04/11/2009 12:44 PM, Sebastian Pfaff wrote:
> I think big parts of my selinux installation are broken, i can't do
> any management task:
>
> [root@SecLab selinux_fcontext]# semodule -i *pp
> libsemanage.validate_handler: MLS range s0 for Unix user user exceeds
> allowed range s0:c0.c100 for SELinux user user_u (No such file or
> directory).
> libsemanage.validate_handler: seuser mapping [user -> (user_u, s0)] is
> invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No
> such file or directory).
> semodule: Failed
>
> tnx in advance
>
> --
> Sebastian Pfaff
You have set up an SELinux user_u record with a range of one category
s0:c0.c100, and then are trying to add Linux login users to this user
with a different category s0.
semanage user -l | grep user_u
If you want to change the list of categories available to user_u you
would execute
semanage user -m -r s0-s0:c0.c100 user_u
Which would allow you to add Linux users with any range of categories
from s0 to s0:c0.c100.
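Added example (not part of the thread, and not libsemanage's code): a simplified Python model of the range check behind the validate_handler errors, run over the "semanage user -l" and "semanage login -l" listings posted above. The function names are illustrative, and the MLS dominance rule used here is assumed to match what libsemanage enforces.

```python
# Added example: simplified model of the MLS range containment check.
# Ranges are transcribed from the listings posted in the thread.

def parse_level(text):
    """'s0:c0.c3,c7' -> (0, frozenset({0, 1, 2, 3, 7}))"""
    sens, _, cats = text.partition(":")
    members = set()
    for part in filter(None, cats.split(",")):
        first, _, last = part.partition(".")      # 'c0.c100' is an inclusive run
        lo = int(first[1:])
        hi = int(last[1:]) if last else lo
        members.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(members)

def parse_range(text):
    """'low-high' -> (low, high); a single level is both low and high."""
    low, _, high = text.partition("-")
    low_level = parse_level(low)
    high_level = parse_level(high) if high else low_level
    return low_level, high_level

def dominates(a, b):
    """Level a dominates b: sensitivity >= and category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def range_contains(outer, inner):
    """True if the login range 'inner' lies within the SELinux user range 'outer'."""
    (olo, ohi), (ilo, ihi) = parse_range(outer), parse_range(inner)
    return dominates(ilo, olo) and dominates(ohi, ihi)

def invalid_mappings(selinux_users, logins):
    """Login mappings whose range is not within their SELinux user's range."""
    return [(login, seuser, rng) for login, (seuser, rng) in logins.items()
            if not range_contains(selinux_users[seuser], rng)]

SELINUX_USERS = {  # SELinux user -> MCS range (semanage user -l)
    "root": "s0-s0:c0.c1023", "staff_u": "s0-s0:c0.c200",
    "system_u": "s0-s0:c0.c1023", "testuser2": "s0", "testuser3_u": "s0",
    "unconfined_u": "s0-s0:c0.c1023", "user_u": "s0:c0.c100",
}
LOGINS = {  # login -> (SELinux user, range) (semanage login -l)
    "__default__": ("unconfined_u", "s0"), "hello": ("staff_u", "s0"),
    "root": ("unconfined_u", "s0-s0:c0.c1023"),
    "system_u": ("system_u", "s0-s0:c0.c1023"), "testuser": ("staff_u", "s0"),
    "testuser2": ("testuser2", "s0"), "testuser3": ("testuser3_u", "s0"),
    "user": ("user_u", "s0"), "user2": ("user_u", "s0"),
}

if __name__ == "__main__":
    for login, seuser, rng in invalid_mappings(SELINUX_USERS, LOGINS):
        print(f"{login} -> ({seuser}, {rng}) is outside {SELINUX_USERS[seuser]}")
```

In this model only the two user_u mappings fail, because user_u's range is the single level s0:c0.c100 and s0 does not dominate it; with user_u set to s0-s0:c0.c100 both pass.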