From: Stephen Smalley <sds@tycho.nsa.gov>
To: Tracy Reed <treed@ultraviolet.org>, selinux@tycho.nsa.gov
Subject: Re: MCS error
Date: Thu, 19 Feb 2015 08:23:16 -0500
Message-ID: <54E5E3C4.40904@tycho.nsa.gov>
In-Reply-To: <20150219014803.GB12937@tracyreed.org>

On 02/18/2015 08:48 PM, Tracy Reed wrote:
> Hello all,
> 
> I am implementing Multi-Category Security for a client to contain various
> different instances of their web application which all run on the same box.
> This sort of multi-tenant operation seems like a perfect fit for MCS.
> 
> I am using the following guide as a basis for getting started:
> 
> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html
> 
> However, I am actually running CentOS 6. I can't seem to find a CentOS 6
> version of this guide.
> 
> When I try to add the category to the user I get this error:
> 
> [mcstest:/root]# chcat -l -- +user1 user1
> libsemanage.validate_handler: MLS range s0-s0:c1 for Unix user user1 exceeds allowed range s0 for SELinux user user_u (No such file or directory).
> libsemanage.validate_handler: seuser mapping [user1 -> (user_u, s0-s0:c1)] is invalid (No such file or directory).
> libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> /usr/sbin/semanage: Could not commit semanage transaction
> 
> Here's some relevant config info:
> 
> [mcstest:/root]# chcat -L 
> s0:c1                          user1
> s0:c2                          user2
> s0:c3                          user3
> s0                             SystemLow
> s0-s0:c0.c1023                 SystemLow-SystemHigh
> s0:c0.c1023                    SystemHigh
> 
> 
> [mcstest:/root]# semanage user -l 
> 
> Labeling   MLS/       MLS/                          
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> 
> git_shell_u     user       SystemLow  SystemLow                      git_shell_r
> guest_u         user       SystemLow  SystemLow                      guest_r
> root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
> system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> user_u          user       SystemLow  SystemLow                      user_r
> xguest_u        user       SystemLow  SystemLow                      xguest_r
> 
> I notice that the MCS Range for user_u is only SystemLow. In the documentation
> referenced above the output of this command shows user_u as:
> 
> user_u                  user           s0                      s0-s0:c0.c1023    system_r sysadm_r user_r
> 
> so the MCS range is s0-s0:c0.c1023. This seems to be what is missing in my
> setup. But I don't understand how to allow that MCS Range for user_u.
> 
> Any pointers are greatly appreciated. Thanks!

 semanage user -m -r s0-s0:c0.c1023 user_u
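The check that libsemanage applied above, reconstructed as an added example (this is not libsemanage's code and not part of the thread): it parses MLS/MCS levels and ranges, tests whether the range requested for a Linux user lies within its SELinux user's allowed range, and reports the same kind of mismatch the chcat run hit. The SELinux user table and seuser mappings are constructed from the quoted output, not read from a live system.

```python
def parse_level(level):
    """'s0:c0.c1023,c5' -> (0, {0, ..., 1023}); 's0' -> (0, set()).
    Sensitivity is the numeric index; with MCS only s0 is used."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")            # 'c0.c1023' is an inclusive span
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), categories

def parse_range(rng):
    """'s0-s0:c1' -> ((0, set()), (0, {1})); a bare level 's0' means low == high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """Level a dominates level b: sensitivity >= and categories a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def range_within(inner, outer):
    """inner's low may not fall below outer's low, nor inner's high exceed outer's high."""
    return dominates(inner[0], outer[0]) and dominates(outer[1], inner[1])

def validate_mappings(seusers, selinux_users):
    """Return (linux_user, seuser, requested, allowed) for each mapping that exceeds
    the SELinux user's range; an empty list means semanage would accept them all."""
    bad = []
    for linux_user, (seuser, rng) in seusers.items():
        allowed = selinux_users[seuser]
        if not range_within(parse_range(rng), parse_range(allowed)):
            bad.append((linux_user, seuser, rng, allowed))
    return bad

# Constructed from the chcat -L / semanage user -l output quoted above
# (SystemLow = s0, SystemHigh = s0:c0.c1023); not live system data.
SELINUX_USERS = {"user_u": "s0", "staff_u": "s0-s0:c0.c1023"}
SEUSERS = {"user1": ("user_u", "s0-s0:c1"), "ops": ("staff_u", "s0-s0:c5.c7")}

if __name__ == "__main__":
    for lu, su, rng, allowed in validate_mappings(SEUSERS, SELINUX_USERS):
        print("MLS range %s for Unix user %s exceeds allowed range %s for SELinux user %s"
              % (rng, lu, allowed, su))
    # Widening user_u as the reply does (semanage user -m -r s0-s0:c0.c1023 user_u):
    print(validate_mappings(SEUSERS, dict(SELINUX_USERS, user_u="s0-s0:c0.c1023")))
```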
