chcat problem

Daniel J Walsh dwalsh at redhat.com
Wed Jan 24 17:23:32 UTC 2007


pandalists at free.fr wrote:
> Hi,
>
> I am currently trying to teach myself SELinux on a Fedora FC6 box (VMware),
> configured with the strict policy running in permissive mode.
>
> I followed the instructions provided on
> http://james-morris.livejournal.com/8228.html to play with MCS functions, but I
> get an error when I try to assign a category "Public" to an unprivileged user
> "foo" with the chcat command (as root, with sysadm role)
>
> -----------------------------------------------
> # chcat -l -- +Public foo
>
> libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user foo exceeds allowed range s0 for SELinux user user_u
> libsemanage.validate_handler: seuser mapping [foo -> (user_u, s0-s0:c0)] is invalid
> libsemanage.dbase_llist_iterate: could not iterate over records
> -----------------------------------------------
>
>   
Looks like a bug.   Does

chcon -l -- +s0:c0 foo
work?
> Other techniques to achieve the same result (e.g. trying to assign this category
> with semanage) lead to the same error.
>
> -----------------------------------------------
> # semanage login -l
> __default__               user_u                    s0
> foo                       user_u                    s0
> root                      root                      SystemLow-SystemHigh
> system_u                  system_u                  SystemLow-SystemHigh
>
> # semanage user -l
> root            sysadm     s0         SystemLow-SystemHigh           system_r sysadm_r staff_r
> staff_u         staff      s0         SystemLow-SystemHigh           sysadm_r staff_r
> sysadm_u        sysadm     s0         SystemLow-SystemHigh           sysadm_r
> system_u        user       s0         SystemLow-SystemHigh           system_r
> user_u          user       s0         s0                             user_r
> -----------------------------------------------
>
> My setrans.conf file contains:
>
> s0:c0=Public
> s0:c1=Confidential
> s0:c2=Secret
> s0:c3=TopSecret
>
> Any idea?
>
>   
> Apart from that, setting a category on a non-existing file leads to a
> segmentation fault:
> # chcat -- +Public doesnotexist.txt
> Segmentation fault
>
>   
libselinux python binding has a bug.  Fixed in libselinux-1.33.4-3.el5, 
libselinux-1.34.0-3.fc7
> Thanks for your help,
>
> Ben
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
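
A simplified model of the range check reported by the libsemanage error quoted in the message above, run against the `semanage user -l` values from the post. This is an added example, not code from the thread or from libsemanage; the function names and the `SystemHigh` expansion to `s0:c0.c1023` are assumptions.

```python
# Constructed from the post: MLS ranges shown by `semanage user -l`.
# Assumption: SystemLow/SystemHigh expand to the usual MCS defaults.
ALIASES = {"SystemLow": "s0", "SystemHigh": "s0:c0.c1023"}
SELINUX_USER_RANGE = {"user_u": "s0", "staff_u": "SystemLow-SystemHigh"}


def parse_level(level):
    """Parse 's0:c0,c2.c4' into (sensitivity, category set): (0, {0, 2, 3, 4})."""
    level = ALIASES.get(level, level)
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")      # 'c2.c4' is the span c2..c4
        first, last = int(lo[1:]), int((hi or lo)[1:])
        categories.update(range(first, last + 1))
    return int(sens[1:]), categories


def parse_range(rng):
    """Parse 'low-high' (or a single level) into a pair of parsed levels."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(a, b):
    """Level a dominates b: sensitivity is >= and categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def login_range_allowed(login_range, selinux_user):
    """True if the login mapping's range lies inside the SELinux user's range."""
    low, high = parse_range(login_range)
    u_low, u_high = parse_range(SELINUX_USER_RANGE[selinux_user])
    return dominates(high, low) and dominates(low, u_low) and dominates(u_high, high)


if __name__ == "__main__":
    # The mapping chcat tried to write: foo -> (user_u, s0-s0:c0)
    for user in ("user_u", "staff_u"):
        ok = login_range_allowed("s0-s0:c0", user)
        print(f"foo -> ({user}, s0-s0:c0): {'valid' if ok else 'exceeds allowed range'}")
```

With `user_u` limited to `s0`, a mapping that adds category `c0` is rejected, which matches the error text in the post.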



