chcat problem

pandalists at free.fr
Tue Jan 23 17:36:08 UTC 2007


Hi,

I am currently trying to teach myself SELinux on a Fedora FC6 box (VMware),
configured with the strict policy running in permissive mode.

I followed the instructions provided on
http://james-morris.livejournal.com/8228.html to play with MCS functions, but I
get an error when I try to assign a category "Public" to an unprivileged user
"foo" with the chcat command (as root, with the sysadm role):

-----------------------------------------------
# chcat -l -- +Public foo

libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user foo exceeds allowed range s0 for SELinux user user_u
libsemanage.validate_handler: seuser mapping [foo -> (user_u, s0-s0:c0)] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
-----------------------------------------------

Other techniques to achieve the same result (e.g. trying to assign this category
with semanage) lead to the same error.

-----------------------------------------------
# semanage login -l
__default__               user_u                    s0
foo                       user_u                    s0
root                      root                      SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh

# semanage user -l
root            sysadm     s0         SystemLow-SystemHigh           system_r sysadm_r staff_r
staff_u         staff      s0         SystemLow-SystemHigh           sysadm_r staff_r
sysadm_u        sysadm     s0         SystemLow-SystemHigh           sysadm_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         s0                             user_r
-----------------------------------------------

My setrans.conf file contains:
</grreplace>
<gr_replace lines="56-57" cat="clarify" orig="Apart from that">
Apart from that, setting a category on a non-existing file leads to a
segmentation fault:

s0:c0=Public
s0:c1=Confidential
s0:c2=Secret
s0:c3=TopSecret

Any idea?

Apart from that, setting a category on a non-existing file leads to a
segmentation fault :
# chcat -- +Public doesnotexist.txt
Segmentation fault

Thanks for your help,

Ben
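An added example, not part of Ben's post and not libsemanage's own code, that models in Python the range check behind the validate_handler error above: it translates the category name through the setrans.conf lines from the post, builds the login range that chcat -l would request, and tests whether that range fits inside the SELinux user's range as listed by semanage user -l. Two assumptions are labelled in the code: the containment rule (the login's low level must dominate the SELinux user's low level, and the SELinux user's high level must dominate the login's high level), and the expansion of SystemLow-SystemHigh to s0-s0:c0.c1023, the default for an MCS policy built with 1024 categories.

```python
import re

# Category-name translations copied from the setrans.conf in the post.
SETRANS = {"Public": "c0", "Confidential": "c1", "Secret": "c2", "TopSecret": "c3"}

# SELinux users and their MLS ranges, constructed from the `semanage user -l`
# output in the post. user_u is plain s0 (no categories). SystemLow-SystemHigh
# is the translated spelling of s0-s0:c0.c1023 (assumption: 1024-category MCS policy).
SEUSER_RANGES = {
    "user_u": "s0",
    "root": "s0-s0:c0.c1023",
}

# Login mappings constructed from the `semanage login -l` output in the post.
LOGINS = {
    "foo": ("user_u", "s0"),
    "root": ("root", "s0-s0:c0.c1023"),
}


def parse_level(level):
    """Parse 'sN' or 'sN:cA,cB.cD' into (sensitivity, frozenset of category numbers)."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", level)
    if not m:
        raise ValueError(f"bad MLS level: {level!r}")
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            first, sep, last = part.partition(".")   # 'c0.c3' is the span c0..c3
            lo = int(first[1:])
            hi = int(last[1:]) if sep else lo
            cats.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(cats)


def parse_range(rng):
    """Parse 'low-high' (or a single level, meaning low == high) into (low, high)."""
    low, sep, high = rng.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if sep else lo)


def dominates(a, b):
    """Level a dominates b when its sensitivity is >= and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def range_within(requested, allowed):
    """Assumed containment rule: requested.low >= allowed.low and requested.high <= allowed.high."""
    r_lo, r_hi = parse_range(requested)
    a_lo, a_hi = parse_range(allowed)
    return dominates(r_lo, a_lo) and dominates(a_hi, r_hi)


def requested_range(base_range, add_names):
    """Build the range `chcat -l -- +Name login` asks for: add the translated
    categories to the high level of the login's current range."""
    lo, hi = parse_range(base_range)
    cats = set(hi[1])
    for name in add_names:
        cats.add(int(SETRANS[name][1:]))
    cat_str = ":" + ",".join(f"c{c}" for c in sorted(cats)) if cats else ""
    return f"s{lo[0]}-s{hi[0]}{cat_str}"


def check_chcat(login, add_names):
    """Return (requested_range, ok, message) for adding categories to a login."""
    seuser, current = LOGINS[login]
    wanted = requested_range(current, add_names)
    allowed = SEUSER_RANGES[seuser]
    if range_within(wanted, allowed):
        return wanted, True, f"seuser mapping [{login} -> ({seuser}, {wanted})] is valid"
    return wanted, False, (f"MLS range {wanted} for Unix user {login} exceeds "
                           f"allowed range {allowed} for SELinux user {seuser}")


if __name__ == "__main__":
    for login in ("foo", "root"):
        print(check_chcat(login, ["Public"])[2])
```

Run stand-alone, the check reproduces the post's message for foo (the requested s0-s0:c0 does not fit inside user_u's s0) and reports the same category as valid for root, whose SELinux user spans the full category set. The difference is entirely in the SELinux user's MLS range, so the thing to inspect is the user_u row of semanage user -l rather than the login or the setrans.conf mapping.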
More information about the fedora-selinux-list mailing list