Re: MCS Levels and Ranges

On Tue, 2009-04-14 at 16:01 -0700, Brian Ginn wrote:
> How should I interpret the following?
> The MCS Level and Range are confusing me.
> Or perhaps the difference between user and login is confusing me.
> 
> 'semanage login -l' shows user_u has Range s0
> 'semanage user -l'  shows user_u has Level s0 and Range SystemLow-SystemHigh

No, semanage login -l shows that by default, all Linux users are mapped
to the SELinux user identity user_u and assigned the range s0 at login
time.  semanage user -l shows that SELinux user identity user_u is
authorized for the range SystemLow-SystemHigh in the security policy.

There are two distinct user identities:
1) The Linux user identities as defined by the passwd database,
2) The SELinux user identities defined in the security policy
configuration.

semanage login acts on the "seusers" configuration, which defines how to
map each Linux user identity to a SELinux user identity and a login
range.  semanage user acts on the policy-defined SELinux user identities
and their associated roles and range.  

The range for the Linux user must be a subset of the range for the
SELinux user.  But multiple Linux users with different ranges might be
mapped to a single SELinux user whose range covers all of their
individual ranges. 

> 
> [root@rhel5 ~]# semanage login -l
>  
> Login Name                SELinux User              MLS/MCS Range
>  
> __default__               user_u                    s0
> root                      root                      SystemLow-SystemHigh
> [root@rhel5 ~]# semanage user -l
>  
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>  
> root            user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
> system_u        user       s0         SystemLow-SystemHigh           system_r
> user_u          user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
> [root@rhel5 ~]#
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Stephen Smalley
National Security Agency
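
The subset rule described in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not code from the SELinux project: it reads seusers-style lines (login:seuser:range) and tests each login range against the range authorized for the SELinux user it maps to. It assumes raw, untranslated levels, with SystemLow-SystemHigh taken to be s0-s0:c0.c1023; the logins alice and bob and the staff_u entry are hypothetical sample data.

```python
def parse_level(level):
    """'s0:c0.c3,c7' -> (0, frozenset({0, 1, 2, 3, 7}))"""
    sens, _, cats = level.partition(":")
    out = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")          # 'c0.c3' is an inclusive run
        out.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(out)

def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low, high); a single level means low == high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def within(inner, outer):
    """True if range `inner` lies inside range `outer`."""
    (ilo, ihi), (olo, ohi) = parse_range(inner), parse_range(outer)
    return dominates(ilo, olo) and dominates(ohi, ihi)

def check_seusers(seusers_text, user_ranges):
    """Return [(login, seuser, range, ok)] for each seusers line."""
    results = []
    for line in seusers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        login, seuser, rng = line.split(":", 2)  # the range itself contains ':'
        ok = seuser in user_ranges and within(rng, user_ranges[seuser])
        results.append((login, seuser, rng, ok))
    return results

# Constructed sample data (assumption: raw levels, SystemHigh = s0:c0.c1023).
SEUSERS = """\
__default__:user_u:s0
root:root:s0-s0:c0.c1023
alice:user_u:s0-s0:c1,c5
bob:staff_u:s0-s0:c0.c1023
"""
USER_RANGES = {"user_u": "s0-s0:c0.c1023", "root": "s0-s0:c0.c1023",
               "staff_u": "s0-s0:c0.c99"}  # staff_u range is hypothetical

if __name__ == "__main__":
    for login, seuser, rng, ok in check_seusers(SEUSERS, USER_RANGES):
        print(f"{login:12} -> {seuser:8} {rng:16} {'ok' if ok else 'OUTSIDE RANGE'}")
```

Here __default__ and alice have different login ranges but both fit inside user_u's authorized range, while bob's login range exceeds what the sample staff_u entry allows.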
