On Tue, 2009-04-14 at 16:01 -0700, Brian Ginn wrote:
> How should I interpret the following?
> The MCS Level and Range are confusing me.
> Or perhaps the difference between user and login is confusing me.
>
> 'semanage login -l' shows user_u has Range s0
> 'semanage user -l' shows user_u has Level s0 and Range SystemLow-SystemHigh

No, semanage login -l shows that by default, all Linux users are mapped to
the SELinux user identity user_u and assigned the range s0 at login time.
semanage user -l shows that SELinux user identity user_u is authorized for
the range SystemLow-SystemHigh in the security policy.

There are two distinct user identities:
1) The Linux user identities as defined by the passwd database,
2) The SELinux user identities defined in the security policy configuration.

semanage login acts on the "seusers" configuration, which defines how to map
each Linux user identity to a SELinux user identity and a login range.
semanage user acts on the policy-defined SELinux user identities and their
associated roles and range. The range for the Linux user must be a subset of
the range for the SELinux user. But multiple Linux users with different
ranges might be mapped to a single SELinux user whose range covers all of
their individual ranges.
>
> [root@rhel5 ~]# semanage login -l
>
> Login Name                SELinux User              MLS/MCS Range
>
> __default__               user_u                    s0
> root                      root                      SystemLow-SystemHigh
> [root@rhel5 ~]# semanage user -l
>
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>
> root            user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
> system_u        user       s0         SystemLow-SystemHigh           system_r
> user_u          user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
> [root@rhel5 ~]#
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-- 
Stephen Smalley
National Security Agency
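The rule stated in the reply, that each login's range in seusers must fall inside the range its SELinux user is authorized for, is something an administrator can check mechanically. The script below is an added example, not code from the thread or from the semanage tool: it parses the two tables as they appear above (the sample text is constructed from that output, with one extra "bob" row added to show a violation), compares MLS/MCS ranges using the usual dominance ordering, and reports every login whose range is not covered. The SystemLow/SystemHigh expansion is an assumption taken from the MCS setrans.conf convention; confirm the values against the host's own setrans.conf before relying on them.

```python
import re

# Translation aliases as found in the MCS setrans.conf of the targeted policy.
# ASSUMPTION for this example: check /etc/selinux/targeted/setrans.conf on the host.
ALIASES = {"SystemLow": "s0", "SystemHigh": "s0:c0.c1023"}

# Constructed sample input: the thread's 'semanage login -l' output plus a
# deliberately out-of-range mapping for a hypothetical user 'bob'.
LOGIN_OUTPUT = """
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh
bob                       user_u                    s1
"""

# Constructed sample input: the thread's 'semanage user -l' output.
USER_OUTPUT = """
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
root            user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
"""


def parse_level(text):
    """Parse one level such as 's0' or 's0:c0.c1023,c5' into
    (sensitivity, frozenset(categories)); aliases are expanded first."""
    text = ALIASES.get(text, text)
    m = re.fullmatch(r"s(\d+)(?::([c\d.,]+))?", text)
    if m is None:
        raise ValueError(f"unparseable level: {text!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        if "." in part:                      # 'c0.c1023' is an inclusive run
            first, last = part.split(".")
            cats.update(range(int(first[1:]), int(last[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return int(m.group(1)), frozenset(cats)


def parse_range(text):
    """Parse 'low-high' (or a bare level, meaning low == high) into (low, high)."""
    low, _, high = text.partition("-")
    low_lvl = parse_level(low)
    return low_lvl, (parse_level(high) if high else low_lvl)


def dominates(a, b):
    """MLS dominance: a dominates b when its sensitivity is not lower and
    its category set is a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def range_within(inner, outer):
    """inner lies within outer if inner.low dominates outer.low and
    outer.high dominates inner.high."""
    return dominates(inner[0], outer[0]) and dominates(outer[1], inner[1])


def parse_login_table(text):
    """Rows of 'semanage login -l' as {login: (selinux_user, range)}.
    Header lines are skipped because their third field is not a range."""
    rows = {}
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        try:
            rows[fields[0]] = (fields[1], parse_range(fields[2]))
        except ValueError:
            continue
    return rows


def parse_user_table(text):
    """Rows of 'semanage user -l' as {selinux_user: (level, range, roles)}."""
    rows = {}
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            rows[fields[0]] = (parse_level(fields[2]), parse_range(fields[3]), fields[4:])
        except ValueError:
            continue
    return rows


def check_mappings(login_text, user_text):
    """Return {login: None | problem}: a login's range must be a subset of
    the range the policy authorizes for its SELinux user."""
    logins = parse_login_table(login_text)
    users = parse_user_table(user_text)
    report = {}
    for login, (seuser, rng) in logins.items():
        if seuser not in users:
            report[login] = f"SELinux user {seuser} is not defined in the policy"
        elif not range_within(rng, users[seuser][1]):
            report[login] = f"login range exceeds the range authorized for {seuser}"
        else:
            report[login] = None
    return report


if __name__ == "__main__":
    for login, problem in check_mappings(LOGIN_OUTPUT, USER_OUTPUT).items():
        print(f"{login:12} {'ok' if problem is None else problem}")
```

On a live host the two tables would come from running the commands shown in the thread; here they are embedded so the check runs offline. The "bob" row is rejected because s1 has a higher sensitivity than the top of user_u's authorized range, while __default__ and root pass.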