Re: MCS Max Number of Category Element Comparisons?

You are correct - my mistake in the original post. I too was unable to reproduce on FC11. I originally observed the problem in RHEL5.3 (selinux-policy-targeted.noarch 2.4.6-203.el5) using targeted policy v21 enforcing.
 
On RHEL5.3, if I assign more than 6 non-contiguous categories, the mappings are lost.
 
For example, assigning six noncontiguous categories to a user works just fine:
# semanage login -m -s user_u -r s0-s0:c3,c5,c7,c9,c11,c13 user_1
 
<login as user_1>
id -Z
user_u:system_r:unconfined_t:s0-s0:c3;c5,c7,c9,c11,c13
<logout of user_1>
 
Now, assign 7 categories to user_1
# semanage login -m -s user_u -r s0-s0:c3,c5,c7,c9,c11,c13,c15 user_1
 
All 7 category mappings appear to have been applied:
# semanage login -l
user_1 user_u s0-s0:c3,c5,c7,c9,c11,c13,c15

However, as user_1, the 7 category mappings are not linked to the user per the id -Z command. Subsequent attempts to open a file requiring the 7 categories as user_1 fail:
Login as user_1 after the 7 categories have been assigned:
id -Z
user_u:system_r:unconfined_t:s0


--- On Mon, 8/17/09, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

From: Stephen Smalley <sds@xxxxxxxxxxxxx>
Subject: Re: MCS Max Number of Category Element Comparisons?
To: "Sam Marshall" <sm3501@xxxxxxxxx>
Cc: fedora-selinux-list@xxxxxxxxxx
Date: Monday, August 17, 2009, 11:29 AM

On Fri, 2009-08-14 at 13:30 -0700, Sam Marshall wrote:
> Hi,

> In FC11, is there a limit to the number of category elements that can
> be compared to make access decisions using MCS? My understanding is
> that up to 1024 categories can be assigned in setrans.conf, however,
> only six or fewer categories can be used for comparison to make
> access decisions.

> For example, when I assign a login user to 7 categories (e.g., s:0,
> c1, c2, c5, c8, c11, c12, c19) and label a file with the exact same
> categories number, permission is denied if the user tries to cat out
> the file (Unix dacl permissions allow the user read access)

> When I assign fewer than 7 of the exact same categories to the file and
> user, the user can open the file.

> I've tried using ranges (c2.c5, c10.c18, etc.), and found that there
> appears to be a four element limitation with the range notation.

> Does this sound right?

No, that sounds like a bug.  Can you provide more specifics, please?
The following worked for me just fine:
# useradd foo
# passwd foo
# semanage login -a -s unconfined_u -r s0-s0:c0,c1,c2,c5,c8,c11,c12,c19 foo
# ssh -l foo localhost
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c2,c5,c8,c11,c12,c19
$ echo hello > foo
$ chcon -l s0:c0.c2,c5,c8,c11,c12,c19 foo
$ cat foo
hello

--
Stephen Smalley
National Security Agency
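As an added illustration (not code from anyone in this thread), the following Python parses MCS levels in both the comma-list and the `cA.cB` range notation and applies the dominance rule the thread is probing. It assumes the refpolicy-style MCS file constraint (the process's high level must dominate the file's level) and the 1024-category limit mentioned above; there is no six-element cap anywhere in the rule, which is why Stephen's eight-category test succeeds and the RHEL5.3 `s0`-only context fails.

```python
import re

MAX_CATEGORIES = 1024  # assumption: the policy defines c0..c1023, as the thread mentions

def parse_categories(spec):
    """'c0.c2,c5,c8' -> frozenset({0, 1, 2, 5, 8}); 'cA.cB' is a contiguous range."""
    cats = set()
    for elem in filter(None, (e.strip() for e in spec.split(","))):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", elem)
        if not m:
            raise ValueError(f"bad category element: {elem!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if lo > hi or hi >= MAX_CATEGORIES:
            raise ValueError(f"category range out of bounds: {elem!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)

def parse_level(level):
    """'s0:c1,c2' -> (0, frozenset({1, 2})); 's0' -> (0, frozenset())."""
    m = re.fullmatch(r"s(\d+)(?::(.*))?", level.strip())
    if not m:
        raise ValueError(f"bad level: {level!r}")
    return int(m.group(1)), parse_categories(m.group(2) or "")

def parse_range(rng):
    """'s0-s0:c3,c5' -> (low, high); a lone level is both its own low and high."""
    low, _, high = rng.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if high else low_level)

def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's category set is a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def mcs_file_access_allowed(process_range, file_level):
    """Model of the MCS file constraint (assumption: h1 dom h2, as in refpolicy's mcs file):
    the process's high level must dominate the file's level, whatever the category count."""
    _, high = parse_range(process_range)
    return dominates(high, parse_level(file_level))

def format_categories(cats):
    """Render a set the way id -Z prints it: runs of three or more collapse to 'cA.cB'."""
    seq, out, i = sorted(cats), [], 0
    while i < len(seq):
        j = i
        while j + 1 < len(seq) and seq[j + 1] == seq[j] + 1:
            j += 1
        out.extend([f"c{seq[i]}.c{seq[j]}"] if j - i >= 2 else [f"c{k}" for k in seq[i:j + 1]])
        i = j + 1
    return ",".join(out)
```

Feeding it the two contexts from the thread shows the difference is the category set actually bound to the session, not its size: `s0-s0:c0,c1,c2,c5,c8,c11,c12,c19` dominates the eight-category file label, while a session left at plain `s0` dominates nothing with categories.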


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
