Hello Phil,
I have tried your suggestion of extending the user_u definition without success:
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                       SELinux Roles

git_shell_u     user       SystemLow  SystemLow                       git_shell_r
guest_u         user       SystemLow  SystemLow                       guest_r
root            user       SystemLow  SystemLow-SystemHigh            staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh            staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh            sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh            system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh            system_r unconfined_r
user_u          user       SystemLow  SystemLow                       user_r
xguest_u        user       SystemLow  SystemLow                       xguest_r
# semanage user -m -r s0:c0.c1023 user_u
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                       SELinux Roles

git_shell_u     user       SystemLow  SystemLow                       git_shell_r
guest_u         user       SystemLow  SystemLow                       guest_r
root            user       SystemLow  SystemLow-SystemHigh            staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh            staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh            sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh            system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh            system_r unconfined_r
user_u          user       SystemLow  SystemHigh                      user_r
xguest_u        user       SystemLow  SystemLow                       xguest_r
# useradd kate
# passwd kate
Changing password for user kate.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a kate
libsemanage.validate_handler: MLS range s0 for Unix user regularuser exceeds allowed range s0:c0.c1023 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [regularuser -> (user_u, s0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I would greatly appreciate any other hints to make this work.
Regards,
Bill
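The range check behind both libsemanage errors in this thread, as an added worked example that is not part of the original messages. libsemanage accepts a login mapping only if the login's MLS range is contained in the SELinux user's range: the login's low level must dominate the user's low level, and the login's high level must be dominated by the user's high level, where one level dominates another when its sensitivity is at least as high and its category set is a superset. A range written without a dash, such as the `s0:c0.c1023` that the modified user_u carries above (translated as SystemHigh in the listing), is a single level whose low and high are equal, so a login at plain `s0` falls below it, which is what the second error reports; `s0-s0:c0.c1023` spans both levels. The script below reimplements that containment test in POSIX sh on constructed inputs; the function names and the three sample cases are mine, not libsemanage's, and the script does not consult the policy for which sensitivities and categories actually exist.

```sh
#!/bin/sh
# Added example: the MLS/MCS range-containment rule that decides whether
# `semanage login -a` / `chcat -l` can commit a mapping. Pure POSIX sh,
# no semanage needed. Function names are mine, not libsemanage's.
#
# Level syntax : s<N>[:<cats>]   cats = c<N> or c<N>.c<M>, comma separated
# Range syntax : <low>[-<high>]  no dash means low == high (a single level)

# expand_cats 'c0.c2,c7' -> ' 0 1 2 7 '  (space-delimited set with sentinels)
expand_cats() {
  set_="" ; rest="$1"
  while [ -n "$rest" ]; do
    item=${rest%%,*}
    case "$rest" in *,*) rest=${rest#*,} ;; *) rest="" ;; esac
    case "$item" in
      c*.c*) lo=${item%%.*}; lo=${lo#c}; hi=${item##*.}; hi=${hi#c} ;;
      c*)    lo=${item#c}; hi=$lo ;;
      *)     echo "bad category '$item'" >&2; return 1 ;;
    esac
    n=$lo
    while [ "$n" -le "$hi" ]; do set_="$set_$n "; n=$((n+1)); done
  done
  printf ' %s' "$set_"
}

# level_sens 's0:c0.c1023' -> 0
level_sens() { sl=${1%%:*}; echo "${sl#s}"; }

# level_cats 's0:c0.c1023' -> ' 0 1 ... 1023 ' ; level_cats 's0' -> ' '
level_cats() {
  case "$1" in
    *:*) expand_cats "${1#*:}" ;;
    *)   printf ' ' ;;
  esac
}

# dominates A B: true when A.sens >= B.sens and cats(B) is a subset of cats(A)
dominates() {
  [ "$(level_sens "$1")" -ge "$(level_sens "$2")" ] || return 1
  acats=$(level_cats "$1") || return 1
  bcats=$(level_cats "$2") || return 1
  for n in $bcats; do
    case "$acats" in *" $n "*) ;; *) return 1 ;; esac
  done
  return 0
}

range_low()  { echo "${1%%-*}"; }
range_high() { case "$1" in *-*) echo "${1#*-}" ;; *) echo "$1" ;; esac; }

# range_contains USER_RANGE LOGIN_RANGE: the login range must sit inside the
# SELinux user's range, i.e. user.low <= login.low and login.high <= user.high
range_contains() {
  dominates "$(range_low "$2")"  "$(range_low "$1")"  || return 1
  dominates "$(range_high "$1")" "$(range_high "$2")" || return 1
}

# check_mapping UNIX_USER USER_RANGE LOGIN_RANGE: prints a verdict in the
# spirit of the libsemanage message; exit status 0 only for a valid mapping
check_mapping() {
  if range_contains "$2" "$3"; then
    echo "ok: login range $3 for Unix user $1 fits SELinux user range $2"
  else
    echo "invalid: MLS range $3 for Unix user $1 exceeds allowed range $2"
    return 1
  fi
}

# Constructed inputs mirroring the three situations in the thread:
check_mapping mary 's0'             's0-s0:c0'   # stock user_u: high s0:c0 > s0
check_mapping kate 's0:c0.c1023'    's0'         # single level: low s0 < s0:c0.c1023
check_mapping mary 's0-s0:c0.c1023' 's0-s0:c0'   # dashed range: accepted
```

Run it with sh; the first two calls print the "exceeds allowed range" verdicts seen in the thread, the third succeeds. The real tools additionally validate that every sensitivity and category named in a range is defined in the loaded policy, which this script does not attempt.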
On 5/23/2017 8:42 PM, Philip Seeley wrote:
Hi Bill,
This is probably because the default RHEL6 configuration does not include any categories in the user_u SELinux user's range:
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                       SELinux Roles

guest_u         user       s0         s0                              guest_r
root            user       s0         s0-s0:c0.c1023                  staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                  staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                  sysadm_r
system_u        user       s0         s0-s0:c0.c1023                  system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                  system_r unconfined_r
user_u          user       s0         s0                              user_r
You probably have to extend the user definition to include the categories you're using. As an example, this gives all categories:
# semanage user -m -r s0:c0.c1023 user_u
# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                       SELinux Roles

guest_u         user       s0         s0                              guest_r
root            user       s0         s0-s0:c0.c1023                  staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                  staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                  sysadm_r
system_u        user       s0         s0-s0:c0.c1023                  system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                  system_r unconfined_r
user_u          user       s0         s0:c0.c1023                     user_r
Hope that helps.
Phil
From: Bill Durant <littus@xxxxxxxxxx>
To: Philip Seeley <pseeley@xxxxxxxxxxx>
Cc: littus@xxxxxxxxxx, selinux@xxxxxxxxxxxxxxxxxxxxxxx
Date: 24/05/2017 12:34
Subject: Re: Controlling execution of Java JAR files with SELinux RBAC
Hello Phil:
Thank you for the suggestion. I have tried the steps from the URL that you provided without success.
I get an error when I try to assign Linux user mary to an SELinux login as follows:
# cat /etc/redhat-release
CentOS release 6.9 (Final)
;;; Add "s0:c0=NetworkAdministrator" and "s0:c1=Operator" to /etc/selinux/targeted/setrans.conf
# cat /etc/selinux/targeted/setrans.conf
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation library
# disable=1
#
# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0:c0=NetworkAdministrator
s0:c1=Operator
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
# service mcstrans start
# chcat -L
s0:c0 NetworkAdministrator
s0:c1 Operator
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
# useradd mary
# passwd mary
Changing password for user mary.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# semanage login -a mary
# chcat -l -- +NetworkAdministrator mary
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user mary exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [mary -> (user_u, s0-s0:c0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
I would appreciate any hints on how to resolve that error.
Thanks!
Bill
On 05/23/2017 05:49 PM, Philip Seeley wrote: