MCS error

Hello all,

I am implementing Multi-Category Security for a client to contain various
different instances of their web application which all run on the same box.
This sort of multi-tenant operation seems like a perfect fit for MCS.

I am using the following guide as a basis for getting started:

https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html

However, I am actually running CentOS 6. I can't seem to find a CentOS 6
version of this guide.

When I try to add the category to the user I get this error:

[mcstest:/root]# chcat -l -- +user1 user1
libsemanage.validate_handler: MLS range s0-s0:c1 for Unix user user1 exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [user1 -> (user_u, s0-s0:c1)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction

Here's some relevant config info:

[mcstest:/root]# chcat -L 
s0:c1                          user1
s0:c2                          user2
s0:c3                          user3
s0                             SystemLow
s0-s0:c0.c1023                 SystemLow-SystemHigh
s0:c0.c1023                    SystemHigh


[mcstest:/root]# semanage user -l 

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       SystemLow  SystemLow                      git_shell_r
guest_u         user       SystemLow  SystemLow                      guest_r
root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
user_u          user       SystemLow  SystemLow                      user_r
xguest_u        user       SystemLow  SystemLow                      xguest_r

I notice that the MCS Range for user_u is only SystemLow. In the documentation
referenced above the output of this command shows user_u as:

user_u                  user           s0                      s0-s0:c0.c1023    system_r sysadm_r user_r

so the MCS range is s0-s0:c0.c1023. This seems to be what is missing in my
setup. But I don't understand how to allow that MCS Range for user_u.

Any pointers are greatly appreciated. Thanks!

-- 
Tracy Reed
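
Added example, not part of the original message and not libsemanage's code: a simplified Python model of the range-containment check that the validate_handler error above reports, for MCS-style levels. The function names are hypothetical, and the ranges in the table are the SystemLow/SystemHigh translations from the chcat -L and semanage user -l output above, written out in raw form.

```python
import re

def parse_level(text):
    """Parse 's0' or 's0:c1,c5.c9' into (sensitivity, frozenset of categories)."""
    sens, sep, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sens) or (sep and not cats):
        raise ValueError(f"bad level: {text!r}")
    members = set()
    for item in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not m:
            raise ValueError(f"bad category: {item!r}")
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else first
        if last < first:
            raise ValueError(f"reversed category span: {item!r}")
        members.update(range(first, last + 1))
    return int(sens[1:]), frozenset(members)

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_range(text):
    """Parse 'low' or 'low-high'; a single level is a range of one level."""
    low, sep, high = text.partition("-")
    low_level = parse_level(low)
    high_level = parse_level(high) if sep else low_level
    if not dominates(high_level, low_level):
        raise ValueError(f"high level does not dominate low: {text!r}")
    return low_level, high_level

def range_allowed(login_range, seuser_range):
    """True if the Unix user's range lies inside the SELinux user's range."""
    low, high = parse_range(login_range)
    allowed_low, allowed_high = parse_range(seuser_range)
    return dominates(low, allowed_low) and dominates(allowed_high, high)

# Ranges from the semanage user -l output above, translations expanded.
SELINUX_USER_RANGES = {"user_u": "s0", "staff_u": "s0-s0:c0.c1023"}

if __name__ == "__main__":
    requested = "s0-s0:c1"  # the range in the rejected seuser mapping for user1
    for seuser, allowed in SELINUX_USER_RANGES.items():
        verdict = "ok" if range_allowed(requested, allowed) else "exceeds allowed range"
        print(f"user1 -> ({seuser}, {requested}): {verdict} ({allowed})")
```
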