The MCS implementation has been changed a bit over the years on the policy side. Back in the earlier days MCS was enforced on all processes in Red Hat distros by default. Nowadays that is no longer the case, and you need to opt in for it by associating the mcs_constrained_type type attribute with the type of the process to constrain. In RHEL6 this attribute name does not exist, I suspect. It was renamed to the aforementioned later. A `seinfo -a | grep mcs` might reveal the type attribute used for the same in RHEL6. (I think it's something with trusted or untrusted, dunno for sure.)

On Thu, Feb 19, 2015 at 08:23:16AM -0500, Stephen Smalley wrote:
> On 02/18/2015 08:48 PM, Tracy Reed wrote:
> > Hello all,
> >
> > I am implementing Multi-Category Security for a client to contain various
> > different instances of their web application which all run on the same box.
> > This sort of multi-tenant operation seems like a perfect fit for MCS.
> >
> > I am using the following guide as a basis for getting started:
> >
> > https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mcs-getstarted.html
> >
> > However, I am actually running CentOS 6. I can't seem to find a CentOS 6
> > version of this guide.
> >
> > When I try to add the category to the user I get this error:
> >
> > [mcstest:/root]# chcat -l -- +user1 user1
> > libsemanage.validate_handler: MLS range s0-s0:c1 for Unix user user1 exceeds allowed range s0 for SELinux user user_u (No such file or directory).
> > libsemanage.validate_handler: seuser mapping [user1 -> (user_u, s0-s0:c1)] is invalid (No such file or directory).
> > libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
> > /usr/sbin/semanage: Could not commit semanage transaction
> >
> > Here's some relevant config info:
> >
> > [mcstest:/root]# chcat -L
> > s0:c1                          user1
> > s0:c2                          user2
> > s0:c3                          user3
> > s0                             SystemLow
> > s0-s0:c0.c1023                 SystemLow-SystemHigh
> > s0:c0.c1023                    SystemHigh
> >
> >
> > [mcstest:/root]# semanage user -l
> >
> >                 Labeling   MLS/       MLS/
> > SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> >
> > git_shell_u     user       SystemLow  SystemLow                      git_shell_r
> > guest_u         user       SystemLow  SystemLow                      guest_r
> > root            user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> > staff_u         user       SystemLow  SystemLow-SystemHigh           staff_r sysadm_r system_r unconfined_r
> > sysadm_u        user       SystemLow  SystemLow-SystemHigh           sysadm_r
> > system_u        user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> > unconfined_u    user       SystemLow  SystemLow-SystemHigh           system_r unconfined_r
> > user_u          user       SystemLow  SystemLow                      user_r
> > xguest_u        user       SystemLow  SystemLow                      xguest_r
> >
> > I notice that the MCS Range for user_u is only SystemLow. In the documentation
> > referenced above the output of this command shows user_u as:
> >
> > user_u          user       s0         s0-s0:c0.c1023                 system_r sysadm_r user_r
> >
> > so the MCS range is s0-s0:c0.c1023. This seems to be what is missing in my
> > setup. But I don't understand how to allow that MCS Range for user_u.
> >
> > Any pointers are greatly appreciated. Thanks!
>
> semanage user -m -r s0-s0:c0.c1023 user_u
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

-- 
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
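Editor's added example, not part of the thread above and not code from the SELinux project: a POSIX shell script that models the check libsemanage applies when a login mapping is committed (is every category in the login's range inside the SELinux user's range?), reproduces the "s0-s0:c1 exceeds allowed range s0" rejection offline, and then wraps Stephen's fix plus the original chcat command in a function that only runs on a real box as root. The range check is a simplified model of libsemanage's validation (it compares the high level of each range only), and the assumption that the named category "user1" maps to c1 comes from the chcat -L output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): model the MLS/MCS range check that made
# "chcat -l -- +user1 user1" fail, then apply the fix from the thread.
# Simplification (assumption): only the high level of each range is compared;
# real libsemanage validates the full range.

# Highest level of a range: "s0-s0:c0.c1023" -> "s0:c0.c1023", "s0" -> "s0"
mcs_high_level() {
    case $1 in
        *-*) printf '%s\n' "${1#*-}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Category part of a level: "s0:c0.c1023" -> "c0.c1023", "s0" -> "" (none)
mcs_cats() {
    case $1 in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# Return 0 if category number $1 lies inside category expression $2,
# a comma list of "cN" or "cA.cB" segments such as "c1,c5.c7".
mcs_cat_in_set() {
    sn=$1
    set -- $(printf '%s\n' "$2" | tr ',' ' ')
    for sseg in "$@"; do
        case $sseg in
            *.*) slo=${sseg%%.*}; shi=${sseg#*.} ;;
            *)   slo=$sseg; shi=$sseg ;;
        esac
        slo=${slo#c}; shi=${shi#c}
        if [ "$sn" -ge "$slo" ] && [ "$sn" -le "$shi" ]; then return 0; fi
    done
    return 1
}

# Return 0 if login range $2 fits inside SELinux-user range $1, i.e. the
# seuser mapping would be accepted; 1 if it "exceeds allowed range".
mcs_range_allows() {
    a_high=$(mcs_high_level "$1"); w_high=$(mcs_high_level "$2")
    a_sens=${a_high%%:*}; a_sens=${a_sens#s}   # sensitivity number (s0 -> 0)
    w_sens=${w_high%%:*}; w_sens=${w_sens#s}
    if [ "$w_sens" -gt "$a_sens" ]; then return 1; fi
    allowed_cats=$(mcs_cats "$a_high")
    wanted_cats=$(mcs_cats "$w_high")
    if [ -z "$wanted_cats" ]; then return 0; fi   # no categories requested
    if [ -z "$allowed_cats" ]; then return 1; fi  # user at plain s0: none allowed
    set -- $(printf '%s\n' "$wanted_cats" | tr ',' ' ')
    for seg in "$@"; do
        case $seg in
            *.*) lo=${seg%%.*}; hi=${seg#*.} ;;
            *)   lo=$seg; hi=$seg ;;
        esac
        lo=${lo#c}; hi=${hi#c}
        c=$lo
        while [ "$c" -le "$hi" ]; do
            mcs_cat_in_set "$c" "$allowed_cats" || return 1
            c=$((c + 1))
        done
    done
    return 0
}

# The fix from the thread, guarded so it only runs on a real SELinux host
# as root. Assumes the named category "user1" is c1, as chcat -L showed.
widen_user_u_and_add_category() {
    if [ "$(id -u)" -ne 0 ] || ! command -v semanage >/dev/null 2>&1; then
        echo "skipping: needs root and semanage on an SELinux host" >&2
        return 2
    fi
    semanage user -m -r s0-s0:c0.c1023 user_u   # widen user_u's MCS range first
    chcat -l -- +user1 user1                    # now the original command commits
    semanage login -l | grep '^user1'           # verify: user1 -> user_u s0-s0:c1
}

# Offline demonstration: user_u before and after the fix, login range s0-s0:c1.
for allowed in s0 s0-s0:c0.c1023; do
    if mcs_range_allows "$allowed" s0-s0:c1; then
        echo "user_u range $allowed: login range s0-s0:c1 is accepted"
    else
        echo "user_u range $allowed: login range s0-s0:c1 exceeds allowed range"
    fi
done
if [ "${APPLY:-0}" = 1 ]; then widen_user_u_and_add_category; fi
```

Run it as-is to see the two verdicts; run it with APPLY=1 as root on the CentOS 6 box to apply the widening and re-run the chcat command. Widening user_u to s0-s0:c0.c1023 is the prerequisite, not the isolation itself: each login still gets only the categories chcat assigns it, and (as Dominick notes for newer policies) the process type must be MCS-constrained for the categories to be enforced.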