On 02/19/2015 09:02 PM, Tracy Reed wrote:
> On Thu, Feb 19, 2015 at 04:34:25PM PST, Tracy Reed spake thusly:
>> # semanage login -l
>
> Ok, part of my confusion here is that I've been confusing semanage login with
> semanage user. It's been a while since I've dealt with SELinux. I understand
> that semanage login -l shows what Linux users map to what selinux users:
>
>> Login Name           SELinux User         MLS/MCS Range
>>
>> __default__          unconfined_u         SystemLow-SystemHigh
>> p16001               p16001_u             p16001
>> p16002               appuser_u            s0:c1.c499-s0:c2
>> p16003               appuser_u            s0:c1.c499-s0:c3
>> p16004               unconfined_u         s0-s0:c0.c1023,c4
>> p16005               unconfined_u         s0-s0:c0.c1023,c4,c5
>> p16006               unconfined_u         s0-s0:c0.c1023,c6
>> p16007               unconfined_u         s0-s0:c0.c1023,c7
>> p16008               unconfined_u         s0-s0:c0.c1023,c8
>> p16009               unconfined_u         s0-s0:c0.c1023,c9
>> root                 unconfined_u         SystemLow-SystemHigh
>> system_u             system_u             SystemLow-SystemHigh
>
> So we are mapping p16002 to appuser_u but appuser_u doesn't exist at the
> moment. But what's with the MLS/MCS range column? Is this saying p16002 has
> categories s0:c1.c499-s0:c2, or is it saying appuser_u (selinux user) has
> categories s0:c1.c499-s0:c2? Given that the selinux user is the same but the
> categories listed are different for Linux login users p16002 and p16003, I would
> think it is saying those categories go with those Linux login users.

The user mapping (i.e. semanage user) is part of the kernel policy; for each
SELinux user, it specifies the maximum range and authorized roles for the user.
The login mapping (i.e. semanage login) is a purely userspace policy; it
specifies how to map a given Linux login to a SELinux user and to a more
specific range. The more specific range for a Linux login should always be a
subset of the range authorized for the underlying SELinux user; the kernel won't
let you create a process with a given SELinux user with a range that exceeds the
maximum authorized in its policy. So your login mapping is wrong.
> And that is different yet with respect to the output of the chcat command:
>
> # chcat -L -l p16001 p16002
> p16001: s0:c0.c1023
> p16002: s0:c0.c1023
>
> This says p16001 and p16002 have access to all categories.

I wouldn't rely on chcat for anything; I'm not sure it is even being maintained,
as it only made sense for the original user-centric discretionary MCS model.
Just use semanage to manage the login and user mappings, and chcon -l to set
levels on files (or, better, add entries to file contexts via semanage fcontext
and use restorecon to set the labels to match; otherwise a relabel may override
them).
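The subset rule stated in the reply (a login's MLS/MCS range must lie within the range its SELinux user is authorized for, and within any range the high level must dominate the low level) can be checked mechanically before a mapping is installed. The following is an added example, not code from this thread or from the SELinux project: it parses the column shapes of `semanage login -l` and `semanage user -l` and reports the inconsistent rows. It assumes the default mcstransd names `SystemLow` = `s0` and `SystemHigh` = `s0:c0.c1023`; the login rows are copied from the quoted output above, and the `unconfined_u`/`system_u` ranges are constructed sample values (the thread notes `appuser_u` is not defined, so it is deliberately absent).

```python
"""Check semanage login ranges against the SELinux user ranges they map to.

Two checks per login row:
  1. the range is well-formed: the high level must dominate the low level;
  2. the login's range lies within the range of its SELinux user.
"""
import re

# Assumption: default mcstransd translations for the MCS bounds.
TRANSLATIONS = {"SystemLow": "s0", "SystemHigh": "s0:c0.c1023"}

LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")

# Constructed sample data: login rows from the quoted `semanage login -l`,
# user ranges as they would appear in `semanage user -l` (appuser_u omitted
# because the thread says it does not exist on this system).
LOGIN_ROWS = [
    ("__default__", "unconfined_u", "SystemLow-SystemHigh"),
    ("p16001", "p16001_u", "p16001"),
    ("p16002", "appuser_u", "s0:c1.c499-s0:c2"),
    ("p16003", "appuser_u", "s0:c1.c499-s0:c3"),
    ("p16004", "unconfined_u", "s0-s0:c0.c1023,c4"),
    ("root", "unconfined_u", "SystemLow-SystemHigh"),
]
USER_RANGES = {"unconfined_u": "s0-s0:c0.c1023", "system_u": "s0-s0:c0.c1023"}


def parse_level(text):
    """Return (sensitivity, frozenset of categories) for e.g. 's0:c0.c1023,c4'."""
    text = TRANSLATIONS.get(text, text)
    m = LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized level {text!r}")
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:                       # cN.cM is an inclusive run
                lo, hi = (int(p[1:]) for p in part.split("."))
                if lo > hi:
                    raise ValueError(f"bad category run {part!r}")
                cats.update(range(lo, hi + 1))
            else:
                cats.add(int(part[1:]))
    return int(m.group(1)), frozenset(cats)


def parse_range(text):
    """Return (low, high); a single level means low == high."""
    lo_txt, hi_txt = text.split("-", 1) if "-" in text else (text, text)
    return parse_level(lo_txt), parse_level(hi_txt)


def dominates(a, b):
    """a dominates b: higher-or-equal sensitivity and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def range_ok(rng):
    """A range is valid only when its high level dominates its low level."""
    low, high = rng
    return dominates(high, low)


def range_within(inner, outer):
    """inner lies within outer: outer.low <= inner.low and inner.high <= outer.high."""
    return dominates(inner[0], outer[0]) and dominates(outer[1], inner[1])


def check_logins(login_rows, user_ranges):
    """Return [(login, problem), ...]; empty when every mapping is consistent."""
    problems = []
    for login, seuser, rng_txt in login_rows:
        try:
            rng = parse_range(rng_txt)
        except ValueError as exc:
            problems.append((login, f"unparseable range: {exc}"))
            continue
        if not range_ok(rng):
            problems.append((login, "high level does not dominate low level"))
            continue
        if seuser not in user_ranges:
            problems.append((login, f"SELinux user {seuser} is not defined"))
            continue
        if not range_within(rng, parse_range(user_ranges[seuser])):
            problems.append((login, f"range exceeds {seuser} range {user_ranges[seuser]}"))
    return problems


if __name__ == "__main__":
    for login, problem in check_logins(LOGIN_ROWS, USER_RANGES):
        print(f"{login}: {problem}")
```

Run against the sample rows it flags p16001 (the range column is not a level at all), p16002 and p16003 (the high level `s0:c2` does not dominate the low level `s0:c1.c499`), and passes p16004 and root, whose ranges sit inside `unconfined_u`'s `s0-s0:c0.c1023`. To use it on a live system, feed it the tab-separated columns of `semanage login -l` and `semanage user -l` instead of the constructed lists.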