Re: selinux mls/mcs rang modify

Dear Dominick,
Thanks for your help.
At first I unmapped all the Linux UIDs from system_u, then I changed the
range back successfully.

Thanks
rowan

-----Original Message-----
From: Selinux [mailto:selinux-bounces@xxxxxxxxxxxxx] On Behalf Of Dominick Grift
Sent: August 14, 2015 16:23
To: selinux@xxxxxxxxxxxxx
Subject: Re: selinux mls/mcs rang modify

On Fri, Aug 14, 2015 at 02:45:05PM +0800, rowan wrote:
> Dear all,
> 
>          While testing, I used semanage to change the mls/mcs range of
> selinux user 'system_u' from 's0-s0:c0.c1023' to 's0-s0:c0.c1020', cmd
> as below
> 
>                    'semanage user -m -r s0-s0:c0.c1020 system_u'
> 
>  
> 
> How do I change it back?

I think I know what you are getting at here. Libsemanage does not do a good
job with validation.

You could try to remove or change any login mappings of system_u that
authorize use of categories that exceed the range associated with the system_u
user mapping first, or change that range so that it is equal to or falls in
the range of the system_u user mapping.

What I think happened is that libsemanage allowed you to change the
range associated with the system_u id, even though there is a login mapping
in place that associates one or more linux uids with system_u and a range
that exceeds the range that is associated with system_u.

libsemanage shouldn't have let you do that in the first place. It should
have said instead: "Hey! I noticed you are trying to change the level range
associated with system_u, but there currently is a login mapping in place
that associates system_u, and a range that exceeds that of system_u, with a
linux id. I can't do that!"

Now when you try to change the range associated with system_u back to the
old state, libsemanage won't allow you to because there is a login mapping of
system_u with a range that exceeds the current range.

So if this is at all possible without manually editing
/etc/selinux/*/seusers(.local), then try and use semanage to make the range
of any login mapping that applies to system_u equal to or less than the range
associated with the system_u id.

I hope this makes sense; I realise that it is kind of confusing.

> 
>  
> 
> Thanks
> 
> rowan
> 

> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxx.gov.


--
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
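
An added example, not part of the thread or of libsemanage: a small checker for the condition described above, that every login mapping's range is equal to or falls within the range of its SELinux user. The function names are hypothetical, the sample data is constructed, and the input is assumed to be in the `login:seuser:range` form used by seusers.

```python
def parse_level(level):
    """'s0:c0.c3,c7' -> (0, frozenset({0, 1, 2, 3, 7}))"""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c0.c3' is an inclusive run
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        out.update(range(first, last + 1))
    return int(sens[1:]), frozenset(out)

def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low_level, high_level); 's0' -> (low, low)"""
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)

def dominates(a, b):
    """Level a dominates b: sensitivity >= and category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def within(inner, outer):
    """True if range `inner` is equal to or falls inside range `outer`."""
    (ilo, ihi), (olo, ohi) = parse_range(inner), parse_range(outer)
    return dominates(ilo, olo) and dominates(ohi, ihi)

def exceeding_mappings(seusers_text, user_ranges):
    """Return (login, seuser, login_range, user_range) for each bad mapping."""
    bad = []
    for line in seusers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)               # the range itself contains ':'
        if len(parts) < 3 or parts[1] not in user_ranges:
            continue
        login, seuser, rng = parts
        if not within(rng, user_ranges[seuser]):
            bad.append((login, seuser, rng, user_ranges[seuser]))
    return bad

# Constructed sample: login mappings still at c1023, system_u reduced to c1020.
SEUSERS = """\
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
system_u:system_u:s0-s0:c0.c1023
"""
USER_RANGES = {"unconfined_u": "s0-s0:c0.c1023", "system_u": "s0-s0:c0.c1020"}

if __name__ == "__main__":
    for row in exceeding_mappings(SEUSERS, USER_RANGES):
        print("login %s -> %s: %s exceeds %s" % row)
```

Any mapping it reports is one whose range has to be narrowed or removed before the SELinux user's range can be changed again, as discussed in the thread.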

