Bug 1410888
Summary: | semanage login fails to set up selinux user name for a default user | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Jelen <jjelen> |
Component: | policycoreutils | Assignee: | Petr Lautrbach <plautrba> |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.3 | CC: | dwalsh, fukidid, lvrabec, mgrepl, mmalik, plautrba, ssekidde |
Target Milestone: | rc | Keywords: | Reopened |
Last Closed: | 2017-06-29 16:11:11 UTC | Type: | Bug |
Description
Jakub Jelen
2017-01-06 17:38:20 UTC
The problem still persists in RHEL7.4:

    # semanage login -m -s user_u __default__
    libsemanage.validate_handler: MLS range s0-s0:c0.c1023 for Unix user __default__ exceeds allowed range s0 for SELinux user user_u (No such file or directory).
    libsemanage.validate_handler: seuser mapping [__default__ -> (user_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
    libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
    OSError: No such file or directory
    # semanage login -l
    Login Name           SELinux User         MLS/MCS Range        Service
    __default__          unconfined_u         s0-s0:c0.c1023       *
    root                 unconfined_u         s0-s0:c0.c1023       *
    system_u             system_u             s0-s0:c0.c1023       *
    # rpm -q policycoreutils-python
    policycoreutils-python-2.5-17.1.el7.x86_64
    # cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 7.4 Beta (Maipo)

Please, do not close bugs without comments explaining why it is not a bug for you.

I'd say that the workaround you described is actually the correct command you need to run.

    # semanage login -m -s user_u __default__

This command changes SELinux user assigned to __default__ to user_u but it doesn't change MLS/MCS range. It means that login __default__ would use staff_u SELinux user with s0-s0:c0.c1023 range and this is not allowed as user_u is allowed only with s0 range. Therefore you need to change the range as well:

    # semanage login -m -s user_u -r s0 __default__
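The range check behind the error above, as an added example that is not part of the bug report and is not libsemanage code: a simplified Python model of MLS range containment, which shows why the mapping is rejected with the inherited range and accepted with `-r s0`. The function names are hypothetical; the only policy fact assumed is the one the thread states, that user_u is allowed range s0.

```python
import re

def parse_level(level):
    """Parse one MLS level, e.g. 's0:c0.c3,c7' -> (0, frozenset({0, 1, 2, 3, 7}))."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity in {level!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        c = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # 'c5' or 'c0.c1023'
        if not c:
            raise ValueError(f"bad category in {level!r}")
        first = int(c.group(1))
        last = int(c.group(2)) if c.group(2) else first
        categories.update(range(first, last + 1))
    return int(m.group(1)), frozenset(categories)

def parse_range(mls_range):
    """Parse 'low-high', or a single level where low == high."""
    low, _, high = mls_range.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if high else low_level)

def dominates(a, b):
    """Level a dominates b: sensitivity is >= and categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def mapping_fits(login_range, seuser_range):
    """True if the login mapping's range lies inside the SELinux user's range."""
    login_low, login_high = parse_range(login_range)
    user_low, user_high = parse_range(seuser_range)
    return dominates(login_low, user_low) and dominates(user_high, login_high)

if __name__ == "__main__":
    USER_U_RANGE = "s0"  # allowed range for user_u, as stated in the thread
    # First the range __default__ keeps when only -s is given, then -r s0.
    for login_range in ("s0-s0:c0.c1023", "s0"):
        ok = mapping_fits(login_range, USER_U_RANGE)
        verdict = "valid" if ok else "exceeds allowed range"
        print(f"__default__ -> (user_u, {login_range}): {verdict}")
```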