Bug 1410888

Summary: semanage login fails to set up selinux user name for a default user
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Jelen <jjelen>
Component: policycoreutils
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: dwalsh, fukidid, lvrabec, mgrepl, mmalik, plautrba, ssekidde
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-29 16:11:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jakub Jelen 2017-01-06 17:38:20 UTC
Description of problem:
While trying to reproduce (set up the environment for) the bug #1410785, I ran into the issue with semanage login.

Version-Release number of selected component (if applicable):
policycoreutils-python-2.5-9.el7.x86_64

How reproducible:
deterministic

Steps to Reproduce:
1. Have a clean RHEL7.3 machine (or updated from RHEL7.x?)
2. Run semanage login -m -s user_u __default__

Actual results:

[root@rhel7 ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
[root@rhel7 ~]# semanage login -m -s user_u __default__
libsemanage.validate_handler: MLS range s0-s0:c0.c1023 for Unix user __default__ exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [__default__ -> (user_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
OSError: No such file or directory

The SELinux user is not changed.

Expected results:

Successful change of the SELinux user for __default__

Additional info:
A known workaround is to use

    semanage login -m -s user_u -r s0 __default__

which works and modifies the database properly.

Comment 1 Jakub Jelen 2017-06-29 14:44:56 UTC
The problem still persists in RHEL7.4:

# semanage login -m -s user_u __default__
libsemanage.validate_handler: MLS range s0-s0:c0.c1023 for Unix user __default__ exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [__default__ -> (user_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
OSError: No such file or directory
# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
# rpm -q policycoreutils-python
policycoreutils-python-2.5-17.1.el7.x86_64
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 Beta (Maipo)


Please, do not close bugs without comments explaining why it is not a bug for you.

Comment 2 Petr Lautrbach 2017-06-29 16:11:11 UTC
I'd say that the workaround you described is actually the correct command you need to run.

# semanage login -m -s user_u __default__

This command changes the SELinux user assigned to __default__ to user_u, but it doesn't change the MLS/MCS range. It means that the login __default__ would use the staff_u SELinux user with the s0-s0:c0.c1023 range, and this is not allowed as user_u is allowed only with the s0 range.

Therefore you need to change the range as well:

# semanage login -m -s user_u -r s0 __default__
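The resolution in Comment 2 is that the range carried over from the old mapping (s0-s0:c0.c1023) must be replaced with one the new SELinux user actually permits, which is why -r is required. As an added example that is not part of this bug report, the POSIX shell snippet below looks the permitted range up from the output of semanage user -l and builds the semanage login command that supplies both -s and -r. The listing embedded in the script is a constructed sample approximating the RHEL 7 column layout (on a real host it would come from running the command as root), and the function names allowed_range_for and login_modify_cmd are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): derive the MLS/MCS range that an
# SELinux user permits from `semanage user -l` output, so that the login
# mapping is changed with a matching -r and libsemanage's validate_handler
# does not reject the new seuser mapping.

# Constructed sample of `semanage user -l` output. The column layout
# approximates RHEL 7; a real run would be: semanage user -l
SAMPLE_USER_LIST='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
'

# allowed_range_for SEUSER [LISTING]
# Prints the "MLS/MCS Range" column for SEUSER (4th field of its row).
# Returns 1 if SEUSER does not appear in the listing, so a typo in the
# SELinux user name is caught before semanage is invoked.
allowed_range_for() {
    seuser=$1
    listing=${2:-$SAMPLE_USER_LIST}
    printf '%s\n' "$listing" |
        awk -v u="$seuser" '$1 == u { print $4; found = 1 } END { exit !found }'
}

# login_modify_cmd SEUSER LOGIN [LISTING]
# Prints the semanage login command that sets the SELinux user AND a range
# that user permits, i.e. the form that succeeds in the report above
# ("semanage login -m -s user_u -r s0 __default__").
login_modify_cmd() {
    seuser=$1
    login=$2
    range=$(allowed_range_for "$seuser" "${3:-$SAMPLE_USER_LIST}") || return 1
    printf 'semanage login -m -s %s -r %s %s\n' "$seuser" "$range" "$login"
}

# Stand-alone demonstration against the constructed sample: user_u gets -r s0,
# staff_u keeps the full MCS range, and an unknown user is reported as an error.
login_modify_cmd user_u __default__
login_modify_cmd staff_u __default__
login_modify_cmd nosuch_u __default__ || echo "unknown SELinux user: nosuch_u" >&2
```

On a real host, pass the live listing instead of the sample, e.g. `login_modify_cmd user_u __default__ "$(semanage user -l)"`, and pipe the printed command to sh only after reviewing it. The range lookup keys on the first column only, so the header rows and the blank separator line in semanage's output are ignored without special casing.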