Bug 1410888 - semanage login fails to set up selinux user name for a default user
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: policycoreutils
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Petr Lautrbach
QA Contact: BaseOS QE Security Team
Reported: 2017-01-06 17:38 UTC by Jakub Jelen
Modified: 2020-05-20 07:40 UTC (History)
Last Closed: 2017-06-29 16:11:11 UTC
Description Jakub Jelen 2017-01-06 17:38:20 UTC
Description of problem:
While trying to reproduce (set up the environment for) bug #1410785, I ran into an issue with semanage login.

Version-Release number of selected component (if applicable):
policycoreutils-python-2.5-9.el7.x86_64

How reproducible:
deterministic

Steps to Reproduce:
1. Have a clean RHEL7.3 machine (or updated from RHEL7.x?)
2. Run semanage login -m -s user_u __default__

Actual results:

[root@rhel7 ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
[root@rhel7 ~]# semanage login -m -s user_u __default__
libsemanage.validate_handler: MLS range s0-s0:c0.c1023 for Unix user __default__ exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [__default__ -> (user_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
OSError: No such file or directory

The SELinux user is not changed.

Expected results:

Successfully change the SELinux user for __default__

Additional info:
Known workaround is to use 

    semanage login -m -s user_u -r s0 __default__

which works and modifies the database properly.

Comment 1 Jakub Jelen 2017-06-29 14:44:56 UTC
The problem still persists in RHEL7.4:

# semanage login -m -s user_u __default__
libsemanage.validate_handler: MLS range s0-s0:c0.c1023 for Unix user __default__ exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [__default__ -> (user_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
OSError: No such file or directory
# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
# rpm -q policycoreutils-python
policycoreutils-python-2.5-17.1.el7.x86_64
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 Beta (Maipo)


Please, do not close bugs without comments explaining why it is not a bug for you.

Comment 2 Petr Lautrbach 2017-06-29 16:11:11 UTC
I'd say that the workaround you described is actually the correct command you need to run.

# semanage login -m -s user_u __default__

This command changes the SELinux user assigned to __default__ to user_u but it doesn't change the MLS/MCS range. It means that login __default__ would use staff_u SELinux user with s0-s0:c0.c1023 range and this is not allowed as user_u is allowed only with s0 range.

Therefore you need to change the range as well:

# semanage login -m -s user_u -r s0 __default__
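
Added example (not part of the original bug report and not libsemanage's code): a simplified Python model of the range check behind the "exceeds allowed range" error, showing why the mapping is rejected without -r and accepted with -r s0. The function names and the USER_RANGES table are assumptions made for illustration; the unconfined_u range is assumed from the targeted policy.

```python
import re

# SELinux user -> allowed MLS range. user_u's "s0" comes from the error message
# above; unconfined_u's range is an assumption based on the targeted policy.
USER_RANGES = {"user_u": "s0", "unconfined_u": "s0-s0:c0.c1023"}

def parse_level(text):
    """Parse 's0' or 's0:c0.c3,c7' into (sensitivity, frozenset of categories)."""
    sens, _, cats = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity {sens!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        c = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # cN or a cN.cM span
        if not c:
            raise ValueError(f"bad category {part!r}")
        lo = int(c.group(1))
        hi = int(c.group(2)) if c.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed category span {part!r}")
        categories.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(categories)

def parse_range(text):
    """Parse 'low' or 'low-high' into a (low_level, high_level) pair."""
    low, _, high = text.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if high else low_level)

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def range_contains(allowed, requested):
    """True when the requested range lies inside the allowed range."""
    a_low, a_high = parse_range(allowed)
    r_low, r_high = parse_range(requested)
    return dominates(r_low, a_low) and dominates(a_high, r_high)

def check_login_modify(current_range, new_seuser, new_range=None):
    """Model 'semanage login -m -s USER [-r RANGE]': without -r the mapping
    keeps its current range, which must still fit the new SELinux user."""
    effective = new_range or current_range
    return effective, range_contains(USER_RANGES[new_seuser], effective)

if __name__ == "__main__":
    print(check_login_modify("s0-s0:c0.c1023", "user_u"))        # no -r given
    print(check_login_modify("s0-s0:c0.c1023", "user_u", "s0"))  # with -r s0
```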

