Bug 1410888 - semanage login fails to set up selinux user name for a default user
Summary: semanage login fails to set up selinux user name for a default user
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: policycoreutils
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Petr Lautrbach
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-06 17:38 UTC by Jakub Jelen
Modified: 2020-05-20 07:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-29 16:11:11 UTC
Target Upstream Version:



Description Jakub Jelen 2017-01-06 17:38:20 UTC
Description of problem:
While trying to reproduce (set up the environment for) the bug #1410785, I ran into the issue with semanage login.

Version-Release number of selected component (if applicable):
policycoreutils-python-2.5-9.el7.x86_64

How reproducible:
deterministic

Steps to Reproduce:
1. Have a clean RHEL7.3 machine (or updated from RHEL7.x?)
2. Run semanage login -m -s user_u __default__

Actual results:

[root@rhel7 ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
[root@rhel7 ~]# semanage login -m -s user_u __default__
libsemanage.validate_handler: MLS range s0-s0:c0.c1023 for Unix user __default__ exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [__default__ -> (user_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
OSError: No such file or directory

The SELinux user is not changed.

Expected results:

Successful change of the SELinux user for __default__

Additional info:
Known workaround is to use 

    semanage login -m -s user_u -r s0 __default__

which works and modifies the database properly.

Comment 1 Jakub Jelen 2017-06-29 14:44:56 UTC
The problem still persists in RHEL7.4:

# semanage login -m -s user_u __default__
libsemanage.validate_handler: MLS range s0-s0:c0.c1023 for Unix user __default__ exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [__default__ -> (user_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
OSError: No such file or directory
# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
# rpm -q policycoreutils-python
policycoreutils-python-2.5-17.1.el7.x86_64
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 Beta (Maipo)


Please, do not close bugs without comments explaining why it is not a bug for you.

Comment 2 Petr Lautrbach 2017-06-29 16:11:11 UTC
I'd say that the workaround you described is actually the correct command you need to run.

# semanage login -m -s user_u __default__

This command changes the SELinux user assigned to __default__ to user_u, but it doesn't change the MLS/MCS range. It means that the login __default__ would use the staff_u SELinux user with the s0-s0:c0.c1023 range, and this is not allowed as user_u is allowed only with the s0 range.

Therefore you need to change the range as well:

# semanage login -m -s user_u -r s0 __default__
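The explanation above (and the workaround in the description) comes down to one rule: when a login mapping is moved to a different SELinux user, the mapping's MLS/MCS range must fit inside that user's allowed range, so the `-r` argument has to be derived from `semanage user -l` rather than left at the old value. The following script is an added example, not code from the bug report or from policycoreutils: it parses a `semanage user -l` listing (the embedded one is constructed for the illustration, with the real tool's column layout) and builds the complete `semanage login -m` command. The function names `seuser_range` and `login_modify_cmd`, and the `USE_LIVE` switch, are assumptions for this example.

```shell
#!/bin/sh
# Added example: derive the -r value that "semanage login -m" needs when a
# login is moved to a SELinux user whose allowed MLS/MCS range is narrower
# than the login's current range.

# Constructed sample of "semanage user -l" output (same column layout as the
# real tool on RHEL 7; the rows are illustrative, not captured from a host).
SAMPLE_USER_LIST='                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r'

# seuser_range SEUSER  (listing on stdin)
# Print the allowed MLS/MCS range (4th column) of SEUSER.
# Returns 1 when the SELinux user does not appear in the listing, so a typo
# in the user name is caught before any database change is attempted.
seuser_range() {
    _r=$(awk -v u="$1" '$1 == u { print $4 }')
    [ -n "$_r" ] || return 1
    printf '%s\n' "$_r"
}

# login_modify_cmd LOGIN SEUSER  (listing on stdin)
# Print the full "semanage login -m" command with -r set to the target
# SELinux user's allowed range, i.e. the form that libsemanage accepts.
login_modify_cmd() {
    _range=$(seuser_range "$2") || return 1
    printf 'semanage login -m -s %s -r %s %s\n' "$2" "$_range" "$1"
}

# Stand-alone run: print the command for __default__ -> user_u.
# With USE_LIVE=1 and semanage installed, the live listing is used instead
# of the constructed sample; the command is only printed, never executed.
if [ "${USE_LIVE:-0}" = 1 ] && command -v semanage >/dev/null 2>&1; then
    semanage user -l | login_modify_cmd __default__ user_u
else
    printf '%s\n' "$SAMPLE_USER_LIST" | login_modify_cmd __default__ user_u
fi
```

Running the script as-is prints `semanage login -m -s user_u -r s0 __default__`, the exact workaround form; on a real host you would run it with `USE_LIVE=1` so that the range comes from the local policy, and then execute the printed command deliberately. Keeping the lookup and the change as two steps makes the range that will be written visible before `semanage login -l` is consulted afterwards to confirm the new mapping.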

