Bug 519441 - Unable to Assign >6 Non-Contiguous MCS Categories to a User
Summary: Unable to Assign >6 Non-Contiguous MCS Categories to a User
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.3
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Daniel Walsh
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-08-26 16:03 UTC by sm3501
Modified: 2009-08-26 17:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-26 17:22:45 UTC



Description sm3501 2009-08-26 16:03:54 UTC
Description of problem:
It is not possible to assign >6 non-contiguous MCS labels to a user (e.g., s0-s0:c3,c5,c7,c9,c11,c13,c15). 

Version-Release number of selected component (if applicable):
RHEL5.3 (selinux-policy-targeted.noarch 2.4.6-203.el5) using targeted policy v21 enforcing

How reproducible:
Assign 7 categories to user_1
# semanage login -m -s user_u -r s0-s0:c3,c5,c7,c9,c11,c13,c15 user_1

All 7 category mappings appear to have been applied:
# semanage login -l
user_1 user_u s0-s0:c3,c5,c7,c9,c11,c13,c15

However, as user_1, the 7 category mappings are not linked to the user per the id -Z command. Subsequent attempts to open a file requiring the 7 categories as user_1 fail:

login as user_1 after the 7 categories have been assigned:
id -Z
user_u:system_r:unconfined_t:s0

Expected result of id -Z as user_1 would be:
user_u:system_r:unconfined_t:s0:c3,c5,c7,c9,c11,c13,c15

Assigning six noncontiguous categories to a user works just fine:
# semanage login -m -s user_u -r s0-s0:c3,c5,c7,c9,c11,c13 user_1
 
<login as user_1>
id -Z
user_u:system_r:unconfined_t:s0-s0:c3,c5,c7,c9,c11,c13

<logout of user_1>
 

Steps to Reproduce:
1. As root, semanage login -m -s user_u -r s0-s0:c3,c5,c7,c9,c11,c13,c15 user_1
2. Login as user_1
3. id -Z
  
Actual results:
user_u:system_r:unconfined_t:s0

Expected results:
user_u:system_r:unconfined_t:s0-s0:c3,c5,c7,c9,c11,c13

Additional info:
Unable to reproduce in Fedora 11

Comment 1 Daniel Walsh 2009-08-26 17:22:45 UTC
semanage user -l | grep user_u
user_u          user       s0         s0                             user_r

You cannot have more categories than the SELinux user.

If you want to have a user_u with these categories, you first need to change the user record:

semanage user -m -r s0-s0:c0.c1023 user_u

Then your semanage login should work.
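
The rule in the comment above (a login mapping's MLS/MCS range must lie inside the range of the SELinux user it maps to, or the categories are silently dropped at login) can be checked before anyone logs in. The following script is an added example for this bug, not code from semanage or selinux-policy: it parses the output of `semanage user -l` and `semanage login -l`, expands `cX.cY` category ranges, and reports every mapping whose range the policy will not honour. The sample output embedded below is constructed to match the report (column layout of the RHEL 5 semanage listings is an assumption); on a real host, feed it the output of the two commands instead. It goes slightly beyond the report by checking all mappings at once rather than only user_1.

```python
#!/usr/bin/env python3
"""Pre-check SELinux login mappings: flag any `semanage login` entry whose
MLS/MCS range is not contained in the range of its SELinux user.

Added example for bug 519441; not part of semanage or selinux-policy.
"""
import re

LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")            # s0 or s0:c3,c5 or s0:c0.c1023
RANGE_RE = re.compile(r"^s\d+(?::[^-\s]+)?(?:-s\d+(?::\S+)?)?$")  # level or low-high


def parse_level(level):
    """'s0:c3,c5,c7.c9' -> (sensitivity, frozenset of category numbers).
    A 'cX.cY' item denotes the inclusive category range X..Y."""
    m = LEVEL_RE.match(level)
    if not m:
        raise ValueError(f"bad MLS level: {level!r}")
    cats = set()
    for item in (m.group(2) or "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition(".")
        lo_n = int(lo.lstrip("c"))
        hi_n = int(hi.lstrip("c")) if hi else lo_n
        if hi_n < lo_n:
            raise ValueError(f"bad category range: {item!r}")
        cats.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(cats)


def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low, high); a bare level such as 's0' means low == high."""
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def dominates(a, b):
    """MLS dominance: a >= b iff a's sensitivity is not lower and a's
    category set is a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def range_within(inner, outer):
    """A login range is usable only if user.low <= login.low and
    login.high <= user.high (both in the dominance order)."""
    return dominates(inner[0], outer[0]) and dominates(outer[1], inner[1])


def parse_semanage_user(text):
    """SELinux user -> MLS/MCS range, from `semanage user -l` output
    (assumed columns: user, prefix, level, range, roles...)."""
    users = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and LEVEL_RE.match(f[2]) and RANGE_RE.match(f[3]):
            users[f[0]] = f[3]
    return users


def parse_semanage_login(text):
    """[(login, seuser, range)] from `semanage login -l` output
    (assumed columns: login, SELinux user, range)."""
    return [tuple(f) for f in (l.split() for l in text.splitlines())
            if len(f) == 3 and RANGE_RE.match(f[2])]


def check_mappings(user_text, login_text):
    """Return {login: (seuser, login_range, user_range, ok)}; ok is False when
    the mapping's range is not within the SELinux user's range."""
    users = parse_semanage_user(user_text)
    result = {}
    for login, seuser, rng in parse_semanage_login(login_text):
        urange = users.get(seuser)
        ok = urange is not None and range_within(parse_range(rng), parse_range(urange))
        result[login] = (seuser, rng, urange, ok)
    return result


# Constructed sample output mirroring the report (not captured from a real host).
USER_LIST = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         s0-s0:c0.c1023                 system_r sysadm_r user_r
user_u          user       s0         s0                             user_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r
"""
LOGIN_LIST = """\
Login Name                SELinux User              MLS/MCS Range
__default__               user_u                    s0
user_1                    user_u                    s0-s0:c3,c5,c7,c9,c11,c13,c15
user_2                    staff_u                   s0-s0:c3,c5,c7,c9,c11,c13,c15
"""

if __name__ == "__main__":
    for login, (seuser, rng, urange, ok) in check_mappings(USER_LIST, LOGIN_LIST).items():
        status = "ok" if ok else "NOT within SELinux user range"
        print(f"{login:12} {seuser:8} {rng:30} (user range {urange}): {status}")
```

Against the sample data, user_1 is flagged because user_u's range is the bare level s0, which carries no categories; after `semanage user -m -r s0-s0:c0.c1023 user_u` the same mapping passes, which is exactly the fix the comment gives.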

