Description of problem:
It is not possible to assign >6 non-contiguous MCS labels to a user (e.g., s0-s0:c3,c5,c7,c9,c11,c13,c15).

Version-Release number of selected component (if applicable):
RHEL5.3 (selinux-policy-targeted.noarch 2.4.6-203.el5) using targeted policy v21 enforcing

How reproducible:

Assign 7 categories to user_1
# semanage login -m -s user_u -r s0-s0:c3,c5,c7,c9,c11,c13,c15 user_1

All 7 category mappings appear to have been applied:
# semanage login -l
user_1 user_u s0-s0:c3,c5,c7,c9,c11,c13,c15

However, as user_1, the 7 category mappings are not linked to the user per the id -Z command. Subsequent attempts to open a file requiring the 7 categories as user_1 fail:

login as user_1 after the 7 categories have been assigned:
id -Z
user_u:system_r:unconfined_t:s0

Expected result of id -Z as user_1 would be:
user_u:system_r:unconfined_t:s0:c3,c5,c7,c9,c11,c13,c15

Assigning six noncontiguous categories to a user works just fine:
# semanage login -m -s user_u -r s0-s0:c3,c5,c7,c9,c11,c13 user_1
<login as user_1>
id -Z
user_u:system_r:unconfined_t:s0-s0:c3;c5,c7,c9,c11,c13
<logout of user_1>

Steps to Reproduce:
1. As root, semanage login -m -s user_u -r s0-s0:c3,c5,c7,c9,c11,c13,c15 user_1
2. Login as user_1
3. id -Z

Actual results:
user_u:system_r:unconfined_t:s0

Expected results:
user_u:system_r:unconfined_t:s0-s0:c3;c5,c7,c9,c11,c13

Additional info:
Unable to reproduce in Fedora 11

semanage user -l | grep user_u
user_u user s0 s0 user_r

You cannot have more categories than the SELinux user. If you want to have a user_u with these categories, you first need to change the user record:

semanage user -m -r s0-s0:c0.c1023 user_u

Then your semanage login should work.