Configuration of MCS/MLS of SELinux


Post by MaryGoes » 2011/04/01 10:07:10

Hi all.

I have problems with SELinux configuration.

What should I do to change the MCS/MLS range of users and "login" from s0-s0:c0 to s0-s0:c0.c1023 ("SystemLow-SystemHigh")
with "semanage"?
My SELinux is using the "targeted" policy.

The condition is below.

[root@localhost ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         s0:c0,c3                       system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
[root@localhost ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      root                      s0:c0
[root@localhost ~]# semanage user -m -r s0-s0:c0.c1023 root
libsemanage.validate_handler: MLS range s0:c0 for Unix user root exceeds allowed range s0:c0,c3 for SELinux user root
libsemanage.validate_handler: seuser mapping [root -> (root, s0:c0)] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not modify SELinux user root
[root@localhost ~]# semanage login -m -r s0-s0:c0.c1023 root
libsemanage.validate_handler: MLS range s0-s0:c0.c1023 for Unix user root exceeds allowed range s0:c0,c3 for SELinux user root
libsemanage.validate_handler: seuser mapping [root -> (root, s0-s0:c0.c1023)] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not modify login mapping for root
[root@localhost ~]#
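
The "exceeds allowed range" errors above are range-containment failures: a login mapping's range has to fit inside the range of the SELinux user it maps to. The sketch below is an added example, not part of the original post and not libsemanage code; it models the usual MLS dominance rule in Python and replays the ranges shown in the output. The function names are hypothetical, and the only alias it knows is the s0-s0:c0.c1023 = SystemLow-SystemHigh pairing given in the post.

```python
# Constructed model of MLS/MCS range containment; not libsemanage's implementation.
ALIASES = {"SystemLow-SystemHigh": "s0-s0:c0.c1023"}  # pairing taken from the post

def parse_level(text):
    """Parse 's0:c0,c3' or 's0:c0.c1023' into (sensitivity, frozenset of categories)."""
    sens, _, cats = text.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")        # 'c0.c1023' is an inclusive span
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        categories.update(range(first, last + 1))
    return int(sens[1:]), frozenset(categories)

def parse_range(text):
    """Parse 'low-high'; a single level means low == high."""
    low, _, high = ALIASES.get(text, text).partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def within(inner, outer):
    """True if range `inner` fits inside range `outer`."""
    (ilow, ihigh), (olow, ohigh) = parse_range(inner), parse_range(outer)
    return dominates(ilow, olow) and dominates(ohigh, ihigh)

def explain(login_range, user_range):
    """Return a one-line verdict for a login mapping against its SELinux user."""
    verdict = "fits within" if within(login_range, user_range) else "exceeds"
    return f"login range {login_range} {verdict} SELinux user range {user_range}"

if __name__ == "__main__":
    # Ranges copied from the semanage output and error messages in the post.
    for login, user in [
        ("s0:c0", "s0:c0,c3"),                 # current root mapping vs. root user
        ("s0-s0:c0.c1023", "s0:c0,c3"),        # requested mapping vs. root user
        ("s0-s0:c0.c1023", "s0-s0:c0.c1023"),  # requested mapping vs. widened user
        ("s0", "SystemLow-SystemHigh"),        # __default__ mapping vs. user_u
    ]:
        print(explain(login, user))
```

Because `s0:c0,c3` written as a single level is both the low and the high end of the range, even `s0:c0` falls outside it: the low level must carry at least categories c0 and c3.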
