[DSE-User] Can't change SeLinux login

Éric Deschamps erdesc at free.fr
Fri Sep 13 08:23:36 UTC 2013


Hello,

Using SELinux on a fresh-installed Wheezy server, I encounter several
problems:


I'd like to put my user in unconfined_u login, but it does not work:

# semanage login -m -s "unconfined_u" erdesc
libsemanage.semanage_commit_sandbox: Error while renaming
/etc/selinux/default/modules/active to
/etc/selinux/default/modules/previous. (Permission denied).
/usr/sbin/semanage: Could not commit semanage transaction

But I'm actually using the root account with unconfined_u:
# id -Z
unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh

So bad, still as root, I try to go into permissive mode to help debug,
but I can't:
# setenforce 0
setenforce:  setenforce() failed


/var/log/syslog doesn't help me much:
Sep 13 10:11:48 myhost semanage: Successful:  modify selinux user
mapping name=erdesc sename=unconfined_u old_sename=staff_u MLSRange=s0
old_MLSRange=s0
Sep 13 10:11:49 myhost semanage: Failed:  modify selinux user mapping
name=erdesc sename=unconfined_u

Neither does /var/log/audit.log:
ype=AVC msg=audit(1379059921.724:7826280): avc:  denied  { getattr } for
 pid=52575 comm="unix_chkpwd" name="/" dev="sysfs" ino=1
scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem

Is it an MCS category-related problem or another labelling error?
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Max kernel policy version:      26

I can't find the sealert tool to help debug this.

Any help very welcome :)

Regards,

Éric


