On Mon, Nov 24, 2014 at 12:26 PM, Dominick Grift <dac.override@xxxxxxxxx> wrote:
>> Now, I tried to remove the "object_r" role from one of my test VMs but
>> that totally screwed up the image (system froze, and reboot failed).
>> I'm not sure if I'm allowed to remove it or not now. If I should, I'll
>> investigate it further and see if I can get denials or other
>> information from it.
>
> object_r should be associated with all security identifiers I believe (including selinux user identities)
>
> What you are seeing is expected, and you should not try to remove it

The downside is that with the 2.3 utilities, mentioning "object_r" fails:

~# semanage user -m -R "object_r sysadm_r system_r" root
ValueError: object_r must be an SELinux role:
Valid roles: staff_r, sysadm_r, system_r, unconfined_r, user_r

But with 2.4, not mentioning "object_r" while manipulating the user
definition results in the failure.

That makes it confusing for administrators that need to manage SELinux
systems where one set uses 2.3 userspace and another uses 2.4.
Especially those that use configuration management utilities like salt
or puppet, as those will now need to add in logic to find out if
"object_r" is already in the list or not and update accordingly.

Wkr,
Sven Vermeulen
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
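
The "find out if object_r is already in the list" logic described in the message above, sketched as an added example (not part of the original mail, and not code from salt, puppet or the SELinux userspace). It assumes the user's current roles are read from `semanage user -l` style text, that role names are the fields ending in `_r`, and that a 2.4 system shows `object_r` in that list; both listings are constructed samples.

```python
OBJECT_R = "object_r"

# Constructed sample listings (not captured from a real host).
LISTING_23 = """\
SELinux User    Prefix  MCS Level  MCS Range        SELinux Roles
root            user    s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
"""
LISTING_24 = """\
SELinux User    Prefix  MCS Level  MCS Range        SELinux Roles
root            user    s0         s0-s0:c0.c1023   object_r staff_r sysadm_r system_r
"""


def roles_of(listing, seuser):
    """Return the roles listed for `seuser` in `semanage user -l` style text."""
    for line in listing.splitlines():
        fields = line.split()
        if fields and fields[0] == seuser:
            # Assumption: roles are the fields ending in "_r".
            return [f for f in fields[1:] if f.endswith("_r")]
    raise KeyError(f"SELinux user {seuser!r} not found in listing")


def plan_roles(current, desired):
    """Return the role list to pass to -R, or None when nothing would change.

    object_r is never taken from `desired`; it is carried over only if the
    host already lists it, so the same desired state works on both userspaces.
    """
    wanted = [r for r in desired if r != OBJECT_R]
    if OBJECT_R in current:
        wanted.insert(0, OBJECT_R)
    if set(wanted) == set(current):
        return None  # already in the desired state, do not call semanage
    return wanted


def semanage_command(listing, seuser, desired):
    """Build the argv for the role change, or None if no change is needed."""
    wanted = plan_roles(roles_of(listing, seuser), desired)
    if wanted is None:
        return None
    return ["semanage", "user", "-m", "-R", " ".join(wanted), seuser]


if __name__ == "__main__":
    for name, listing in (("2.3-style", LISTING_23), ("2.4-style", LISTING_24)):
        print(name, semanage_command(listing, "root", ["sysadm_r", "system_r"]))
```
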