On 05/03/2017 03:32 PM, Stephen Smalley wrote:
> On Wed, 2017-05-03 at 15:14 -0400, Stephen Smalley wrote:
>> On Wed, 2017-05-03 at 13:36 -0400, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
>>> I have been having problems mapping logins since removing __default__ from
>>> the policy. Is the __default__ login map required in order for semanage to
>>> set a new mapping?
>>>
>>> The error, specifically:
>>>
>>>   $ sudo semanage login -a -s existing_u existing_login
>>>   libsemanage.dbase_llist_query: could not query record value
>>>   semanage: Could not query user for existing_login
>>>
>>> Policy is based upon refpolicy, but all utils are RHEL6 dist.
>>
>> Not sure what is in RHEL6, but upstream it looks like the code tries to look
>> up the old login/user information before making the change so that it can
>> audit the old and new values. Probably ought to be handling an exception
>> there and recovering cleanly.
>>
>> https://github.com/SELinuxProject/selinux/blob/master/python/semanage/seobject.py#L537
>> https://github.com/SELinuxProject/selinux/commit/a0e538c208e5af07fecb8c045e6341397d0df44a
>
> That said, maybe the first question is why do you want to remove the
> __default__ mapping. Not sure that is even supported via semanage login -d,
> and you're likely to end up having it get regenerated automatically on any
> subsequent semodule/semanage commands even if you manually remove it (unless
> you removed it from the source policy before building in the first place).
> Just set it to the most restrictive values possible, like user_u, s0 or
> guest_u, s0.
Thanks Stephen. As for why, this is for a high assurance solution for which I do not make the requirements.
__default__ is removed from source policy. I don't think semanage can remove logins defined in base policy, and I wouldn't want to, due to the regeneration concerns you already mentioned.
Thank you for the commit reference; that makes it much clearer for me. I'll do some testing, perhaps just write another python script to add new mappings if I absolutely cannot have __default__ defined.
Regards,
--
Paul Arnold, CISSP
Cole Engineering Services, Inc.
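The failure discussed above, modelled as an added Python example (this is not code from seobject.py or libsemanage, and is not part of the original thread): a dict stands in for the seusers store, the sample records are constructed, and every function name (query_record, current_mapping, add_mapping_fragile, add_mapping, compare) is hypothetical. It shows why a lookup that resolves a login to its own record or else to __default__ raises for any not-yet-mapped login once __default__ is gone, and the recovery Stephen suggests: treat the missing old record as unknown in the audit line instead of aborting the add.

```python
"""
Added example, not code from seobject.py or libsemanage: a model of the
"look up the old mapping so it can be audited, then add the new one" step
that semanage login -a performs. A dict stands in for the seusers store and
every function name below is hypothetical.
"""

import copy

# Constructed sample stores. The first has __default__ removed from policy,
# as on the poster's build; the second is the usual shape.
SEUSERS_NO_DEFAULT = {
    "root": ("unconfined_u", "s0-s0:c0.c1023"),
    "system_u": ("system_u", "s0-s0:c0.c1023"),
}
SEUSERS_WITH_DEFAULT = dict(
    SEUSERS_NO_DEFAULT, __default__=("unconfined_u", "s0-s0:c0.c1023")
)


class MappingQueryError(LookupError):
    """Stand-in for libsemanage's 'could not query record value' failure."""


def query_record(store, login):
    """Strict record lookup: the record must exist, otherwise it is an error."""
    try:
        return store[login]
    except KeyError:
        raise MappingQueryError(f"Could not query user for {login}") from None


def current_mapping(store, login):
    """Mapping a login resolves to today: its own record, else __default__.

    With __default__ absent this raises for every login that has no record
    of its own, which is exactly the case when adding a brand-new mapping.
    """
    if login in store:
        return query_record(store, login)
    return query_record(store, "__default__")


def audit_line(login, old, seuser, serange):
    """Format the old and new values the way an audit record would carry them."""
    return (f"add login={login} old-seuser={old[0]} old-range={old[1]} "
            f"new-seuser={seuser} new-range={serange}")


def add_mapping_fragile(store, login, seuser, serange="s0"):
    """Audit lookup first, no exception handling: dies when __default__ is gone."""
    old = current_mapping(store, login)
    if login in store:
        raise ValueError(f"Login mapping for {login} is already defined")
    store[login] = (seuser, serange)
    return audit_line(login, old, seuser, serange)


def add_mapping(store, login, seuser, serange="s0"):
    """Same operation, recovering cleanly: a missing old record is recorded
    as unknown in the audit line and the add proceeds."""
    if login in store:
        raise ValueError(f"Login mapping for {login} is already defined")
    try:
        old = current_mapping(store, login)
    except MappingQueryError:
        old = ("?", "?")
    store[login] = (seuser, serange)
    return audit_line(login, old, seuser, serange)


def compare(store, login, seuser, serange="s0"):
    """Run both variants against copies of the store; report what each did."""
    results = {}
    for name, fn in (("fragile", add_mapping_fragile), ("robust", add_mapping)):
        working = copy.deepcopy(store)
        try:
            results[name] = fn(working, login, seuser, serange)
        except MappingQueryError as exc:
            results[name] = f"error: {exc}"
        results[name + "_stored"] = working.get(login)
    return results


if __name__ == "__main__":
    for label, store in (("without __default__", SEUSERS_NO_DEFAULT),
                         ("with __default__", SEUSERS_WITH_DEFAULT)):
        print(label)
        for key, value in compare(store, "paul", "staff_u", "s0").items():
            print(f"  {key}: {value}")
```

Running the script prints both variants for both stores: without __default__ the fragile path fails before it stores anything, while the robust path records the mapping and logs "?" for the unknown old values; with __default__ present the two behave identically.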