> On May 3, 2017, at 3:47 PM, Arnold, Paul C CTR USARMY PEO STRI (US) <paul.c.arnold4.ctr@xxxxxxxx> wrote:
>
>> On 05/03/2017 03:32 PM, Stephen Smalley wrote:
>>> On Wed, 2017-05-03 at 15:14 -0400, Stephen Smalley wrote:
>>> On Wed, 2017-05-03 at 13:36 -0400, Arnold, Paul C CTR USARMY PEO STRI
>>> (US) wrote:
>>>> I have been having problems mapping logins since removing __default__
>>>> from the policy. Is the __default__ login map required in order for
>>>> semanage to set a new mapping?
>>>>
>>>> The error, specifically:
>>>>
>>>> $ sudo semanage login -a -s existing_u existing_login
>>>> libsemanage.dbase_llist_query: could not query record value
>>>> semanage: Could not query user for existing_login
>>>>
>>>> Policy is based upon refpolicy, but all utils are RHEL6 dist.
>>> Not sure what is in RHEL6, but upstream it looks like the code tries to
>>> look up the old login/user information before making the change so that
>>> it can audit the old and new values. Probably ought to be handling an
>>> exception there and recovering cleanly.
>>>
>>> https://github.com/SELinuxProject/selinux/blob/master/python/semanage/seobject.py#L537
>>>
>>> https://github.com/SELinuxProject/selinux/commit/a0e538c208e5af07fecb8c045e6341397d0df44a
>> That said, maybe the first question is why do you want to remove the
>> __default__ mapping. Not sure that is even supported via semanage
>> login -d, and you're likely to end up having it get regenerated
>> automatically on any subsequent semodule/semanage commands even if you
>> manually remove it (unless you removed it from the source policy before
>> building in the first place).
>>
>> Just set it to the most restrictive values possible, like user_u, s0 or
>> guest_u, s0.
>
> Thanks Stephen. As for why, this is for a high assurance solution for which I do not make the requirements.

Many high assurance systems I've built or reviewed simply map default to a user domain with no privileges. It's quite likely that this is for systems with requirements similar to what you are dealing with. If you want to send me a private email I can likely give you some more helpful details.

Karl

> __default__ is removed from source policy. I don't think semanage can remove logins defined in base policy, and I wouldn't want to due to regeneration concerns you already mentioned.
>
> Thank you for the commit reference; that makes it much clearer for me. I'll do some testing, perhaps just write another python script to add new mappings if I absolutely cannot have __default__ defined.
>
> Regards,
>
> --
> Paul Arnold, CISSP
> Cole Engineering Services, Inc.
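The failure Stephen describes (the add path resolves the login's current mapping first so it can audit old and new values, and that lookup has nothing to fall back on once __default__ is gone) is modelled below in Python. This is a constructed illustration added to the thread, not code from seobject.py or libsemanage: LoginStore, effective_mapping, add_fragile, add_hardened and the sample entries are invented names, and the resolution rule is simplified to "exact entry, else __default__". It contrasts the abort-on-lookup-failure behaviour with the "handle the exception and recover cleanly" variant, and shows why keeping a restrictive __default__ (user_u, s0) makes both work.

```python
# Constructed model of the failure discussed in the thread: an "add login
# mapping" operation that first resolves the login's current effective mapping
# (to audit old vs. new values) and therefore fails when the __default__
# fallback entry has been removed from the policy. Not code from seobject.py
# or libsemanage; LoginStore, effective_mapping, add_fragile, add_hardened and
# the sample entries are invented for this example.


class NoMappingError(Exception):
    """No exact entry for the login and no __default__ entry to fall back to."""


class LoginStore:
    def __init__(self, entries):
        # login name -> (SELinux user, MLS range); __default__ is optional
        self.entries = dict(entries)
        self.audit = []  # (login, old mapping or None, new mapping)

    def effective_mapping(self, login):
        """Resolve what the login maps to today. Simplified to: exact entry,
        else __default__ (the real seusers lookup also considers %group
        entries, omitted here)."""
        if login in self.entries:
            return self.entries[login]
        if "__default__" in self.entries:
            return self.entries["__default__"]
        raise NoMappingError(f"could not query mapping for {login}")

    def add_fragile(self, login, seuser, mls_range="s0"):
        """Audit-then-write with no handling of a failed lookup: mirrors the
        behaviour reported in the thread once __default__ is gone."""
        old = self.effective_mapping(login)  # raises without __default__
        new = (seuser, mls_range)
        self.entries[login] = new
        self.audit.append((login, old, new))
        return old, new

    def add_hardened(self, login, seuser, mls_range="s0"):
        """Same change, but a missing fallback is recorded as 'no prior
        mapping' (old=None) instead of aborting the add."""
        try:
            old = self.effective_mapping(login)
        except NoMappingError:
            old = None
        new = (seuser, mls_range)
        self.entries[login] = new
        self.audit.append((login, old, new))
        return old, new


def demo_without_default():
    """Policy built without __default__: the fragile add fails, the hardened
    add succeeds and audits old=None. Returns (fragile_ok, last audit record)."""
    store = LoginStore({"root": ("unconfined_u", "s0-s0:c0.c1023")})  # constructed
    try:
        store.add_fragile("existing_login", "existing_u")
        fragile_ok = True
    except NoMappingError:
        fragile_ok = False
    store.add_hardened("existing_login", "existing_u")
    return fragile_ok, store.audit[-1]


def demo_with_restrictive_default():
    """Stephen's alternative: keep __default__ but map it to user_u, s0. The
    fragile variant then works too, and the audit record shows the old
    default mapping alongside the new one."""
    store = LoginStore({"__default__": ("user_u", "s0")})  # constructed
    return store.add_fragile("existing_login", "existing_u")


if __name__ == "__main__":
    print(demo_without_default())
    print(demo_with_restrictive_default())
```

The hardened variant is the shape of fix Stephen's comment points at: the audit of the previous value is useful, but its absence is an expected state for a login with no entry and no fallback, not an error that should block creating the mapping.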