Hi Stephen,
I tried all three commands, i.e.:
semanage export > localchanges
semanage login -D
semanage user -D
semanage login -D
semanage user -D
Then I rebooted the system, and after the reboot it is still showing the same id context for the root user, i.e.:
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c1023
Also check the output below:
semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
[root@cucm ~]# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
Please let me know your comments on this.
Thanks
Aman
On Wed, Nov 29, 2017 at 8:17 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Wed, 2017-11-29 at 20:11 +0530, Aman Sharma wrote:
> Hi Stephen,
>
> Thanks for the reply.
>
> Can you please let me know how to delete all local customizations
> (via semanage or manually) and revert
> to a default policy.
First, save any local customizations in case you want to restore them
later:

    semanage export > localchanges

Then, delete them:

    semanage login -D
    semanage user -D

Then logout and log back in.
>
> Otherwise the output of semanage login -l and semanage user -l :
>
> semanage user -l
>
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
>
> admin_u         user       s0         s0-s0:c0.c1023                 sysadm_r system_r
> guest_u         user       s0         s0                             guest_r
> root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r
> specialuser_u   user       s0         s0                             sysadm_r system_r
> staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
> sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
> system_u        user       s0         s0-s0:c0.c1023                 system_r
> unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
> user_u          user       s0         s0                             user_r
> xguest_u        user       s0         s0                             xguest_r
>
>
> semanage login -l
>
> Login Name           SELinux User         MLS/MCS Range        Service
>
> __default__          sysadm_u             s0-s0:c0.c1023       *
> ccmservice           specialuser_u        s0                   *
> cucm                 admin_u              s0-s0:c0.c1023       *
> drfkeys              specialuser_u        s0                   *
> drfuser              specialuser_u        s0                   *
> informix             specialuser_u        s0                   *
> pwrecovery           specialuser_u        s0                   *
> root                 sysadm_u             s0-s0:c0.c1023       *
> sftpuser             specialuser_u        s0                   *
> system_u             sysadm_u             s0-s0:c0.c1023       *
>
> Please let me know if any comments are there.
>
> Thanks
> Aman
>
> On Wed, Nov 29, 2017 at 7:21 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On Wed, 2017-11-29 at 09:33 +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > Below is the output of command :
> > >
> > > sestatus -v output
> > > SELinux status:                 enabled
> > > SELinuxfs mount:                /sys/fs/selinux
> > > SELinux root directory:         /etc/selinux
> > > Loaded policy name:             targeted
> > > Current mode:                   enforcing
> > > Mode from config file:          permissive
> > > Policy MLS status:              enabled
> > > Policy deny_unknown status:     allowed
> > > Max kernel policy version:      28
> > >
> > > Process contexts:
> > > Current context:                system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > > Init context:                   system_u:system_r:init_t:s0
> > > /usr/sbin/sshd                  system_u:system_r:sshd_t:s0-s0:c0.c1023
> > >
> > > File contexts:
> > > Controlling terminal:           system_u:object_r:sshd_devpts_t:s0
> > > /etc/passwd                     system_u:object_r:passwd_file_t:s0
> > > /etc/shadow                     system_u:object_r:shadow_t:s0
> > > /bin/bash                       system_u:object_r:shell_exec_t:s0
> > > /bin/login                      system_u:object_r:login_exec_t:s0
> > > /bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
> > > /sbin/agetty                    system_u:object_r:getty_exec_t:s0
> > > /sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
> > > /usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
> > > /lib/libc.so.6                  system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
> > > /lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0
> > >
> > > Also I am using ssh session for login.
> > >
> > > Please let me know how to change id command context to unconfined_u
> > > or Sysadm_u.
> >
> > So from your earlier message, it is clear that you (or someone else)
> > has heavily customized your semanage login and user mappings from the
> > stock targeted policy. The question is why, and whether you want/need
> > to retain any of those customizations. If not, then you could just
> > delete all local customizations (via semanage or manually) and revert
> > to a stock policy.
> >
> > If you do need to retain some of those customizations, then please show
> > your current semanage login -l and semanage user -l output since you
> > said you ran some further semanage commands after the last output you
> > showed.
> >
> >
>
>
>
> --
>
> Thanks
> Aman
> Cell: +91 9990296404 | Email ID : amansh.sharma5@xxxxxxxxx
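
An added example, not part of the original thread: a small shell check that compares the SELinux user in a session's `id -Z` context with the SELinux user its login name maps to in `semanage login -l`. The function names are made up for this illustration, and the sample input is the post-reset output quoted in the newest message of this thread.

```shell
#!/bin/sh
# Added example: does a session's SELinux user match its login mapping?

# mapped_seuser LOGIN   (reads "semanage login -l" output on stdin)
# Prints the SELinux user mapped to LOGIN, falling back to __default__.
mapped_seuser() {
    awk -v login="$1" '
        $1 == login         { exact = $2 }
        $1 == "__default__" { dflt  = $2 }
        END {
            if (exact != "")     print exact
            else if (dflt != "") print dflt
            else                 exit 1
        }'
}

# check_login_context LOGIN CONTEXT   (reads "semanage login -l" on stdin)
# Returns 0 on match, 1 on mismatch, 2 if no mapping could be found.
check_login_context() {
    login=$1
    actual=${2%%:*}   # SELinux user is the first field of the context
    expected=$(mapped_seuser "$login") || { echo "no mapping for $login"; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "ok: $login runs as $actual"
    else
        echo "mismatch: $login maps to $expected but session runs as $actual"
        return 1
    fi
}

# Sample input copied from the message in this thread (state after the reset).
LOGIN_MAP='Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'
ID_Z='system_u:system_r:unconfined_t:s0-s0:c0.c1023'

# Reports the mismatch visible in the thread; "|| true" keeps the demo exit status 0.
printf '%s\n' "$LOGIN_MAP" | check_login_context root "$ID_Z" || true
```

On a live system the same check can be fed real data with `semanage login -l | check_login_context "$(id -un)" "$(id -Z)"`.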