Hi Stephen,
After enabling the unconfined module and rebooting, it is still showing the same id context.
Is there any way to get the id context back to its normal state again?
Thanks
Aman
On Wed, Nov 29, 2017 at 9:32 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Wed, 2017-11-29 at 21:26 +0530, Aman Sharma wrote:
> Hi Stephen,
>
> The output of semanage export is :
>
> cat localchanges
> boolean -D
> login -D
> interface -D
> user -D
> port -D
> node -D
> fcontext -D
> module -D
> boolean -m -1 domain_kernel_load_modules
> boolean -m -1 selinuxuser_ping
> boolean -m -1 ssh_sysadm_login
> boolean -m -1 tomcat_can_network_non_http_port
> port -a -t tomcat_shutdown_port_t -p tcp 8005
> port -a -t ils_port_t -p tcp 8006
> port -a -t clm_port_t -p tcp 8500
> port -a -t clm_port_t -p udp 8500
> port -a -t snmp_port_t -p udp 61441
> fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?'
> fcontext -a -f a -t db_t '/home/informix(/.*)?'
> fcontext -a -f a -t ipsec_exec_t '/root/.security/ipsec(/.*)?'
> fcontext -a -f a -t tomcat_exec_t '/root/.security/tomcat/tomcat_diagnostics.sh'
> module -d unconfined
Hmmm...someone disabled the unconfined module on your system?
So if you want to go back to using unconfined, you ought to re-enable
that, ala semodule -e unconfined. It looks like someone locked down
that system and was trying to effectively apply a "strict" policy, but
it was left in a broken state.
>
>
> On Wed, Nov 29, 2017 at 9:10 PM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> wrote:
> > On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > I tried all three commands, i.e.
> > > semanage export > localchanges
> > >
> > > semanage login -D
> > > semanage user -D
> > >
> > > Then I rebooted the system, and after the reboot it is still showing the
> > > root user with the same id context, i.e.
> > >
> > > id
> > > uid=0(root) gid=0(root) groups=0(root)
> > > context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > >
> > > id -Z
> > > system_u:system_r:unconfined_t:s0-s0:c0.c1023
> >
> > That's interesting. So what else does semanage export show now as
> > local changes?
> >
> > > Also check the output below:
> > > semanage user -l
> > >
> > >                 Labeling   MLS/       MLS/
> > > SELinux User    Prefix     MCS Level  MCS Range         SELinux Roles
> > >
> > > guest_u         user       s0         s0                guest_r
> > > root            user       s0         s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
> > > staff_u         user       s0         s0-s0:c0.c1023    staff_r sysadm_r system_r unconfined_r
> > > sysadm_u        user       s0         s0-s0:c0.c1023    sysadm_r
> > > system_u        user       s0         s0-s0:c0.c1023    system_r unconfined_r
> > > unconfined_u    user       s0         s0-s0:c0.c1023    system_r unconfined_r
> > > user_u          user       s0         s0                user_r
> > > xguest_u        user       s0         s0                xguest_r
> > > [root@cucm ~]# semanage login -l
> > >
> > > Login Name           SELinux User         MLS/MCS Range        Service
> > >
> > > __default__ unconfined_u s0-s0:c0.c1023 *
> > > root unconfined_u s0-s0:c0.c1023 *
> > > system_u system_u s0-s0:c0.c1023 *
> > >
> > > Please let me know your comments on this.
> > >
> > > Thanks
> > > Aman
> >
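An added example, not from the thread or the SELinux tools themselves: a small POSIX shell audit that reads a `semanage export` dump the way the reply above does (flagging `module -d` lines and locally overridden booleans, and printing the `semodule -e` command that undoes each disabled module), plus a check that compares the SELinux user from `semanage login -l` against the user field of the context `id -Z` actually reports. The dump is a constructed copy of the quoted localchanges file; on a live system you would generate it with `semanage export > localchanges`.

```shell
#!/bin/sh
# Constructed copy of the localchanges dump quoted in the thread.
LOCALCHANGES=$(cat <<'EOF'
boolean -D
module -D
boolean -m -1 ssh_sysadm_login
boolean -m -1 selinuxuser_ping
port -a -t tomcat_shutdown_port_t -p tcp 8005
fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?'
module -d unconfined
EOF
)

# Names of policy modules disabled by a local change: lines of the form
# "module -d NAME". This is the line that explained the thread's symptom.
disabled_modules() {
    printf '%s\n' "$1" | awk '$1 == "module" && $2 == "-d" { print $3 }'
}

# Booleans overridden locally ("boolean -m -1 NAME" turns it on, "-0" off),
# printed as NAME=on|off so the override is visible at a glance.
changed_booleans() {
    printf '%s\n' "$1" | awk '$1 == "boolean" && $2 == "-m" {
        print $4 "=" ($3 == "-1" ? "on" : "off") }'
}

# One "semodule -e NAME" per disabled module: the remediation suggested above.
remediation() {
    for m in $(disabled_modules "$1"); do
        printf 'semodule -e %s\n' "$m"
    done
}

# Compare the SELinux user a login maps to (column 2 of "semanage login -l")
# with the user field of a context string as printed by "id -Z".
check_login_user() {
    expected=$1
    actual=$(printf '%s\n' "$2" | cut -d: -f1)
    if [ "$expected" = "$actual" ]; then
        echo ok
    else
        echo "mismatch: expected $expected, got $actual"
    fi
}

# Stand-alone run over the constructed dump and the thread's root context.
disabled_modules "$LOCALCHANGES"
changed_booleans "$LOCALCHANGES"
remediation "$LOCALCHANGES"
check_login_user unconfined_u "system_u:system_r:unconfined_t:s0-s0:c0.c1023"
```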