salam (Apprentice; Joined: 29 Sep 2005; Posts: 221)
Posted: Mon Nov 12, 2018 8:23 pm
Post subject: SELINUX - Context would be invalid if enforcing
I'm making some progress in learning SELinux, and today I found this kind of problem (using the strict policy, currently permissive, kernel 4.19.0):

Logins map:

    Login Name     SELinux User
    __default__    user_u
    root           root

SEusers map:

    SELinux User   SELinux Roles
    root           staff_r sysadm_r
    staff_u        staff_r sysadm_r
    sysadm_u       sysadm_r
    system_u       system_r
    unconfined_u   unconfined_r
    user_u         user_r
I added the staff_r role to user_u (semanage user -m -R "user_r staff_r" user_u), then did some tests on the user with newrole, checking AVCs (no other modifications to the system were done).
Next, I removed the staff_r role (semanage user -m -R "user_r" user_u).
Since then, a lot of SELinux actions (like loading/unloading a module) bring this to dmesg:
    SELinux: Context user_u:staff_r:postfix_postqueue_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:newrole_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:spamassassin_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:spamc_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:ssh_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:staff_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:staff_ssh_agent_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:staff_sudo_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:staff_screen_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:staff_su_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:sysadm_screen_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:user_screen_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:chfn_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:passwd_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:httpd_user_script_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:at_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:chkpwd_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:pam_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:updpwd_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:utempter_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:cronjob_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:crontab_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:dirmngr_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:gpg_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:gpg_agent_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:gpg_helper_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:gpg_pinentry_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:irc_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:user_mail_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:ping_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:traceroute_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:nscd_t would be invalid if enforcing
    SELinux: Context user_u:staff_r:postfix_postdrop_t would be invalid if enforcing
These messages were not present before I added/removed the role from the user. It is clear that with staff_r removed, the context should not be allowed, but why is this reported to the log if I only reverted the setting back? I even tried to remove user_r, leaving only staff_r, and then I get the same errors, except with the user_r role. So it looks like something is set when adding the role and not cleaned after removing it. All user processes were ended and the user logged in again; no change. Any ideas what needs to be updated?
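As an added example (not part of the post above), a small Python triage helper for exactly these kernel messages: it parses the `would be invalid if enforcing` lines together with the SEusers map and reports, per flagged context, whether the SELinux user simply no longer authorizes that role. It assumes the map is laid out as the post shows it (user, then roles; a real `semanage user -l` listing has extra columns and would need its own parser), and the sample inputs are constructed from the post plus one made-up `ghost_u` line to exercise the missing-user branch.

```python
import re

# Constructed sample: three of the dmesg lines from the post, plus one made-up
# line naming an SELinux user absent from the map, to exercise that branch.
SAMPLE_DMESG = """\
SELinux: Context user_u:staff_r:newrole_t would be invalid if enforcing
SELinux: Context user_u:staff_r:staff_t would be invalid if enforcing
SELinux: Context user_u:user_r:user_t would be invalid if enforcing
SELinux: Context ghost_u:user_r:user_t would be invalid if enforcing
"""

# Constructed sample: the SEusers map in the layout the post shows (abridged).
SAMPLE_SEUSERS = """\
SELinux User SELinux Roles
root staff_r sysadm_r
sysadm_u sysadm_r
user_u user_r
"""

INVALID_RE = re.compile(r"SELinux:\s+Context (\S+) would be invalid if enforcing")

def parse_seusers(text):
    """Map each SELinux user to the set of roles it is authorized for."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "SELinux":  # skip blank and header lines
            continue
        users[fields[0]] = set(fields[1:])
    return users

def invalid_contexts(dmesg):
    """Extract (user, role, type) from every 'would be invalid' kernel message."""
    # [:3] drops an MLS level if the policy has one; the strict policy does not.
    return [tuple(m.group(1).split(":")[:3]) for m in INVALID_RE.finditer(dmesg)]

def explain(dmesg, seusers_text):
    """Return {context: reason} saying why each flagged context fails validation."""
    users = parse_seusers(seusers_text)
    reasons = {}
    for user, role, ctype in invalid_contexts(dmesg):
        ctx = f"{user}:{role}:{ctype}"
        if user not in users:
            reasons[ctx] = f"SELinux user {user} is not defined"
        elif role not in users[user]:
            allowed = " ".join(sorted(users[user]))
            reasons[ctx] = f"role {role} not authorized for {user} (allowed: {allowed})"
        else:
            reasons[ctx] = f"user/role pair valid; check whether {role} may hold type {ctype}"
    return reasons
```

On a live system, feed it `dmesg` output and the current user map; contexts reported as "role ... not authorized" are the ones the kernel would have mapped to the unlabeled SID had it been enforcing.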