Gentoo Forums
SELINUX - Context would be invalid if enforcing
salam
Apprentice
Joined: 29 Sep 2005
Posts: 203

Posted: Mon Nov 12, 2018 8:23 pm    Post subject: SELINUX - Context would be invalid if enforcing

I'm making some progress in learning SELinux, and today I found this kind of problem (using the strict policy, currently permissive, kernel 4.19.0):

Logins map:
Code:
Login Name                SELinux User

__default__               user_u
root                      root

SEusers map:
Code:
SELinux User    SELinux Roles

root            staff_r sysadm_r
staff_u         staff_r sysadm_r
sysadm_u        sysadm_r
system_u        system_r
unconfined_u    unconfined_r
user_u          user_r


I added the staff_r role to user_u (semanage user -m -R "user_r staff_r" user_u), then did some tests on the user with newrole, checking AVCs (no other modifications to the system were made).
Next, I removed the staff_r role (semanage user -m -R "user_r" user_u).

Since then, a lot of SELinux actions (like loading/unloading a module) bring this to dmesg:
Code:
SELinux:  Context user_u:staff_r:postfix_postqueue_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:newrole_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:spamassassin_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:spamc_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:ssh_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:staff_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:staff_ssh_agent_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:staff_sudo_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:staff_screen_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:staff_su_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:sysadm_screen_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:user_screen_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:chfn_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:passwd_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:httpd_user_script_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:at_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:chkpwd_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:pam_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:updpwd_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:utempter_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:cronjob_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:crontab_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:dirmngr_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:gpg_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:gpg_agent_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:gpg_helper_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:gpg_pinentry_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:irc_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:user_mail_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:ping_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:traceroute_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:nscd_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:postfix_postdrop_t would be invalid if enforcing
These messages were not present before I added/removed the role from the user. It is clear that with staff_r removed, the context should not be allowed, but why is this reported to the log if I only reverted the setting back? I even tried to remove user_r, leaving only staff_r, and then I get the same errors, except with the user_r role. So it looks like something is set when adding a role and not cleaned up after removing it. All user processes were ended and the user logged in again; no change. Any ideas what needs to be updated?
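The kernel prints the line quoted above when it revalidates contexts it already knows against a newly loaded policy and, in permissive mode, keeps a context that no longer passes. The following triage script is an added example, not part of the original post: it extracts the user:role:type triples from such dmesg lines, checks each user:role pair against a table shaped like the post's "SEusers map", and lists the types still cached under any pair the current map does not allow. The dmesg lines and the table are constructed samples based on the post's output; a context carrying an MLS range (user:role:type:s0) is tolerated too, which the post's contexts do not show.

```python
import re

CONTEXT_RE = re.compile(r"SELinux:\s+Context (\S+) would be invalid if enforcing")

# Constructed samples: dmesg lines as quoted in the post (one given an
# MLS range to show it is tolerated) and a table shaped like the post's
# "SEusers map", with the header line and blank line it shows.
SAMPLE_DMESG = """\
SELinux:  Context user_u:staff_r:newrole_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:ssh_t would be invalid if enforcing
SELinux:  Context user_u:staff_r:staff_t would be invalid if enforcing
SELinux:  Context staff_u:staff_r:staff_t:s0 would be invalid if enforcing
"""
SAMPLE_SEUSERS = """\
SELinux User    SELinux Roles

staff_u         staff_r sysadm_r
user_u          user_r
"""

def parse_invalid_contexts(dmesg_text):
    """Return (user, role, type) triples; a trailing MLS range is dropped."""
    triples = []
    for m in CONTEXT_RE.finditer(dmesg_text):
        fields = m.group(1).split(":")
        if len(fields) >= 3:
            triples.append(tuple(fields[:3]))
    return triples

def parse_seusers(table_text):
    """Map SELinux user -> set of roles; skips the header and blank lines."""
    roles = {}
    for line in table_text.splitlines()[1:]:
        parts = line.split()
        if parts:
            roles[parts[0]] = set(parts[1:])
    return roles

def find_stale_roles(triples, seusers):
    """Group the types still cached under each user:role pair the map no longer allows."""
    stale = {}
    for user, role, typ in triples:
        if role not in seusers.get(user, set()):
            stale.setdefault((user, role), set()).add(typ)
    return {pair: sorted(types) for pair, types in stale.items()}

if __name__ == "__main__":
    stale = find_stale_roles(parse_invalid_contexts(SAMPLE_DMESG), parse_seusers(SAMPLE_SEUSERS))
    for (user, role), types in stale.items():
        print(f"{user}:{role} is not in the seusers map; {len(types)} cached types: {', '.join(types)}")
```

On a live system, feed it the real `dmesg` output and the output of `semanage user -l` instead of the embedded samples; the staff_u:staff_r context in the sample is reported as fine because staff_r is in staff_u's role set.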