2016-11-18 00:57:05

by Russell Coker

Subject: [refpolicy] system_u LOGIN

In config/appconfig-mcs/seusers we have the following line:

system_u:system_u:s0-mcs_systemhigh

With recent versions of the userspace the Makefile that is included in the
reference policy for building user modules gives the following error on load:

# make load
Compiling default local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/local.mod
Creating default local.pp policy package
Loading default modules: local
libsemanage.add_user: user system_u not in password file
rm tmp/local.mod.fc tmp/local.mod

Has the LOGIN of system_u ever done any good? It seems to do nothing and as
it is now giving errors I think we should remove it.

Also since 2012 in Debian we have had the following patch from
debian at mikapflueger.de. This might be a good thing to have upstream.

diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
index dc5f1e4..62aba7d 100644
--- a/config/appconfig-mcs/seusers
+++ b/config/appconfig-mcs/seusers
@@ -1,3 +1,3 @@
system_u:system_u:s0-mcs_systemhigh
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0-mcs_systemhigh
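Review bot: the two added lines change more than the SELinux user. Besides mapping root and __default__ to unconfined_u, the __default__ line also widens the range from s0 to s0-mcs_systemhigh, so every login without its own seusers entry would get the full category range. These are two separate decisions and the patch description should justify each, or the range change should be split out.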

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
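
An added example, not part of the original message and not refpolicy or libsemanage code: a small lint that parses seusers text and reports login entries with no matching passwd entry (the condition the libsemanage warning above names), plus logins mapped to unconfined_u. The passwd sample, the function names, and the handling of `#` comments and `%group` entries are assumptions made for illustration.

```python
# Added example: lint seusers entries against a passwd file.
# SEUSERS is the post-patch file content quoted in the message above.
SEUSERS = """\
system_u:system_u:s0-mcs_systemhigh
root:unconfined_u:s0-mcs_systemhigh
__default__:unconfined_u:s0-mcs_systemhigh
"""

# Constructed passwd sample (not from the original post).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""


def parse_seusers(text):
    """Return (login, seuser, mls_range) tuples from seusers text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split at most twice: an MLS range such as s0-s0:c0.c1023 contains ':'.
        fields = line.split(":", 2)
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"line {lineno}: expected login:seuser[:range]")
        mls = fields[2] if len(fields) == 3 else ""
        entries.append((fields[0], fields[1], mls))
    return entries


def passwd_names(text):
    """Return the set of account names in passwd-format text."""
    return {l.split(":", 1)[0] for l in text.splitlines()
            if l and not l.startswith("#")}


def lint(seusers_text, passwd_text):
    """Flag logins missing from passwd and logins mapped to unconfined_u."""
    names = passwd_names(passwd_text)
    findings = []
    for login, seuser, _mls in parse_seusers(seusers_text):
        # __default__ and %group entries are not individual accounts.
        is_account = login != "__default__" and not login.startswith("%")
        if is_account and login not in names:
            findings.append(("not-in-passwd", login))
        if seuser == "unconfined_u":
            findings.append(("unconfined", login))
    return findings


if __name__ == "__main__":
    for kind, login in lint(SEUSERS, PASSWD):
        print(f"{kind}: {login}")
```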


2016-11-18 13:28:14

by Christian Göttsche

Subject: [refpolicy] system_u LOGIN

The warning message 'libsemanage.add_user: user system_u not in
password file' seems to be related to the recent changes to
genhomedircon, see https://bugzilla.redhat.com/show_bug.cgi?id=1378204
It can be fixed as shown in the bug report or like I did:
https://github.com/cgzones/debian-package-refpolicy/blob/debian/debian/patches/0043-fix-libsemanage.add_user-user-system_u-not-in-passwo.patch

About the seusers change: I dislike that, because I think the refpolicy
should use confined users by default.

2016-11-18 1:57 GMT+01:00 Russell Coker via refpolicy
<[email protected]>:
> In config/appconfig-mcs/seusers we have the following line:
>
> system_u:system_u:s0-mcs_systemhigh
>
> With recent versions of the userspace the Makefile that is included in the
> reference policy for building user modules gives the following error on load:
>
> # make load
> Compiling default local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> /usr/bin/checkmodule: policy configuration loaded
> /usr/bin/checkmodule: writing binary representation (version 17) to tmp/local.mod
> Creating default local.pp policy package
> Loading default modules: local
> libsemanage.add_user: user system_u not in password file
> rm tmp/local.mod.fc tmp/local.mod
>
> Has the LOGIN of system_u ever done any good? It seems to do nothing and as
> it is now giving errors I think we should remove it.
>
> Also since 2012 in Debian we have had the following patch from
> debian at mikapflueger.de. This might be a good thing to have upstream.
>
> diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
> index dc5f1e4..62aba7d 100644
> --- a/config/appconfig-mcs/seusers
> +++ b/config/appconfig-mcs/seusers
> @@ -1,3 +1,3 @@
> system_u:system_u:s0-mcs_systemhigh
> -root:root:s0-mcs_systemhigh
> -__default__:user_u:s0
> +root:unconfined_u:s0-mcs_systemhigh
> +__default__:unconfined_u:s0-mcs_systemhigh
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2016-11-19 16:15:43

by Chris PeBenito

Subject: [refpolicy] system_u LOGIN

On 11/17/16 19:57, Russell Coker via refpolicy wrote:
> In config/appconfig-mcs/seusers we have the following line:
>
> system_u:system_u:s0-mcs_systemhigh
>
> With recent versions of the userspace the Makefile that is included in the
> reference policy for building user modules gives the following error on load:
[...]
>
> Has the LOGIN of system_u ever done any good? It seems to do nothing and as
> it is now giving errors I think we should remove it.

There's been some discussion about it, and its usefulness seems to have
passed. Unless someone can cite a need for keeping it, I'm open to
removing it.


> Also since 2012 in Debian we have had the following patch from
> debian at mikapflueger.de. This might be a good thing to have upstream.
>
> diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
> index dc5f1e4..62aba7d 100644
> --- a/config/appconfig-mcs/seusers
> +++ b/config/appconfig-mcs/seusers
> @@ -1,3 +1,3 @@
> system_u:system_u:s0-mcs_systemhigh
> -root:root:s0-mcs_systemhigh
> -__default__:user_u:s0
> +root:unconfined_u:s0-mcs_systemhigh
> +__default__:unconfined_u:s0-mcs_systemhigh
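
Review bot: the context line system_u:system_u:s0-mcs_systemhigh is left in place by this hunk, although it is the entry the same message proposes removing because of the libsemanage.add_user warning. Dropping the system_u login should be its own patch so it can be accepted independently of the root and __default__ remapping.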

My preference is to keep the default of confined users.

--
Chris PeBenito