From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 19 Nov 2016 11:15:43 -0500
Subject: [refpolicy] system_u LOGIN
In-Reply-To: <1512107.VaBRCM8Axm@russell.coker.com.au>
References: <1512107.VaBRCM8Axm@russell.coker.com.au>
Message-ID: <04a9aa79-d127-37e0-d063-0e10f9a1e06d@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/17/16 19:57, Russell Coker via refpolicy wrote:
> In config/appconfig-mcs/seusers we have the following line:
>
> system_u:system_u:s0-mcs_systemhigh
>
> With recent versions of the userspace the Makefile that is included in the
> reference policy for building user modules gives the following error on load:
[...]
>
> Has the LOGIN of system_u ever done any good? It seems to do nothing and as
> it is now giving errors I think we should remove it.

There's been some discussion about it, and its usefulness seems to have passed. Unless someone can cite a need for keeping it, I'm open to removing it.

> Also since 2012 in Debian we have had the following patch from
> debian at mikapflueger.de. This might be a good thing to have upstream.
>
> diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
> index dc5f1e4..62aba7d 100644
> --- a/config/appconfig-mcs/seusers
> +++ b/config/appconfig-mcs/seusers
> @@ -1,3 +1,3 @@
> system_u:system_u:s0-mcs_systemhigh
> -root:root:s0-mcs_systemhigh
> -__default__:user_u:s0
> +root:unconfined_u:s0-mcs_systemhigh
> +__default__:unconfined_u:s0-mcs_systemhigh

My preference is to keep the default of confined users.

-- 
Chris PeBenito
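
Review bot: the `__default__` line in the quoted seusers hunk changes two things at once: the SELinux user goes from user_u to unconfined_u and the range widens from s0 to s0-mcs_systemhigh, so every Linux login without its own seusers entry would start unconfined with the full MCS category range. Consider leaving `__default__:user_u:s0` as it is and carrying the unconfined mappings as a distribution-level choice, or at least splitting the root and `__default__` changes so each can be judged on its own. The hunk also keeps `system_u:system_u:s0-mcs_systemhigh` as its context line, which this thread proposes dropping, so it would need rebasing if that removal goes in first.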