Hi Stephen,

After enabling the unconfined module, and after a reboot as well, it is still showing the same id context.
Is there any way to make the id context return to the normal state again?

Thanks
Aman

On Wed, Nov 29, 2017 at 9:32 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On Wed, 2017-11-29 at 21:26 +0530, Aman Sharma wrote:
> > Hi Stephen,
> >
> > The output of semanage export is:
> >
> > cat localchanges
> > boolean -D
> > login -D
> > interface -D
> > user -D
> > port -D
> > node -D
> > fcontext -D
> > module -D
> > boolean -m -1 domain_kernel_load_modules
> > boolean -m -1 selinuxuser_ping
> > boolean -m -1 ssh_sysadm_login
> > boolean -m -1 tomcat_can_network_non_http_port
> > port -a -t tomcat_shutdown_port_t -p tcp 8005
> > port -a -t ils_port_t -p tcp 8006
> > port -a -t clm_port_t -p tcp 8500
> > port -a -t clm_port_t -p udp 8500
> > port -a -t snmp_port_t -p udp 61441
> > fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?'
> > fcontext -a -f a -t db_t '/home/informix(/.*)?'
> > fcontext -a -f a -t ipsec_exec_t '/root/.security/ipsec(/.*)?'
> > fcontext -a -f a -t tomcat_exec_t '/root/.security/tomcat/tomcat_diagnostics.sh'
> > module -d unconfined
>
> Hmmm...someone disabled the unconfined module on your system?
> So if you want to go back to using unconfined, you ought to re-enable
> that, ala semodule -e unconfined. It looks like someone locked down
> that system and was trying to effectively apply a "strict" policy, but
> it was left in a broken state.
>
> > On Wed, Nov 29, 2017 at 9:10 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> > > On Wed, 2017-11-29 at 20:47 +0530, Aman Sharma wrote:
> > > > Hi Stephen,
> > > >
> > > > I tried all three commands, i.e.
> > > > semanage export > localchanges
> > > >
> > > > semanage login -D
> > > > semanage user -D
> > > >
> > > > Then I rebooted the system, and after the reboot it is still showing the
> > > > root user with the same id context, i.e.
> > > >
> > > > id
> > > > uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > > >
> > > > id -Z
> > > > system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > >
> > > That's interesting. So what else does semanage export show now as
> > > local changes?
> > >
> > > > Also check the output below:
> > > > semanage user -l
> > > >
> > > >                 Labeling   MLS/       MLS/
> > > > SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles
> > > >
> > > > guest_u         user       s0         s0              guest_r
> > > > root            user       s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
> > > > staff_u         user       s0         s0-s0:c0.c1023  staff_r sysadm_r system_r unconfined_r
> > > > sysadm_u        user       s0         s0-s0:c0.c1023  sysadm_r
> > > > system_u        user       s0         s0-s0:c0.c1023  system_r unconfined_r
> > > > unconfined_u    user       s0         s0-s0:c0.c1023  system_r unconfined_r
> > > > user_u          user       s0         s0              user_r
> > > > xguest_u        user       s0         s0              xguest_r
> > > >
> > > > [root@cucm ~]# semanage login -l
> > > >
> > > > Login Name      SELinux User     MLS/MCS Range        Service
> > > >
> > > > __default__     unconfined_u     s0-s0:c0.c1023       *
> > > > root            unconfined_u     s0-s0:c0.c1023       *
> > > > system_u        system_u         s0-s0:c0.c1023       *
> > > >
> > > > Please let me know your comments on this.
> > > >
> > > > Thanks
> > > > Aman
> >
> > --
> > Thanks
> > Aman
> > Cell: +91 9990296404 | Email ID : amansh.shar...@gmail.com

--
Thanks
Aman
Cell: +91 9990296404 | Email ID : amansh.shar...@gmail.com
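As an added illustration (not code from the thread or from the SELinux project), a small POSIX shell helper that parses a `semanage export` dump such as the localchanges file quoted above to flag locally disabled policy modules, and checks whether the SELinux user in an `id -Z` context matches the user that `semanage login -l` maps the login to. The function names are hypothetical and the sample dump is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: parse a `semanage export` dump and an
# `id -Z` context to spot the two findings the thread turns on: a policy
# module disabled locally ("module -d unconfined") and a shell whose SELinux
# user does not match the login mapping (system_u instead of unconfined_u).

# Constructed subset of the localchanges file quoted above.
sample_export() {
    cat <<'EOF'
boolean -D
login -D
module -D
boolean -m -1 domain_kernel_load_modules
boolean -m -1 ssh_sysadm_login
port -a -t tomcat_shutdown_port_t -p tcp 8005
port -a -t snmp_port_t -p udp 61441
fcontext -a -f a -t tomcat_t '/home/tomcat(/.*)?'
module -d unconfined
EOF
}

# Names of modules disabled with "module -d <name>" in the dump on stdin.
disabled_modules() {
    awk '$1 == "module" && $2 == "-d" { print $3 }'
}

# One-line summary of the local customizations in the dump on stdin.
summarize_export() {
    awk '
        $1 == "boolean"  && $2 == "-m" { booleans++ }
        $1 == "port"     && $2 == "-a" { ports++ }
        $1 == "fcontext" && $2 == "-a" { fcontexts++ }
        $1 == "module"   && $2 == "-d" { off = (off == "" ? $3 : off "," $3) }
        END { printf "booleans=%d ports=%d fcontexts=%d disabled=%s\n",
                     booleans, ports, fcontexts, off }'
}

# SELinux user component (first field) of a context as printed by `id -Z`.
context_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Return 0 when the context's SELinux user equals the mapped user from
# `semanage login -l`, 1 on the mismatch seen in the thread (root mapped to
# unconfined_u while the shell runs as system_u).
context_matches_mapping() {
    [ "$(context_user "$1")" = "$2" ]
}
```

On a live host the same functions apply to `semanage export` and `id -Z` output directly; re-enabling a module, as the thread notes, is done with `semodule -e <name>`.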