Ask Your Question

How can I change default-setting 'policy deny_unknown status' to deny on Fedora-20

asked 2014-02-03 07:44:07 -0600

halifax gravatar image

updated 2014-09-12 23:00:33 -0600

mether gravatar image

handle-unknown=deny in /etc/selinux/semanage.conf results in following problem:

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2014-02-04 06:28:55 -0600

domg gravatar image

updated 2014-02-04 08:38:07 -0600

If handle-unknown=deny causes issues then comment it out or set it to allow, and rebuild with semodule -B

This is non-sense: You would need to rebuild the selinux-policy package and set it to deny in policy.conf (e.g. it is a build-time option, not a run-time option)

demonstration on youtube

edit flag offensive delete link more


Oh, shift... You are right, and on top of that it seems you actually gotten "handle-unknown=deny" to work judging from the information you provided in the URL above. (i did not know that this would work as well)

Now i am really confused about the context of your question...

Nonetheless, If setting "handle-unknown=deny" causes this issue, then just set it to "handle-unknown=allow" instead or comment it out and rebuild with semodule -B

It might be related to a bug in systemd with regard to SELinux

domg gravatar imagedomg ( 2014-02-04 07:13:51 -0600 )edit

Yes, in one of his posts he shows that he managed to set deny_unknown to denied so i assume that handle-unknown=deny worked afterall (see his latter sestatus paste)

domg gravatar imagedomg ( 2014-02-04 12:29:38 -0600 )edit

Yes i was able to reproduce his issue

changing handle-unknown=deny to handle-unknown=allow, or removing that line altogether from /etc/selinux/semanage.conf, and then running semodule -B fixes the issue

you might want to reboot after that though because systemd logind might be confused

its a selinux related bug in systemd

domg gravatar imagedomg ( 2014-02-04 16:36:27 -0600 )edit

yea, but he wants to have handle-unknown=deny specifically; just to configure gdm to allow login with that policy change.

ILMostro gravatar imageILMostro ( 2014-02-04 16:47:05 -0600 )edit

That is currently impossible as long as the systemd issue is not fixed. ( at least my educated guess is that it is a bug in systemd)

The people responsible are aware of that issue

domg gravatar imagedomg ( 2014-02-04 16:51:06 -0600 )edit

answered 2014-02-03 16:58:01 -0600

updated 2014-02-03 17:22:29 -0600

According to the SELinux wiki, the default is already set at handle-unknown=deny. Also, it says

Note: to activate any change, the base policy needs to be reloaded with the semodule -b command (as semodule -R does not change them).

Furthermore, take a look at the section about /etc/security/sepermit.conf; it seems that the /etc/pam.d/gdm file should be configured by changing the sepermit.conf file--since the sepermit.conf file is being read by the files in /etc/pam.d/ directory during login.

edit flag offensive delete link more



The upstream default is to deny yes, but Fedora changed it (so do some other distro's)

By the way this has nothing to do with sepermit.

The allow_unknown option enables you to specify whether SELinux allows or denies unknown Access Vector permissions.

So for example if the (SE) Linux object manager implements a new permission and the policy is not yet aware of that permissions then it will be allowed/denied depending on what you specify with allow_unknown=

domg gravatar imagedomg ( 2014-02-04 06:32:32 -0600 )edit

I figured something like that, after researching more; but I hadn't come across a definitive article saying so. So, you don't think the OPer can change it in the current policy? Can you provide a succinct description of how to rebuild the selinux-policy?

ILMostro gravatar imageILMostro ( 2014-02-04 06:36:23 -0600 )edit

I could create a screen cast on youtube that demonstrates this yes. Not sure if anyone would take time to watch it though. I suspect that OP probably misunderstood this option because it's not that significant

Anyways sure i will create a demo on youtube just for shits and giggles

domg gravatar imagedomg ( 2014-02-04 06:44:37 -0600 )edit

in the posted forum-thread link, a comment states that the user is able to login with lxdm and lightdm, but not with gdm; that was my rationale behind the sepermit.conf file.

ILMostro gravatar imageILMostro ( 2014-02-04 06:47:39 -0600 )edit

done, its processing

Oh, right i did not look at that URL. That could be sepermit related yes.

domg gravatar imagedomg ( 2014-02-04 07:09:22 -0600 )edit

Question Tools


Asked: 2014-02-03 07:44:07 -0600

Seen: 1,459 times

Last updated: Feb 04 '14