How can I change default-setting 'policy deny_unknown status' to deny on Fedora-20

asked 2014-02-03 07:44:07 -0600 by halifax

updated 2014-09-12 23:00:33 -0600 by mether

handle-unknown=deny in /etc/selinux/semanage.conf results in the following problem:

http://forums.fedoraforum.org/showthread.php?t=297057


2 Answers


answered 2014-02-04 06:28:55 -0600 by domg

updated 2014-02-04 08:38:07 -0600

If handle-unknown=deny causes issues, then comment it out or set it to allow, and rebuild with semodule -B.

This is nonsense: you would need to rebuild the selinux-policy package and set it to deny in policy.conf (i.e. it is a build-time option, not a run-time option).

demonstration on YouTube


Comments

Oh, shift... You are right, and on top of that it seems you actually got "handle-unknown=deny" to work, judging from the information you provided in the URL above. (I did not know that this would work as well.)

Now I am really confused about the context of your question...

Nonetheless, if setting "handle-unknown=deny" causes this issue, then just set it to "handle-unknown=allow" instead or comment it out, and rebuild with semodule -B.

It might be related to a bug in systemd with regard to SELinux.

domg (2014-02-04 07:13:51 -0600)

Yes, in one of his posts he shows that he managed to set deny_unknown to denied, so I assume that handle-unknown=deny worked after all (see his later sestatus paste).

domg (2014-02-04 12:29:38 -0600)

Yes, I was able to reproduce his issue.

Changing handle-unknown=deny to handle-unknown=allow, or removing that line altogether from /etc/selinux/semanage.conf, and then running semodule -B fixes the issue.

You might want to reboot after that though, because systemd logind might be confused.

It's a SELinux-related bug in systemd.

domg (2014-02-04 16:36:27 -0600)

Yeah, but he wants to have handle-unknown=deny specifically; just to configure gdm to allow login with that policy change.

ILMostro (2014-02-04 16:47:05 -0600)

That is currently impossible as long as the systemd issue is not fixed (at least my educated guess is that it is a bug in systemd).

The people responsible are aware of that issue.

domg (2014-02-04 16:51:06 -0600)

answered 2014-02-03 16:58:01 -0600

updated 2014-02-03 17:22:29 -0600

According to the SELinux wiki, the default is already set at handle-unknown=deny. Also, it says

Note: to activate any change, the base policy needs to be reloaded with the semodule -b command (as semodule -R does not change them).

Furthermore, take a look at the section about /etc/security/sepermit.conf; it seems that the /etc/pam.d/gdm file should be configured by changing the sepermit.conf file, since the sepermit.conf file is read by the files in the /etc/pam.d/ directory during login.


Comments

The upstream default is to deny, yes, but Fedora changed it (so did some other distros).

By the way, this has nothing to do with sepermit.

The allow_unknown option enables you to specify whether SELinux allows or denies unknown Access Vector permissions.

So, for example, if the (SE)Linux object manager implements a new permission and the policy is not yet aware of that permission, then it will be allowed/denied depending on what you specify with allow_unknown=.

domg (2014-02-04 06:32:32 -0600)

I figured something like that, after researching more; but I hadn't come across a definitive article saying so. So, you don't think the OPer can change it in the current policy? Can you provide a succinct description of how to rebuild the selinux-policy?

ILMostro (2014-02-04 06:36:23 -0600)

I could create a screencast on YouTube that demonstrates this, yes. Not sure if anyone would take time to watch it though. I suspect that OP probably misunderstood this option because it's not that significant.

Anyway, sure, I will create a demo on YouTube just for shits and giggles.

domg (2014-02-04 06:44:37 -0600)

In the posted forum-thread link, a comment states that the user is able to log in with lxdm and lightdm, but not with gdm; that was my rationale behind the sepermit.conf file.

ILMostro (2014-02-04 06:47:39 -0600)

Done, it's processing.

Oh, right, I did not look at that URL. That could be sepermit related, yes.

domg (2014-02-04 07:09:22 -0600)
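A small consistency check, added here as an example and not code from any of the posters above, that compares the handle-unknown line in /etc/selinux/semanage.conf with the "Policy deny_unknown status" that sestatus reports; the file contents and sestatus output below are constructed samples, and a mismatch between the two is the state the thread describes before semodule -B (and a reboot) has applied the change.

```shell
#!/bin/sh
# Constructed sample of /etc/selinux/semanage.conf (not a real capture):
# the active line requests deny; an older commented-out line must be ignored.
SAMPLE_SEMANAGE_CONF='module-store = direct
# handle-unknown=allow
handle-unknown=deny
expand-check=1'

# Constructed sample of `sestatus` output as it looks before `semodule -B`
# has rebuilt the policy with the new setting.
SAMPLE_SESTATUS='SELinux status:                 enabled
Current mode:                   enforcing
Policy deny_unknown status:     allowed'

# Print the handle-unknown value configured in semanage.conf text read from
# stdin. Comment lines are skipped; the last active line wins. With no active
# line, print "unset": the build-time default then applies (allow on Fedora,
# per the thread).
configured_handle_unknown() {
    v=$(sed -n 's/^[[:space:]]*handle-unknown[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unset\n'
}

# Print the deny_unknown status from sestatus text read from stdin
# ("allowed", "denied", or "unknown" if the line is missing).
effective_deny_unknown() {
    v=$(sed -n 's/^Policy deny_unknown status:[[:space:]]*\([a-z]*\).*/\1/p')
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unknown\n'
}

# Compare configured vs. effective. Returns 0 if they agree, 1 if the loaded
# policy still carries the old setting (semodule -B has not been run yet).
check_deny_unknown() {
    conf=$(printf '%s\n' "$1" | configured_handle_unknown)
    eff=$(printf '%s\n' "$2" | effective_deny_unknown)
    case "$conf:$eff" in
        deny:denied|allow:allowed)
            echo "consistent: handle-unknown=$conf, deny_unknown=$eff"; return 0 ;;
        unset:*)
            echo "handle-unknown not set; loaded policy reports $eff"; return 0 ;;
        *)
            echo "mismatch: semanage.conf says $conf but loaded policy says $eff; run 'semodule -B' and reboot"; return 1 ;;
    esac
}

# On a real host: check_deny_unknown "$(cat /etc/selinux/semanage.conf)" "$(sestatus)"
check_deny_unknown "$SAMPLE_SEMANAGE_CONF" "$SAMPLE_SESTATUS" || true
```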
