fix: include role.cil, context file, and semanage in make install#1
Open
Amy-Ra-lph wants to merge 2 commits into
- Add blastwall-role.cil to ALL_CIL — without it, semodule fails with "Failed to resolve roleattributeset"
- Install contexts/blastwall_u to /etc/selinux/targeted/contexts/users/ during make install — without it, pam_selinux silently falls back to staff_t and no kernel deny scopes are enforced
- Register blastwall_u via semanage user during install — without it, SSSD selinux_child crashes with exit status 1 on login
- Clean up user and context file on uninstall

Tested on RHEL 10.0 (kernel 6.12.0, SELinux targeted).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Change the semanage user registration from the full MCS range (s0-s0:c0.c1023) to just s0, matching Greg's tighter confinement approach.

The semanage user range sets the ceiling — what categories the user CAN access. The actual range applied at login comes from the IPA SELinux user map string. If the IPA map specifies a wider range than semanage allows, SSSD's selinux_child rejects it. Default s0 is correct for most deployments.

Deployers who need per-agent MCS category isolation can override:

    make install SELINUX_MCS="s0-s0:c0.c1023"

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Author

Good catch on the MCS range — updated to default to The So the relationship is:

Default We had used the full range in our PoC because our IPA maps specified it — but that was our config choice, not a requirement.
Summary
- Add `blastwall-role.cil` to `ALL_CIL` — without it, `semodule -i` fails with "Failed to resolve roleattributeset"
- Install `contexts/blastwall_u` to `/etc/selinux/targeted/contexts/users/` — without it, `pam_selinux` silently falls back to `staff_t` and no kernel deny scopes are enforced
- Register `blastwall_u` via `semanage user` during install — without it, SSSD `selinux_child` crashes with exit status 1 on login
- Clean up user and context file on `make uninstall`

Context
Found while deploying Blastwall on a 3-node RHEL 10 Beaker lab for an AI agent confinement PoC. The policy design is excellent — all 7 deny scopes work correctly and survive sudo. These are deployment ordering issues, not design problems.
The silent fallback to `staff_t` (issue #2) is the most dangerous because there's no error, no log entry — everything appears to work but confinement is absent.

Test plan
- `make install` succeeds without manual `semodule -i blastwall-role.cil`
- `id -Z` after SSH login shows `blastwall_u:blastwall_r:blastwall_t:s0` (not `staff_t`)
- `semanage user -l | grep blastwall_u` shows the user registered
- `ls /etc/selinux/targeted/contexts/users/blastwall_u` exists
- `make uninstall` cleans up user, context file, and all modules

Tested on RHEL 10.0 (Coughlan), kernel 6.12.0-55.76.1.el10_0.x86_64.
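The second commit describes the `semanage user` range as a ceiling that the IPA user-map range must fit inside, and the test plan checks `id -Z` for the `staff_t` fallback. The following added checker (example code, not from the Blastwall project or this PR) models both: it parses MCS levels and ranges, reports whether a login range fits inside a ceiling, and flags a login context whose type is not the expected confined type. All sample strings are constructed.

```python
"""Check an SELinux MCS login range against a semanage user ceiling (added example)."""
import re

# A level is 's<N>' optionally followed by ':' and categories such as 'c0.c1023' or 'c3,c7'.
LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


def parse_level(level: str) -> tuple[int, frozenset[int]]:
    """'s0:c0.c3,c7' -> (0, {0, 1, 2, 3, 7}); 'cA.cB' is an inclusive category span."""
    m = LEVEL_RE.match(level.strip())
    if not m:
        raise ValueError(f"bad MCS level: {level!r}")
    cats: set[int] = set()
    for part in filter(None, (m.group(2) or "").split(",")):
        lo, _, hi = part.partition(".")
        lo_n = int(lo.lstrip("c"))
        hi_n = int(hi.lstrip("c")) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(cats)


def parse_range(rng: str) -> tuple[tuple[int, frozenset[int]], tuple[int, frozenset[int]]]:
    """'s0-s0:c0.c1023' -> (low, high); a bare 's0' means low == high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)


def dominates(a: tuple[int, frozenset[int]], b: tuple[int, frozenset[int]]) -> bool:
    """Level a dominates b when its sensitivity is >= and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def range_within_ceiling(login_range: str, ceiling: str) -> bool:
    """True when the IPA map range fits inside the semanage user range (the ceiling).

    With the default ceiling 's0', a map asking for 's0-s0:c0.c1023' does not fit,
    which is the combination the commit message says selinux_child rejects.
    """
    lo, hi = parse_range(login_range)
    ceiling_lo, ceiling_hi = parse_range(ceiling)
    return dominates(lo, ceiling_lo) and dominates(ceiling_hi, hi)


def confined_at_login(id_z_output: str, expected_type: str = "blastwall_t") -> bool:
    """Parse `id -Z` output (user:role:type:range; the range may itself contain ':')
    and report whether the session landed in the expected type rather than a fallback."""
    _user, _role, typ, _rng = id_z_output.strip().split(":", 3)
    return typ == expected_type


if __name__ == "__main__":
    print(range_within_ceiling("s0-s0:c0.c1023", "s0"))          # constructed: map wider than ceiling
    print(confined_at_login("blastwall_u:blastwall_r:blastwall_t:s0"))  # constructed id -Z line
```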