From 4fd49f74363ebf3b8a12ce736cb84cb5fa1d20c0 Mon Sep 17 00:00:00 2001
From: Amy-Ra-lph
Date: Mon, 1 Jun 2026 13:08:34 -0400
Subject: [PATCH 1/2] fix: include role.cil and context file in make install
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add blastwall-role.cil to ALL_CIL — without it, semodule fails with "Failed to resolve roleattributeset"
- Install contexts/blastwall_u to /etc/selinux/targeted/contexts/users/ during make install — without it, pam_selinux silently falls back to staff_t and no kernel deny scopes are enforced
- Register blastwall_u via semanage user during install — without it, SSSD selinux_child crashes with exit status 1 on login
- Clean up user and context file on uninstall
Tested on RHEL 10.0 (kernel 6.12.0, SELinux targeted).
Co-Authored-By: Claude Opus 4.6
---
 policy/Makefile | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/policy/Makefile b/policy/Makefile
index 9214baa..9987910 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -4,9 +4,12 @@ DENY_POLICIES := blastwall-alg-socket-deny blastwall-bpf-deny blastwall-policy-s
 VERSION := 0.5.2
 SELINUX_DEVEL ?= /usr/share/selinux/devel
+ROLE_CIL := blastwall-role.cil
 SUPPORT_CIL := $(addsuffix .cil,$(SUPPORT_POLICIES))
 DENY_CIL := $(addsuffix .cil,$(DENY_POLICIES))
-ALL_CIL := $(SUPPORT_CIL) $(DENY_CIL)
+ALL_CIL := $(ROLE_CIL) $(SUPPORT_CIL) $(DENY_CIL)
+CONTEXT_FILE := contexts/blastwall_u
+CONTEXT_DIR := /etc/selinux/targeted/contexts/users
 .PHONY: all clean install uninstall check
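Review bot: `CONTEXT_DIR := /etc/selinux/targeted/contexts/users` pins the policy store to `targeted` with a non-overridable `:=`, while the neighbouring `SELINUX_DEVEL ?=` is a user knob; on a host whose /etc/selinux/config selects a different store (mls, minimum) the context file is installed where pam_selinux will not look for it, and the silent fallback the commit message describes is likely to recur. Make the store a variable: `SELINUX_TYPE ?= targeted` and `CONTEXT_DIR := /etc/selinux/$(SELINUX_TYPE)/contexts/users`. Honouring `DESTDIR` in front of `CONTEXT_DIR` would additionally let packaging stage the file instead of writing into the live system during a build. The module name that `ROLE_CIL` introduces is spelled out a second time as `blastwall-role` in the uninstall hunk; deriving it there as `$(ROLE_CIL:.cil=)` keeps the two in step.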
@@ -22,11 +25,17 @@ check:
 install: $(POLICY).pp
 	semodule -i $(POLICY).pp $(ALL_CIL)
+	install -m 0644 $(CONTEXT_FILE) $(CONTEXT_DIR)/blastwall_u
+	semanage user -a -R "blastwall_r" -r "s0-s0:c0.c1023" blastwall_u 2>/dev/null || \
+	semanage user -m -R "blastwall_r" -r "s0-s0:c0.c1023" blastwall_u
 uninstall:
 	@for p in $(DENY_POLICIES); do semodule -r $$p 2>/dev/null || true; done
 	@for p in $(SUPPORT_POLICIES); do semodule -r $$p 2>/dev/null || true; done
+	-semodule -r blastwall-role
 	-semodule -r $(POLICY)
+	-semanage user -d blastwall_u 2>/dev/null
+	-rm -f $(CONTEXT_DIR)/blastwall_u
 clean:
 	rm -f *.pp *.mod *.fc.tmp

From 3868a76e161a713fa0e9f87bc36a63a43da261ba Mon Sep 17 00:00:00 2001
From: Amy-Ra-lph
Date: Mon, 1 Jun 2026 13:58:31 -0400
Subject: [PATCH 2/2] fix: use s0 as default MCS range, make it configurable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change the semanage user registration from the full MCS range (s0-s0:c0.c1023) to just s0, matching Greg's tighter confinement approach. The semanage user range sets the ceiling — what categories the user CAN access. The actual range applied at login comes from the IPA SELinux user map string. If the IPA map specifies a wider range than semanage allows, SSSD's selinux_child rejects it. Default s0 is correct for most deployments. Deployers who need per-agent MCS category isolation can override:
    make install SELINUX_MCS="s0-s0:c0.c1023"
Co-Authored-By: Claude Opus 4.6
---
 policy/Makefile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/Makefile b/policy/Makefile
index 9987910..a6a86d0 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -10,6 +10,7 @@ DENY_CIL := $(addsuffix .cil,$(DENY_POLICIES))
 ALL_CIL := $(ROLE_CIL) $(SUPPORT_CIL) $(DENY_CIL)
 CONTEXT_FILE := contexts/blastwall_u
 CONTEXT_DIR := /etc/selinux/targeted/contexts/users
+SELINUX_MCS ?= s0
 .PHONY: all clean install uninstall check
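Review bot: In the uninstall recipe, `-semanage user -d blastwall_u` runs only after `-semodule -r blastwall-role`, yet at that moment the locally registered user still names `blastwall_r`, so the policy rebuild that the module removal triggers is likely to fail on the dangling role; the `-` prefix hides that failure and the role module stays loaded. Drop the user before touching any module: move `-semanage user -d blastwall_u 2>/dev/null` to the first line of the recipe, ahead of both `@for` loops. The `-` on `-rm -f $(CONTEXT_DIR)/blastwall_u` is redundant with `-f`, and `$(notdir $(CONTEXT_FILE))` would avoid spelling the basename twice in both the install and uninstall recipes. On the install side the `2>/dev/null || \` fallback turns every failure of `semanage user -a`, not only "user already defined", into a `-m` attempt; that is workable because the second call still reports on stderr, but it deserves the comment `# -a fails once blastwall_u exists; -m then updates its role and range in place` — the same lines are rewritten in the second patch's hunk at old line 26 and the comment belongs there too.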
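Review bot: `SELINUX_MCS ?= s0` carries no comment, so the ceiling semantics that justify the change (the range registered with semanage is the most a login map may request, and a wider map is rejected at login) live only in the commit message. Add above the line `# MCS range ceiling registered for blastwall_u (semanage user -r); a login map may not exceed it.` and `# Override for per-agent category isolation: make install SELINUX_MCS="s0-s0:c0.c1023"`. A reader of the Makefile alone otherwise cannot tell whether s0 is a deliberate tightening or an oversight.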
@@ -26,8 +27,8 @@ check:
 install: $(POLICY).pp
 	semodule -i $(POLICY).pp $(ALL_CIL)
 	install -m 0644 $(CONTEXT_FILE) $(CONTEXT_DIR)/blastwall_u
-	semanage user -a -R "blastwall_r" -r "s0-s0:c0.c1023" blastwall_u 2>/dev/null || \
-	semanage user -m -R "blastwall_r" -r "s0-s0:c0.c1023" blastwall_u
+	semanage user -a -R "blastwall_r" -r "$(SELINUX_MCS)" blastwall_u 2>/dev/null || \
+	semanage user -m -R "blastwall_r" -r "$(SELINUX_MCS)" blastwall_u
 uninstall:
 	@for p in $(DENY_POLICIES); do semodule -r $$p 2>/dev/null || true; done
 	@for p in $(SUPPORT_POLICIES); do semodule -r $$p 2>/dev/null || true; done
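Review bot: `-r "$(SELINUX_MCS)"` is quoted correctly, but nothing rejects an empty value: `make install SELINUX_MCS=` defines the variable as empty so the `?=` default never applies, and the recipe hands `semanage user -r ""` to the shell after the modules have already been loaded, with the first call's diagnostic discarded by `2>/dev/null`. A parse-time guard beside the variable definition, `$(if $(strip $(SELINUX_MCS)),,$(error SELINUX_MCS must not be empty))`, fails before `semodule -i` runs. Since the value is a security ceiling, it is also worth echoing what was registered, e.g. `@echo "registered blastwall_u with MCS range $(SELINUX_MCS)"` as the last line of the install recipe, so the chosen range appears in build logs. The uninstall recipe at the bottom of the hunk continues outside it.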