From 16d66d09b22764f968fb321f5809bdfaf6b76cff Mon Sep 17 00:00:00 2001 From: Amy-Ra-lph Date: Mon, 1 Jun 2026 13:09:51 -0400 Subject: [PATCH] docs: add deployment ordering table to policy README MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Document the critical install sequence and the silent staff_t fallback that occurs when the context file is missing. This is the most common deployment issue — everything appears to work but confinement is absent. Co-Authored-By: Claude Opus 4.6 --- policy/README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/policy/README.md b/policy/README.md index b1b2252..8de27b4 100644 --- a/policy/README.md +++ b/policy/README.md 
@@ -10,6 +10,26 @@ complete the `pam_selinux` selected-context transition into `blastwall_t` so GSSAPI automation can enter the confined domain before the deny scopes are tested. +## Deployment ordering + +The install steps must happen in this order. Missing or reordering +causes silent fallback to `staff_t` or PAM login failures. + +| Step | Command | What breaks if skipped | +|------|---------|----------------------| +| 1. Install CIL modules | `cd policy && make install` | No `blastwall_t` domain | +| 2. Register SELinux user | `semanage user -a -R "blastwall_r" -r "s0-s0:c0.c1023" blastwall_u` | SSSD `selinux_child` crashes (error 4) | +| 3. Install context file | `cp policy/contexts/blastwall_u /etc/selinux/targeted/contexts/users/` | pam_selinux falls back to `staff_t` silently | +| 4. Create SELinux user map | (IPA/LDAP-specific — map users to `blastwall_u` on target hosts) | Users don't get the confined context | + +> **Warning:** Step 3 failure is the most dangerous — there is no error, +> no log entry, and no warning. Users log in successfully but run in +> `staff_t` with no kernel deny enforcement. Always verify with +> `id -Z` after first login. + +Steps 2 and 3 are handled automatically by `make install` if +[PR #1](https://github.com/gprocunier/blastwall/pull/1) is merged. + ## Optional blocks Some SELinux object classes are only present on newer kernels. For
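Review bot: The warning block tells readers to verify with `id -Z` after first login but never states what a correct result looks like; add the expected context prefix (`blastwall_u:blastwall_r:blastwall_t`) beside the `staff_t` failure case so a reader can distinguish pass from fail, and, since the text says the step-3 failure leaves no log entry, consider a pre-login check as well (that `/etc/selinux/targeted/contexts/users/blastwall_u` exists and that `semanage user -l` lists `blastwall_u`). Step 4 is the only row without a command; if local hosts are supported, the local equivalent `semanage login -a -s blastwall_u <login>` (suggested here, not taken from the patch) would make the row actionable alongside the IPA/LDAP note. The closing sentence "handled automatically by `make install` if PR #1 is merged" documents a future state: either describe present behaviour and update the README when that PR lands, or mark the sentence as pending, otherwise the per-step table and the sentence contradict each other once it merges.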