Dan Walsh's Blog

Got SELinux?


Suddenly lots of AVC's in Rawhide.
danwalsh
I have tried to encourage people to run SELinux on a more tightly confined system. You can remove the unconfined module and run almost all of your system confined, and you can remove the unconfineduser module if you want to confine all of your users. But in order to have this work for many people, I have to see and fix whatever AVCs would happen with those packages removed.

Temporarily in Rawhide I have changed the unconfined_domain() interface to set permissive rather than unconfined. This means that the "unconfined" domains will still be able to do everything they could before, but they will now generate AVCs.

How do you tell if a domain is a permissive domain? Look at the SYSCALL record that accompanies the AVC: if it has "success=yes", you have a pretty good idea this is a permissive domain. When the kernel says "success=yes", that means it did not block anything.

setroubleshoot should also point this out.
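The check above can be scripted over raw audit records. This is an added example, not code from the post: it pairs each AVC record with the SYSCALL record that shares its audit(timestamp:serial) event id and reports whether the denied call still succeeded. The two sample events are constructed for the example; prelink_t is one of the permissive domains in the seinfo output below, while the httpd_t event models a confined domain whose syscall was actually blocked.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the post). Each event is an
# AVC line plus the SYSCALL line that carries the same audit(...) event id.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1279562400.123:456): avc:  denied  { read } for  pid=1234 comm="prelink" name="shadow" dev=sda1 ino=12345 scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1279562400.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=1234 comm="prelink" exe="/usr/sbin/prelink" subj=system_u:system_r:prelink_t:s0 key=(null)
type=AVC msg=audit(1279562401.456:457): avc:  denied  { write } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=6789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1279562401.456:457): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1 a1=1 a2=0 a3=0 items=1 ppid=1 pid=2345 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
# Third field of scontext (user:role:type:...) is the source domain.
SCONTEXT = re.compile(r"scontext=[^:\s]+:[^:\s]+:([^:\s]+):")
SUCCESS = re.compile(r"\bsuccess=(yes|no)\b")

def classify_avcs(log_text):
    """Return {event_id: (source_domain, still_succeeded)} for every AVC that
    has a matching SYSCALL record. still_succeeded is True when the kernel
    reported success=yes, i.e. the denial was logged but not enforced, which
    is what a permissive domain (or a permissive system) looks like."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        rec = events[m.group(1)]
        if line.startswith("type=AVC "):
            s = SCONTEXT.search(line)
            if s:
                rec["domain"] = s.group(1)
        elif line.startswith("type=SYSCALL "):
            s = SUCCESS.search(line)
            if s:
                rec["success"] = s.group(1) == "yes"
    return {eid: (r["domain"], r["success"])
            for eid, r in events.items() if "domain" in r and "success" in r}

def permissive_domains(log_text):
    """Domains whose AVC denials were not enforced, sorted for stable output."""
    return sorted({d for d, ok in classify_avcs(log_text).values() if ok})

if __name__ == "__main__":
    for eid, (domain, ok) in sorted(classify_avcs(SAMPLE_AUDIT_LOG).items()):
        print(eid, domain, "not enforced (permissive)" if ok else "enforced denial")
```

Feed it the output of `ausearch -m avc,syscall -r` or the raw lines from /var/log/audit/audit.log; a domain that shows up here but is not in the seinfo list means the whole system is permissive, not just that domain.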

You can also see the list of permissive domains using seinfo --permissive:

 seinfo --permissive

Permissive Types: 50
   bootloader_t
   devicekit_power_t
   ModemManager_t
   ldconfig_t
   smoltclient_t
   unconfined_cronjob_t
   kdumpgui_t
   sandbox_xserver_t
   setfiles_mac_t
   initrc_t
   ada_t
   fsadm_t
   kudzu_t
   lvm_t
   mdadm_t
   mono_t
   wine_t
   setroubleshoot_fixit_t
   gconfdefaultsm_t
   gnomesystemmm_t
   prelink_t
   anaconda_t
   system_cronjob_t
   tmpreaper_t
   samba_unconfined_net_t
   devicekit_disk_t
   firstboot_t
   samba_unconfined_script_t
   httpd_unconfined_script_t
   depmod_t
   insmod_t
   apmd_t
   clvmd_t
   crond_t
   inetd_t
   init_t
   kdump_t
   udev_t
   virtd_t
   xend_t
   rtkit_daemon_t
   devicekit_t
   remote_login_t
   inetd_child_t
   unconfined_t
   hddtemp_t
   ricci_modcluster_t
   ptchown_t
   useradd_t
   xserver_t

As we get closer to release I will change the domains back to unconfined and remove most of the permissive flags.

Thanks for your patience, and keep sending in the bug reports.
