I have tried to encourage people to run SELinux on a more tightly confined system. You can remove the unconfined module and run almost all of your system as confined, and you can remove the unconfineduser module if you want to confine all of your users. But in order to have this work for many people, I have to see and fix whatever AVCs would happen with the packages removed.
Temporarily, in Rawhide, I have changed the unconfined_domain() interface to set permissive rather than unconfined. This means that the "unconfined" domains will still be able to do everything they could before, but they will generate AVCs.
How do you tell if a domain is permissive? Look at the SYSCALL record that accompanies the AVC: if it has "success=yes", you have a pretty good idea this is a permissive domain. When the kernel says "success=yes", that means it did not block anything.
setroubleshoot should also point this out.
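The check described above, pairing each AVC record with the SYSCALL record that shares its audit event ID and reading the success= field, as an added example that is not part of the original post. The log lines are constructed samples, and the function name classify_denials and its bucket names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log sample (not from the original post). Records that belong
# to one event share the same audit(timestamp:serial) ID; event 43 has no SYSCALL.
SAMPLE_LOG = """\
type=AVC msg=audit(1262304000.101:41): avc:  denied  { read } for  pid=2101 comm="hddtemp" name="sda" dev=tmpfs ino=811 scontext=system_u:system_r:hddtemp_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1262304000.101:41): arch=c000003e syscall=2 success=yes exit=3 items=0 ppid=1 pid=2101 comm="hddtemp" exe="/usr/sbin/hddtemp" subj=system_u:system_r:hddtemp_t:s0 key=(null)
type=AVC msg=audit(1262304007.552:42): avc:  denied  { write } for  pid=2230 comm="httpd" name="app.log" dev=dm-0 ino=9921 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1262304007.552:42): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=1 pid=2230 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1262304011.009:43): avc:  denied  { getattr } for  pid=2301 comm="mdadm" path="/etc/mdadm.conf" dev=dm-0 ino=4410 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\}.*?scontext=(\S+).*?tclass=(\S+)")
SUCCESS = re.compile(r"\bsuccess=(yes|no)\b")

def classify_denials(log_text):
    """Return {source domain: {bucket: {(tclass, perms), ...}}} for every AVC denial."""
    avcs = defaultdict(list)   # event id -> [(domain, tclass, perms)]
    outcome = {}               # event id -> "yes" or "no" from the SYSCALL record
    for line in log_text.splitlines():
        eid = EVENT_ID.search(line)
        if not eid:
            continue
        if line.startswith("type=AVC"):
            m = AVC.search(line)
            if m:
                perms, scontext, tclass = m.groups()
                domain = scontext.split(":")[2]  # user:role:type[:level]
                avcs[eid.group(1)].append((domain, tclass, perms.strip()))
        elif line.startswith("type=SYSCALL"):
            m = SUCCESS.search(line)
            if m:
                outcome[eid.group(1)] = m.group(1)
    report = defaultdict(lambda: defaultdict(set))
    for eid, records in avcs.items():
        # success=yes: the denial was logged but the call was not blocked.
        # No SYSCALL record for the event: the log alone cannot tell us.
        bucket = {"yes": "likely_permissive", "no": "blocked"}.get(outcome.get(eid), "unknown")
        for domain, tclass, perms in records:
            report[domain][bucket].add((tclass, perms))
    return report

if __name__ == "__main__":
    for domain, buckets in sorted(classify_denials(SAMPLE_LOG).items()):
        print(domain, {name: sorted(hits) for name, hits in buckets.items()})
```

Domains that land in the likely_permissive bucket can then be compared against the output of seinfo --permissive to confirm them.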
You can also see the list of permissive domains using seinfo --permissive:
seinfo --permissive
Permissive Types: 50
bootloader_t
devicekit_power_t
ModemManager_t
ldconfig_t
smoltclient_t
unconfined_cronjob_t
kdumpgui_t
sandbox_xserver_t
setfiles_mac_t
initrc_t
ada_t
fsadm_t
kudzu_t
lvm_t
mdadm_t
mono_t
wine_t
setroubleshoot_fixit_t
gconfdefaultsm_t
gnomesystemmm_t
prelink_t
anaconda_t
system_cronjob_t
tmpreaper_t
samba_unconfined_net_t
devicekit_disk_t
firstboot_t
samba_unconfined_script_t
httpd_unconfined_script_t
depmod_t
insmod_t
apmd_t
clvmd_t
crond_t
inetd_t
init_t
kdump_t
udev_t
virtd_t
xend_t
rtkit_daemon_t
devicekit_t
remote_login_t
inetd_child_t
unconfined_t
hddtemp_t
ricci_modcluster_t
ptchown_t
useradd_t
xserver_t
As we get closer to release I will change the domains back to unconfined and remove most of the permissive flags.
Thanks for your patience, and keep sending in the bug reports.