I have tried to encourage people to run SELinux as a more tightly locked-down system. You can remove the unconfined module and run almost all of your system confined, and you can remove the unconfineduser module if you want to confine all of your users. But in order to have this work for many people, I have to see and fix whatever AVCs would happen with the packages removed.
Temporarily, in Rawhide, I have changed the unconfined_domain() interface to set permissive rather than unconfined. This means that the "unconfined" domains will still be able to do everything they could before, but they will generate AVCs.
How do you tell whether a denial came from a permissive domain? Look at the SYSCALL record that belongs to the same audit event as the AVC record (they share the serial in msg=audit(timestamp:serial)). If it says "success=yes", you have a pretty good idea the source domain is permissive: the kernel logged the denial but did not actually block the syscall. Two caveats: a globally permissive system (getenforce reports Permissive) produces success=yes for every domain, so check the enforcing mode first; and success=no on its own does not prove enforcement, since the call may have failed for an unrelated reason.
setroubleshoot should also point this out.
You can also see the list of permissive domains using seinfo --permissive
Permissive Types: 50
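As an added example (not code from this post or from Dan Walsh), here is a small Python script that performs the SYSCALL-record check described above over a log: it joins each AVC record to the SYSCALL record carrying the same audit serial and reports whether the denied call nevertheless succeeded. The audit records embedded in it are constructed for illustration; on a real box you would feed it /var/log/audit/audit.log or the output of `ausearch -m AVC,SYSCALL --raw`. The function names and the verdict labels are this example's own, and the caveat from the text applies: on a globally permissive system every domain will show success=yes.

```python
"""Correlate SELinux AVC denials with their SYSCALL records to spot
permissive domains.

Added example for this post (not the author's code). Each audit event is
tagged msg=audit(<timestamp>:<serial>); the AVC record and the SYSCALL
record for the same event carry the same serial, so joining on it shows
whether the denied syscall nevertheless succeeded (success=yes), which is
what a permissive domain looks like in the log.
"""
import re
import sys
from collections import defaultdict

# Constructed sample records in audit.log format (not from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1227000000.101:501): avc:  denied  { read } for  pid=2001 comm="ntpd" name="localtime" dev=sda1 ino=1234 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1227000000.101:501): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2001 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)
type=AVC msg=audit(1227000000.202:502): avc:  denied  { write } for  pid=2002 comm="httpd" name="index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1227000000.202:502): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1 a1=1 a2=0 a3=0 items=0 ppid=1 pid=2002 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1227000000.303:503): avc:  denied  { name_connect } for  pid=2001 comm="ntpd" dest=123 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1227000000.303:503): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff2 a2=10 a3=0 items=0 ppid=1 pid=2001 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)
"""

EVENT_ID = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SUCCESS_RE = re.compile(r"\bsuccess=(?P<success>yes|no)\b")


def parse_audit_log(text):
    """Group AVC and SYSCALL records by audit serial.

    Returns {serial: {"avcs": [...], "success": True | False | None}}, where
    success is None when no SYSCALL record was seen for that event.
    """
    events = defaultdict(lambda: {"avcs": [], "success": None})
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        serial = int(m.group("serial"))
        if line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if a:
                # scontext is user:role:type:level; the type is the domain.
                events[serial]["avcs"].append({
                    "domain": a.group("scontext").split(":")[2],
                    "perms": a.group("perms").split(),
                    "tcontext": a.group("tcontext"),
                    "tclass": a.group("tclass"),
                })
        elif line.startswith("type=SYSCALL"):
            s = SUCCESS_RE.search(line)
            if s:
                events[serial]["success"] = s.group("success") == "yes"
    return dict(events)


def classify_denials(text):
    """One row per AVC denial: (serial, domain, perms, tclass, verdict).

    verdict is "permissive" when the matching SYSCALL record says success=yes
    (denial logged, call allowed through), "enforced" when it says success=no,
    and "unknown" when no SYSCALL record exists for that serial.
    """
    events = parse_audit_log(text)
    rows = []
    for serial in sorted(events):
        ev = events[serial]
        if ev["success"] is None:
            verdict = "unknown"
        elif ev["success"]:
            verdict = "permissive"
        else:
            verdict = "enforced"
        for avc in ev["avcs"]:
            rows.append((serial, avc["domain"], " ".join(avc["perms"]),
                         avc["tclass"], verdict))
    return rows


def likely_permissive_domains(text):
    """Source types whose every classified denial came with success=yes.

    A domain with even one enforced denial is not treated as permissive;
    events without a SYSCALL record are ignored rather than guessed at.
    """
    seen = {}
    for _, domain, _, _, verdict in classify_denials(text):
        if verdict == "unknown":
            continue
        seen.setdefault(domain, True)
        if verdict == "enforced":
            seen[domain] = False
    return {d for d, ok in seen.items() if ok}


if __name__ == "__main__":
    # Pass /var/log/audit/audit.log or `ausearch -m AVC,SYSCALL --raw` output;
    # with no argument the constructed sample above is analysed.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for serial, domain, perms, tclass, verdict in classify_denials(data):
        print(f"{serial}: {domain} denied {{ {perms} }} on {tclass}: {verdict}")
    found = ", ".join(sorted(likely_permissive_domains(data))) or "none"
    print("likely permissive domains:", found)
```

Compare the result with `seinfo --permissive` on the same system: a domain the script flags that seinfo does not list (and with getenforce reporting Enforcing) is worth a second look at the log, since the join above is a heuristic, not a policy query.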
As we get closer to release I will change the domains back to unconfined and remove most of the permissive flags.
Thanks for your patience, and keep sending in the bug reports.
Dan Walsh's Blog
- Suddenly lots of AVC's in Rawhide.