- We have unconfined_domain() system processes. initrc_t, init_t, kernel_t, ...
- We have unconfined_domain() user processes. unconfined_t
- We have permissive domains
# semodule -d unconfined
You can disable the unconfined users by removing unconfined user mappings and then disabling unconfineduser.pp
# semanage login -m -s staff_u __default__
# semanage login -m -s staff_u root
You might need to log out and back in now as sysadm_t and make sure there are no unconfined_u/unconfined_t processes running. Also make sure that you do not have any entries in /etc/sudoers for unconfined_t or files left over in /tmp or /var/db/sudo.
# semanage user -d unconfined_u
# semodule -d unconfineduser
But you could not get rid of permissive domains, since the permissive flag was in individual policy modules. In F16 we re-factored all of the permissive domain declarations into a new module called permissivedomains.pp. If you want to remove all permissive domains from your system you can execute
# semodule -d permissivedomains
# semanage permissive -l
Builtin Permissive Types
Customized Permissive Types
This will give you a fully locked down machine.
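The checks called for before `semanage user -d unconfined_u` (no unconfined_u/unconfined_t processes, no login still mapped to unconfined_u, no sudoers entry for unconfined_t) can be scripted. This is an added example, not part of the original post; the function names are hypothetical and the sample inputs are constructed.

```shell
# Added example; these helpers are hypothetical, not part of policycoreutils.
# Live use, as root:  ps -eZ | unconfined_procs ; semanage login -l | unconfined_logins
#                     sudoers_unconfined < /etc/sudoers

# stdin: `ps -eZ` output. Prints processes whose SELinux user is
# unconfined_u or whose type is unconfined_t.
unconfined_procs() {
    awk '$1 != "LABEL" {
        split($1, ctx, ":")              # context = user:role:type:level
        if (ctx[1] == "unconfined_u" || ctx[3] == "unconfined_t") print
    }'
}

# stdin: `semanage login -l` output. Prints logins still mapped to unconfined_u.
unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# stdin: sudoers text. Prints non-comment lines that mention unconfined_t.
sudoers_unconfined() {
    grep -v '^[[:space:]]*#' | grep 'unconfined_t' || true
}

# Constructed sample inputs (not captured from a real host).
sample_ps() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
staff_u:staff_r:staff_t:s0-s0:c0.c1023 2101 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2250 pts/1 00:00:00 bash
EOF
}
sample_logins() {
    cat <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
EOF
}
sample_sudoers() {
    cat <<'EOF'
# alice ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
bob ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
carol ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
EOF
}
```

All three helpers should print nothing before the unconfined_u user and the unconfineduser module are removed.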