Fedora 16 New SELinux Feature part III - permissivedomains module
As has been stated in previous blogs we have three types of unconfined processes on Fedora. 
  1. We have unconfined_domain() system processes.  initrc_t, init_t, kernel_t, ...
  2. We have unconfined_domain() user processes.  unconfined_t
  3. We have permissivedomains.
Up until now you could remove unconfined system processes by disabling the unconfined.pp module.

# semodule -d unconfined

You can disable the unconfined users by removing unconfined user mappings and then disabling unconfineduser.pp

# semanage login -m -s staff_u __default__
# semanage login -m -s staff_u root
You might need to log out and back in now as sysadm_t and make sure there are no unconfined_u/unconfined_t processes running. Also make sure that you do not have any entries in /etc/sudoers for unconfined_t or files left over in /tmp or /var/db/sudo.
# semanage user -d unconfined_u
# semodule -d unconfineduser

But you could not get rid of permissive domains, since the permissive flag was in individual policy modules. In F16 we refactored all of the permissive domain declarations into a new module called permissivedomains.pp. If you want to remove all permissive domains from your system, you can execute

# semodule -d permissivedomains

# semanage permissive -l
Builtin Permissive Types

Customized Permissive Types

This will give you a fully locked down machine.
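
One way to confirm the result of the steps above, as an added example that is not from the original post: shell helpers that parse the output of `semanage permissive -l` and `semanage login -l` and report any remaining permissive types or logins still mapped to unconfined_u. The function names and the sample listings are constructed for illustration, and the check covers only these two listings.

```shell
#!/bin/sh
# Added example: parse semanage listings and report what is left to lock down.

# stdin: output of `semanage permissive -l`; prints one permissive type per line.
permissive_types() {
    awk 'NF == 0 { next }                       # blank separator lines
         /Permissive Types[ \t]*$/ { next }     # the two section headers
         { print $1 }'
}

# stdin: output of `semanage login -l`; prints logins mapped to unconfined_u.
unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# $1 = text of `semanage permissive -l`, $2 = text of `semanage login -l`.
# Prints each leftover and returns 1 if any exist, 0 when both are clean.
lockdown_leftovers() {
    types=$(printf '%s\n' "$1" | permissive_types)
    logins=$(printf '%s\n' "$2" | unconfined_logins)
    [ -n "$types" ] && printf 'permissive type: %s\n' $types
    [ -n "$logins" ] && printf 'unconfined_u login: %s\n' $logins
    [ -z "$types$logins" ]
}

# Constructed sample listings (type names are placeholders, not real policy types).
SAMPLE_PERMISSIVE='Builtin Permissive Types

example_a_t
example_b_t

Customized Permissive Types
'
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
root                 staff_u              s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023'

# Demo on the samples; on a real host (as root) pass the live output instead:
#   lockdown_leftovers "$(semanage permissive -l)" "$(semanage login -l)"
lockdown_leftovers "$SAMPLE_PERMISSIVE" "$SAMPLE_LOGINS" || echo "not locked down yet"
```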

It is good to have this possibility.
I have a question. Is it required by any policy/law/standard to lock the system in this way?

On an MLS machine you would not want to have an unconfined domain.

You would want to control all domains to as close to least privilege as possible.

But in general I think it is a good idea to run with the unconfined.pp and permissivedomains.pp files disabled.

I tend to leave the unconfineduser domain, although I have set up my own user to login as staff_t and become sysadm_t when I am root.
