Dan Walsh's Blog

Got SELinux?


Making a domain "unconfined"
danwalsh
In a couple of previous blogs I talked about permissive and unconfined domains.

http://danwalsh.livejournal.com/24537.html?thread=176857
http://danwalsh.livejournal.com/42394.html

Today we had a question about how to disable_trans on pam_console_t in Red Hat Enterprise Linux 6.
If you have used RHEL5 or have read one of the blogs above, you will realize that in RHEL5 we had a lot of booleans named DOMAIN_disable_trans.  The idea was to run these domains without SELinux protection.  We quickly figured out that this was a bad idea.  Other confined domains would start failing because the process they were supposed to communicate with would be running with a different label.  Or files created by the disable_trans domain would now get created with the wrong labels.

In RHEL6 we introduced permissive domains, so that you could run the entire system locked down but pick a few process domains to run in permissive mode.  The nice thing about this is we can figure out what the domain wants to do and improve the policy.

Miroslav Grepl came up with a third solution to the problem today.  Basically, if an administrator wants to just allow a domain to do what it wants, he can add a policy module that turns the domain into an unconfined domain.  This will work on all Fedora releases and on RHEL5 as well as RHEL6, and it is a much better solution than the disable_trans boolean.

If you wanted to run pam_console_t as an unconfined domain, you would first create a file called mypam.te.

# cat mypam.te
policy_module(mypam, 1.0)
gen_require(`
           type pam_console_t;
')
unconfined_domain(pam_console_t)
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypam.pp


Now pam_console_t will be an unconfined domain, but any confined domain that needs to interact with it will still work.  All of the file transition rules will still happen, so the system should stay labelled properly.  And no AVC messages will be generated about this domain.
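As an added example that is not part of the original post, the steps above can be wrapped in a small script that generalizes them to any domain type: it generates the .te source for a given module and domain name, builds and installs it with the same Makefile and semodule invocation the post uses, and then confirms that the domain really carries the unconfined_domain_type attribute (the attribute that unconfined_domain() assigns). The module name "myunconfined" and the use of seinfo from setools for the check are my own choices, not something the post prescribes; the build and install only run when the SELinux development Makefile is present and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the original post: generate, build, install and
# verify an "unconfined" policy module for an arbitrary domain type.
# Assumes /usr/share/selinux/devel/Makefile (as in the post) plus the
# semodule and seinfo tools; "myunconfined" below is an assumed module name.

# Print a .te source that makes DOMAIN an unconfined domain.
# Usage: gen_unconfined_te MODULE DOMAIN
gen_unconfined_te() {
    module="$1"
    domain="$2"
    printf 'policy_module(%s, 1.0)\n' "$module"
    printf 'gen_require(`\n'
    printf '    type %s;\n' "$domain"
    printf "')\n"
    printf 'unconfined_domain(%s)\n' "$domain"
}

# Reject anything that is not a plausible SELinux type identifier before it
# is interpolated into policy source (letters, digits and underscore only).
valid_type_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build and install the module, then confirm that DOMAIN now appears among
# the types carrying the unconfined_domain_type attribute.
install_unconfined() {
    module="$1"
    domain="$2"
    valid_type_name "$domain" || { echo "bad type name: $domain" >&2; return 1; }
    gen_unconfined_te "$module" "$domain" > "$module.te"
    # Same build and install steps as the post; the Makefile picks up *.te
    # in the current directory and produces "$module.pp".
    make -f /usr/share/selinux/devel/Makefile || return 1
    semodule -i "$module.pp" || return 1
    # seinfo -a<attribute> -x lists every type that has the attribute.
    seinfo -aunconfined_domain_type -x | grep -qw "$domain"
}

# The post's pam_console_t case, guarded so the script is a no-op on a
# machine without the SELinux development tools or without root.
if [ -f /usr/share/selinux/devel/Makefile ] && [ "$(id -u)" = 0 ]; then
    install_unconfined myunconfined pam_console_t
fi
```

To undo the change later, remove the module with `semodule -r myunconfined`; the domain then returns to its normal confined policy and AVC denials for it resume, which is the quickest way to tell whether the module was what made a problem disappear.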


Small point, but I think it should be gen_require not gen_requires
(he said after cutting and pasting this snippet!)

