danwalsh


Dan Walsh's Blog

Got SELinux?


Process Confinement in Fedora 18
I have not done this blog for a while. Fedora 12?

A good estimate of the number of different confined processes is to count the number of types with the domain attribute.

seinfo -adomain -x | tail -n +2 | wc -l
707


Note: I am removing the first line because it lists the attribute name.

Not all domain types are confined. If we want to look at the number of unconfined domains, we can use the unconfined_domain_type attribute.

seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
61

Unconfined Domains
sosreport_t  bootloader_t  devicekit_power_t  nova_api_t
nova_network_t  dirsrvadmin_unconfined_script_t  nova_objectstore_t  certmonger_unconfined_t
unconfined_cronjob_t  abrt_handle_event_t  setfiles_mac_t  initrc_t
fsadm_t  lvm_t  mdadm_t  rpm_t
wine_t  nova_vncproxy_t  unconfined_dbusd_t  nova_volume_t
nova_scheduler_t  prelink_t  anaconda_t  boinc_project_t
nova_ajax_t  rpm_script_t  system_cronjob_t  openshift_initrc_t
samba_unconfined_net_t  kdumpctl_t  devicekit_disk_t  firstboot_t
samba_unconfined_script_t  nagios_eventhandler_plugin_t  httpd_unconfined_script_t  depmod_t
insmod_t  kernel_t  livecd_t  puppet_t
tomcat_t  apmd_t  clvmd_t  crond_t
inetd_t  init_t  udev_t  virtd_t
nagios_unconfined_plugin_t  rgmanager_t  devicekit_t  inetd_child_t
nova_direct_t  semanage_t  sge_shepherd_t  xdm_unconfined_t
unconfined_t  abrt_watch_log_t  sge_job_t  xserver_t

If you disable the unconfined policy module, which I recommend, only the user domains remain unconfined, along with a few domains that do not make sense to confine (anaconda, firstboot, kernel, rpm).

# semodule -d unconfined
seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
14


Unconfined Domains
rpm_t  anaconda_t  rpm_script_t  openshift_initrc_t
firstboot_t  kernel_t  livecd_t  unconfined_t


You can disable all remaining unconfined domains by disabling the unconfineduser module as well:

# semodule -d unconfineduser

Note: You need to set up all your users as confined users before removing the unconfineduser module; otherwise they will not be able to log in as unconfined_t.
Disabling both the unconfined and unconfineduser policy modules is the equivalent of what we used to call strict policy.

Another interesting category is permissive domains, which can be listed with the --permissive option.

# seinfo --permissive -x | tail -n +3 | wc -l
31

Permissive Domains
phpfpm_t  virt_qemu_ga_t  pkcsslotd_t  realmd_t
mandb_t  rngd_t  slpd_t  glusterd_t
stapserver_t  sensord_t
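The counts above come from piping seinfo into tail and wc. The following script is an added example, not part of the original post, that reproduces the same arithmetic on constructed text so it runs without a live SELinux policy: it strips the header line the way tail -n +2 does, takes the set difference "domain minus unconfined_domain_type" to list the confined domains, and then subtracts the permissive domains, whose denials are logged but not enforced, to get the domains that are actually enforced. The three sample listings imitate the shape of seinfo -adomain -x, seinfo -aunconfined_domain_type -x and seinfo --permissive -x output (one header line, then one indented type per line); the type names in them are chosen for illustration and are not a Fedora 18 policy listing.

```shell
#!/bin/sh
# Added example: the post's counting logic applied to constructed seinfo-style
# text. The three listings below are made up for illustration; their header
# lines imitate the first line that the post strips with `tail -n +2`.
DOMAIN_OUT='   domain
      crond_t
      httpd_t
      init_t
      kernel_t
      sshd_t
      unconfined_t'
UNCONFINED_OUT='   unconfined_domain_type
      init_t
      kernel_t
      unconfined_t'
PERMISSIVE_OUT='Permissive Types: 1

      httpd_t'

# Drop the header line, blank lines and leading whitespace, then sort so
# the lists can be compared line by line.
types() {
    printf '%s\n' "$1" | tail -n +2 | sed 's/^[[:space:]]*//' | grep -v '^$' | sort -u
}

# Equivalent of the post's `... | tail -n +2 | wc -l`.
count_types() {
    types "$1" | wc -l | tr -d ' '
}

# Reads lines tagged "A <type>" and "B <type>" on stdin and prints the B
# types that do not occur among the A types (set difference B \ A).
# Done in awk so the script stays POSIX sh (no process substitution).
difference() {
    awk '$1 == "A" { seen[$2] = 1 } $1 == "B" && !($2 in seen) { print $2 }'
}

# Confined = carries the domain attribute but not unconfined_domain_type.
confined_domains() {
    {
        types "$UNCONFINED_OUT" | sed 's/^/A /'
        types "$DOMAIN_OUT" | sed 's/^/B /'
    } | difference
}

# A permissive domain still counts as confined by the attribute arithmetic,
# but SELinux only logs its denials instead of enforcing them, so remove
# those to see which confined domains are actually enforced.
enforced_confined_domains() {
    {
        types "$PERMISSIVE_OUT" | sed 's/^/A /'
        confined_domains | sed 's/^/B /'
    } | difference
}

report() {
    printf 'domain types:       %s\n' "$(count_types "$DOMAIN_OUT")"
    printf 'unconfined domains: %s\n' "$(count_types "$UNCONFINED_OUT")"
    printf 'permissive domains: %s\n' "$(count_types "$PERMISSIVE_OUT")"
    printf 'confined domains:   %s\n' "$(confined_domains | tr '\n' ' ')"
    printf 'enforced confined:  %s\n' "$(enforced_confined_domains | tr '\n' ' ')"
}

report
```

On a real system the three variables would be replaced by the output of the corresponding seinfo commands; the rest of the script is unchanged. The difference helper is what the post's counts leave implicit: the "confined" figure is the domain count minus the unconfined_domain_type count, and the permissive list is a further deduction if you want the number of domains whose policy is actually being enforced.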


A couple of other interesting statistics.

Total number of file types.

seinfo -afile_type -x | tail -n +2  | wc -l
2375


To get the number of allow rules, you need to use sesearch instead of seinfo.

sesearch --allow | wc -l
81736

Dontaudit Rules

sesearch --dontaudit | wc -l
6532
