Dan Walsh's Blog
Got SELinux?

New Security Feature in Fedora 19 Part 1: New Confined/Permissive Process Domains
danwalsh
With each Fedora release we ship a set of new process domains that run in permissive mode for that release: SELinux logs everything the policy would have denied for those domains but does not block it, so the gaps in the policy can be found and fixed before they break anything. In the following release those domains are switched to enforcing.

In my blog post 10 things you probably did not know about SELinux, item #4 describes how you can interact with permissive domains.
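The practical question a permissive domain raises is what it is currently getting away with, because that is exactly what will start failing when the domain goes enforcing in the next release. AVC records produced for a permissive domain carry permissive=1, so they can be pulled apart from ordinary denials. The following bash script is an added example, not code from the original post or from Fedora's policy: it summarises such records per domain, object class and permission. The audit lines embedded in it are constructed for illustration; the domain and type names are Fedora's, but the denials themselves are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): summarise the AVC denials that a
# permissive domain has been generating, so the policy gaps can be fixed before
# the domain is switched to enforcing in the next release.
# The audit records below are constructed for illustration. On a real system,
# replace them with the output of:   ausearch -m avc -ts today
# A denial the kernel would have blocked in enforcing mode carries permissive=1.

# Constructed sample audit records (not a real log).
SAMPLE_AVCS='type=AVC msg=audit(1365000000.101:201): avc:  denied  { read } for  pid=1234 comm="php-fpm" name="app.ini" dev="sda1" ino=9901 scontext=system_u:system_r:phpfpm_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1365000000.102:202): avc:  denied  { read } for  pid=1234 comm="php-fpm" name="db.ini" dev="sda1" ino=9902 scontext=system_u:system_r:phpfpm_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1365000000.103:203): avc:  denied  { write } for  pid=1234 comm="php-fpm" name="sess_ab12" dev="sda1" ino=9903 scontext=system_u:system_r:phpfpm_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1365000000.104:204): avc:  denied  { name_connect } for  pid=2345 comm="swift-proxy-ser" scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1365000000.105:205): avc:  denied  { getattr } for  pid=3456 comm="httpd" path="/srv/secret" dev="sda1" ino=9904 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'

# Read AVC records on stdin; print "count domain tclass permission" for every
# denial that was let through only because the source domain is permissive.
# The enforcing-mode denial (permissive=0) is excluded: it was already blocked.
permissive_denials() {
    grep -F 'permissive=1' |
    sed -n 's/.*denied  { \([^}]*\) } .*scontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \1/p' |
    sort | uniq -c | sort -rn
}

# Read AVC records on stdin; print the distinct source domains that would start
# failing once they are made enforcing.
permissive_domains_seen() {
    grep -F 'permissive=1' |
    sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' |
    sort -u
}

main() {
    echo "Denials currently masked by permissive mode:"
    printf '%s\n' "$SAMPLE_AVCS" | permissive_denials
    echo
    echo "Domains to fix before they go enforcing:"
    printf '%s\n' "$SAMPLE_AVCS" | permissive_domains_seen
}

main
```

On a live system, pipe ausearch -m avc -ts today into permissive_denials instead of the sample. Every line that survives is either a policy bug worth reporting against selinux-policy or a local module to generate with audit2allow, and the list of domains is what you check again the day the next release makes them enforcing.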

In Fedora 18, we added 8 new permissive domains, all of which are now enforcing in Fedora 19.

Fedora 18 Permissive Domains, Now Confined in Fedora 19

  pkcsslotd_t (daemon that manages PKCS#11 objects shared between PKCS#11-enabled applications)
  slpd_t (Service Location Protocol daemon)
  sensord_t (sensor information logging daemon)
  mandb_t (cron job used to create /var/cache/man content)
  glusterd_t (policy for the glusterd service)
  stapserver_t (SystemTap instrumentation system server) Note: this was backported to Fedora 17.
  realmd_t (D-Bus system service that manages discovery of and enrollment in realms and domains such as Active Directory or IPA)
  phpfpm_t (PHP FastCGI Process Manager)


Fedora 19 Permissive Domains

  systemd_localed_t
    systemd-localed is a system service that may be used as a mechanism to
    change the system locale settings, as well as the console key mapping
    and default X11 key mapping. systemd-localed is automatically
    activated on request and terminates itself when it is unused.

  systemd_hostnamed_t
    systemd-hostnamed is a system service that may be used as a mechanism to
    change the system hostname. systemd-hostnamed is automatically
    activated on request and terminates itself when it is unused.

  systemd_sysctl_t
    systemd-sysctl.service is an early-boot service that configures
    sysctl(8) kernel parameters.

  httpd_mythtv_script_t
    MythTV CGI scripts used for managing MythTV scheduling and content.

  openshift_cron_t
    OpenShift system cron jobs run as openshift_cron_t; gear cron jobs do not.

  swift_t
    OpenStack Object Storage (Swift) aggregates commodity servers to work together
    in clusters for reliable, redundant, and large-scale storage of static objects.

Fedora 19 Modules Removed

  shutdown.pp (command no longer supported; its function is supplanted by systemd)
  consoletype.pp (command should no longer be used; supplanted by systemd-logind)

Fedora 19 Modules Renamed or Consolidated

  amavis.pp, clamav.pp - consolidated into a unified antivirus.pp; the old types are all aliased to antivirus_t:
      typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t };

  ctdbd.pp changed name upstream to ctdb.pp
  isnsd.pp changed name upstream to isns.pp
  pacemaker.pp, corosync.pp, rgmanager.pp, aisexec.pp - consolidated into a unified rhcs.pp; the old types are all aliased to the new type cluster_t:
      typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t };

Because these are type aliases, local policy modules and file contexts that still refer to the old names (for example clamd_t or corosync_t) continue to resolve; they simply name the same type as antivirus_t or cluster_t now.

Re: switching permissive domain to confined

danwalsh

2013-04-11 02:45 pm (UTC)

semodule -d permissivedomains

Will disable all permissive domains that we ship.

semanage permissive -d phpfpm_t will not work, since we do not ship the policy that way.
