April 27th, 2009

Removing unconfined domains in Fedora 11

During Fedora 10 development (Fedora 9?) we merged the strict and targeted policies.  The unconfined.pp policy package is now optional, and removing it gives you the equivalent of strict policy.

# semodule -r unconfined

In targeted policy, service domains like init_t, initrc_t, and xinetd_t run as unconfined domains by default.  We do this in order to allow Fedora administrators to run server applications which do not have policies defined for them.  If we confined these domains, someone would need to write policy for every service that you run on your machine.

I do not like this solution, since removing the unconfined.pp policy package also removes the unconfined_t user.  I like the idea of running as few unconfined domains as possible on my machine, but I still want the unconfined_t administrator.  Strict/MLS policy has had the sysadm_t administrator, which I call the drunken unconfined_t.  In my opinion, sysadm_t adds no real security advantages over unconfined_t.  sysadm_t triggers seemingly random denials, and granting these privs moves sysadm_t closer to being an unconfined domain.  It just generates AVCs without providing any security benefit.

I wanted a way to turn off the unconfined domain for all services but still allow me to use the unconfined_t administrative user.  In F11 I moved the definition of the unconfined_t user to a separate unconfineduser.pp package.  Now you can remove the unconfined.pp package and still use the unconfined_t user.

In Fedora 11 the only unconfined domains on a system without the unconfined.pp package installed are:
  • kernel_t
    • No real reason to confine the kernel since this would only cause problems and add no real security.
  • rpm_t, rpm_script_t
    • No one has figured out a good way to separate trusted content from untrusted, and then tell me how rpm should run differently when it has untrusted content.
  • unconfined_t

F11 has some permissive domains, but they will generate lots of AVCs if they are compromised or violate policies.
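Before and after removing unconfined.pp it is worth checking which running processes actually sit in an unconfined domain, so you can confirm that only the four domains listed above remain.  The following script is an added example, not part of the original post: it reads ps -eZ style lines, pulls the type out of each process context, and flags any process whose type is unconfined but not in the expected kernel_t/rpm_t/rpm_script_t/unconfined_t set.  The ps output embedded here is constructed sample data so the script runs offline; on a live box you would feed it real ps -eZ output and the list of types carrying the unconfined_domain_type attribute (the comments assume setools' seinfo for that, which is an assumption about your tooling, not something the post prescribes).

```shell
#!/bin/sh
# Added example (not from the original post): audit which processes are
# running in unconfined SELinux domains and flag the unexpected ones.
#
# Assumed live usage (seinfo is setools; the exact flags are an assumption):
#   ps -eZ --no-headers | unexpected_unconfined "$(seinfo -aunconfined_domain_type -x | tail -n +2)"

# Constructed ps -eZ sample: "CONTEXT PID TTY TIME CMD" per line.
SAMPLE_PS='system_u:system_r:kernel_t:s0          2 ?        00:00:00 kthreadd
system_u:system_r:init_t:s0                1 ?        00:00:01 init
system_u:system_r:initrc_t:s0            812 ?        00:00:00 rc
system_u:system_r:sshd_t:s0-s0:c0.c1023 1201 ?        00:00:00 sshd
system_u:system_r:rpm_t:s0              1450 pts/0    00:00:03 rpm
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1460 pts/0 00:00:00 bash'

# Domains the post says remain unconfined once unconfined.pp is removed.
EXPECTED_UNCONFINED="kernel_t rpm_t rpm_script_t unconfined_t"

# domain_of CONTEXT: print the type, i.e. the third colon-separated field.
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# ps_domains: read ps -eZ lines on stdin, print "<type> <cmd>" per process.
ps_domains() {
    awk '{ split($1, c, ":"); print c[3], $NF }'
}

# unexpected_unconfined UNCONFINED_TYPES: read ps -eZ lines on stdin and print
# "<type> <cmd>" for every process whose type is in UNCONFINED_TYPES but is
# not one of the domains expected to stay unconfined.
unexpected_unconfined() {
    unconf="$1"
    ps_domains | while read -r type cmd; do
        # Skip processes whose domain is confined at all.
        case " $unconf " in *" $type "*) ;; *) continue ;; esac
        # Skip the domains the post expects to remain unconfined.
        case " $EXPECTED_UNCONFINED " in
            *" $type "*) ;;
            *) printf '%s %s\n' "$type" "$cmd" ;;
        esac
    done
}

# Demo run against the sample, using the unconfined set of a stock targeted
# policy (init_t and initrc_t still unconfined) as the "before" picture.
printf '%s\n' "$SAMPLE_PS" | unexpected_unconfined \
    "kernel_t init_t initrc_t rpm_t rpm_script_t unconfined_t"
```

With unconfined.pp still loaded the demo prints init and rc as unexpected unconfined processes; with the reduced set of four types it prints nothing, which is the state the post describes for a Fedora 11 system after `semodule -r unconfined`.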

You can remove the unconfined_t user by removing the unconfineduser.pp package:

# semodule -r unconfineduser

Try it out.