October 19th, 2011

Making a domain "unconfined"

In a couple of previous blogs I talked about permissive and unconfined domains.

http://danwalsh.livejournal.com/24537.html?thread=176857
http://danwalsh.livejournal.com/42394.html

Today we had a question about how to I disable_trans on pam_console_t in Red Hat Enterprise Linux 6.
If you have used RHEL5 or have read one of the blogs above you will realize in RHEL5 we had a lot of booleans DOMAIN_disable_trans.  The idea was to run these domains without SELinux protection.  We quickly figured out that this was a bad idea.  Other confined domains would start failing because the process they were supposed to communicate with would be running with a different label.  Or files created by the disabled_trans DOMAIN would now get created with the wrong labels.  

In RHEL6 we introduced permissive domains, so that you could run the entire system locked down but pick a few process domains to run in permissive mode.  The nice thing about this is we can figure out what the domain wants to do and improve the policy.

Miroslav Grepl came up with a third solution to the problem today.  Basically if a administrator wants to just allow a domain to do what it wants, he can add a policy module that turns the domain into an unconfined domain.  This will work on all Fedora releases and RHEL5 as well as RHEL6.  And is a much better solution then the disable_trans boolean.

If you wanted to run pam_console_t as an unconfined domain, you would first create a file call mypam.te.

# cat mypam.te
policy_module(mypam, 1.0)
gen_require(`
           type pam_console_t;
')
unconfined_domain(pam_console_t)
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypam.pp


Now pam_console_t will be an unconfined domain, but any confined domain that needs to interact with it will still work.  All of the file transition rules will still happen, so the system should stay labelled properly.  And no AVC messages will be generated about this domain.

How should you disable IPV6?

Blogging twice in the same day, a new record...

Lots of people are out there disabling IPV6, and when you do invariably you get a flood of AVC messages about different confined domains asking the kernel to load the kernel module net-pf-10.   

type=AVC msg=audit(10/18/11 23:40:10.233:978087) : avc:  denied  { module_request } for  pid=32265 comm=pickup kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Now I am not recommending that you enable or disable IPV6, but if you do want to disable it and run with SELinux turned on, please read the following:

Eric Paris reports

"I believe the networking kernel community recommends (and it will shut up these AVCs) that IPv6 be disabled by:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

It still loads the module but unhooks almost all of the calls into the module. (apparently the IPv6 module has become so ingrained in the kernel that a number of other things, like certain firewall modules, require it. I didn't design it, I'm just telling it how it is) "


We recommend that you do not disable the ipv6 module but add

net.ipv6.conf.all.disable_ipv6 = 1

to /etc/sysctl.conf

And the AVC messages should go away.

The setroubleshoot plugin in Fedora reflects this info.



UPDATED:

After Further investigation, I am informed that:

"adding ipv6.disable=1 to the kernel command line will be
the strongest way I can think of to load the module but eliminate 
all of its functionality.."