Fedora 16 New SELinux Feature part III - permissivedomains module
As has been stated in previous blogs, we have three types of unconfined processes on Fedora.
  1. We have unconfined_domain() system processes: initrc_t, init_t, kernel_t, ...
  2. We have unconfined_domain() user processes: unconfined_t.
  3. We have permissivedomains.
Up until now you can remove unconfined system processes by disabling the unconfined.pp module.

# semodule -d unconfined

You can disable the unconfined users by removing unconfined user mappings and then disabling unconfineduser.pp

# semanage login -m -s staff_u __default__
# semanage login -m -s staff_u root
You might need to log out and back in now as sysadm_t and make sure there are no unconfined_u/unconfined_t processes running. Also make sure that you do not have any entries in /etc/sudoers for unconfined_t or files left over in /tmp or /var/db/sudo.
# semanage user -d unconfined_u
# semodule -d unconfineduser

But you could not get rid of permissive domains, since the permissive flag was in individual policy modules.  In F16 we re-factored all of the permissive domain declarations into a new module called permissivedomains.pp.  If you want to remove all permissive domains from your system, you can execute:

# semodule -d permissivedomains

# semanage permissive -l
Builtin Permissive Types

Customized Permissive Types

This will give you a fully locked down machine.
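
A check for the two conditions above (no unconfined_u/unconfined_t processes left running, and an empty permissive list), as an added example that is not part of the original post. It parses `ps -eZ` and `semanage permissive -l` output from stdin; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the lockdown from command output read on stdin, e.g.
#   ps -eZ | unconfined_procs
#   semanage permissive -l | permissive_types

# Print "PID CONTEXT CMD" for every process in `ps -eZ` output whose SELinux
# user is unconfined_u or whose type is unconfined_t.
unconfined_procs() {
    awk '{
        n = split($1, ctx, ":")      # user:role:type[:level[:categories]]
        if (n >= 3 && (ctx[1] == "unconfined_u" || ctx[3] == "unconfined_t"))
            print $2, $1, $5
    }'
}

# Print every type named in `semanage permissive -l` output, skipping blank
# lines and the two "... Permissive Types" headings.
permissive_types() {
    awk 'NF && !/Permissive Types/ { print $1 }'
}

# Constructed sample input (not captured from a real machine).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
staff_u:staff_r:staff_t:s0-s0:c0.c1023 1402 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1733 pts/1 00:00:00 bash
unconfined_u:system_r:httpd_t:s0 1801 ?        00:00:00 httpd'

SAMPLE_PERMISSIVE_BEFORE='Builtin Permissive Types

example_a_t
example_b_t
Customized Permissive Types
'

SAMPLE_PERMISSIVE_AFTER='Builtin Permissive Types

Customized Permissive Types
'

# Demo on the constructed samples: two leftover processes, two permissive types.
printf '%s\n' "$SAMPLE_PS" | unconfined_procs
printf '%s\n' "$SAMPLE_PERMISSIVE_BEFORE" | permissive_types
```

Any line printed by either function means the machine is not yet fully locked down: a process that must be restarted after logging back in, or a permissive type that is still loaded.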


On an MLS machine you would not want to have an unconfined domain

You would want to control all domains to as close to least privilege as possible.

But in general I think it is a good idea to run with the unconfined.pp and permissivedomains.pp files disabled.

I tend to leave the unconfineduser domain, although I have set up my own user to log in as staff_t and become sysadm_t when I am root.
