danwalsh (danwalsh) wrote,

Making a domain "unconfined"

In a couple of previous blogs I talked about permissive and unconfined domains.


Today we had a question about how to disable_trans on pam_console_t in Red Hat Enterprise Linux 6.
If you have used RHEL5 or have read one of the blogs above, you will realize that in RHEL5 we had a lot of DOMAIN_disable_trans booleans. The idea was to run these domains without SELinux protection. We quickly figured out that this was a bad idea. Other confined domains would start failing because the process they were supposed to communicate with would be running with a different label. Or files created by the disabled_trans DOMAIN would now get created with the wrong labels.

In RHEL6 we introduced permissive domains, so that you could run the entire system locked down but pick a few process domains to run in permissive mode.  The nice thing about this is we can figure out what the domain wants to do and improve the policy.

Miroslav Grepl came up with a third solution to the problem today. Basically, if an administrator wants to just allow a domain to do what it wants, he can add a policy module that turns the domain into an unconfined domain. This will work on all Fedora releases and RHEL5 as well as RHEL6, and is a much better solution than the disable_trans boolean.

If you wanted to run pam_console_t as an unconfined domain, you would first create a file called mypam.te.

# cat mypam.te
policy_module(mypam, 1.0)
gen_require(`
           type pam_console_t;
')
unconfined_domain(pam_console_t)
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypam.pp

Now pam_console_t will be an unconfined domain, but any confined domain that needs to interact with it will still work.  All of the file transition rules will still happen, so the system should stay labelled properly.  And no AVC messages will be generated about this domain.
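Because a module like mypam removes SELinux protection from a domain without producing any AVC messages, it helps to be able to list which domains have been made unconfined. The following is an added example, not part of the original post: it assumes the reference policy's unconfined_domain() interface places the type in the unconfined_domain_type attribute and that seinfo from setools is installed; the baseline list and the sample seinfo output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report domains carrying the unconfined_domain_type
# attribute that are not on a reviewed baseline list.

# Domains expected to be unconfined on this host (constructed baseline).
BASELINE="unconfined_t initrc_t kernel_t"

# Constructed sample of `seinfo -aunconfined_domain_type -x` output.
SAMPLE_SEINFO='   unconfined_domain_type
      initrc_t
      kernel_t
      pam_console_t
      unconfined_t'

# list_unconfined: read seinfo-style text on stdin, print one type per line.
# Only indented single tokens ending in _t are kept, so header lines are
# skipped. Assumption: domain types follow the usual *_t naming convention.
list_unconfined() {
    sed -n 's/^[[:space:]]\{1,\}\([A-Za-z0-9_]*_t\)[[:space:]]*$/\1/p' | sort -u
}

# unexpected_unconfined BASELINE: print types from stdin missing from BASELINE.
unexpected_unconfined() {
    baseline=" $1 "
    list_unconfined | while read -r t; do
        case "$baseline" in
            *" $t "*) ;;                 # reviewed, ignore
            *) printf '%s\n' "$t" ;;     # unconfined but not in the baseline
        esac
    done
}

# Run the check against the constructed sample above.
check_sample() {
    printf '%s\n' "$SAMPLE_SEINFO" | unexpected_unconfined "$BASELINE"
}

# On a live system, feed real output instead:
#   seinfo -aunconfined_domain_type -x | unexpected_unconfined "$BASELINE"
check_sample
```

Once a domain such as pam_console_t has been reviewed and accepted as unconfined, add it to the baseline so that only new additions are reported.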
