Hello list,

For one of my projects, I am trying to learn the internals of SELinux. To start with, I am trying to build a minimalistic system where each domain is confined in its own domain (with Fedora's targeted policy as a base). One of my aims is to remove the unconfined domain totally. It would be wishful to assume that one would never need the unconfined domain. So, I was hoping one could create a new Linux user (say, God) which maps to the SELinux unconfined user. One can sudo to this user, but ONLY WITH A PROOF OF TTY (physical presence).

Now, I understand all the other parts except the last part. How do I ask SELinux to check for a tty?

I did google and stumbled upon Daniel Walsh's blog [1]. It says in one of the paragraphs:

"SELinux can be configured to not allow unconfined logins via OpenSSH or Graphical User Interface. This means that users that have access to the unconfineduser domain can only login using this environment on the TTY or access the unconfined user space via the sudo command or SU with newrole command."

This post seems to imply that an SELinux change can affect that, as against an OpenSSH configuration change that explicitly disallows root login. That is hopeful. The post also goes on to give an example of how it might be done:

sudo visudo
john ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL

So, if someone knows "john"'s password, they can switch to the unconfined domain. But how to add an additional constraint that also says that physical presence is necessary to grant this access?

Thanks in advance,
Jitesh

[1] http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-eight-unconfined.html

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
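An added illustration of what "proof of TTY" concretely means on a Linux box; this is example code written for this page, not part of Jitesh's message, Walsh's blog, or the Fedora policy. The function names (is_physical_console, current_console_ok), the user name God and the sudoers/PAM lines in the comments are assumptions for illustration. The security-relevant point is that "physical presence" has to be derived from the process's actual controlling terminal (a virtual console /dev/ttyN versus a pseudo-terminal /dev/pts/N handed out by sshd, a terminal emulator or tmux), never from environment variables such as SSH_TTY, which the caller controls. SELinux itself does not know what a terminal is; the check belongs in sudo's PAM stack, and the sudoers TYPE/ROLE transition quoted above only decides which domain the command lands in once access has been granted.

```shell
#!/bin/sh
# Hypothetical helper (example for this page, not from any project):
# classify a controlling-terminal path the way an access rule would.
#   /dev/tty1 .. /dev/tty63  -> Linux virtual consoles, i.e. a local keyboard
#   /dev/pts/N               -> pseudo-terminals: sshd, xterm, screen, tmux
#   anything else            -> refuse (a serial line such as /dev/ttyS0 could be
#                               added here only if it is known to be physically local)
is_physical_console() {
    case "$1" in
        /dev/tty[1-9]|/dev/tty[1-5][0-9]|/dev/tty6[0-3]) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide for the *current* process. `tty` reports the terminal attached to
# fd 0, which the caller cannot forge the way it can forge $SSH_TTY or $TTY.
# If there is no controlling terminal at all (cron, a pipe, a daemon), refuse.
current_console_ok() {
    t=$(tty 2>/dev/null) || return 1
    is_physical_console "$t"
}

# Enforcing the same rule for sudo itself rather than in a wrapper script
# (assumptions, to be verified on the target system):
#   1. map the Linux user to the unconfined SELinux user:
#        semanage login -a -s unconfined_u God
#   2. allow the domain transition only for that user, as in Walsh's example:
#        God ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r ALL
#   3. add a PAM account check to sudo's stack (/etc/pam.d/sudo):
#        account  required  pam_access.so
#      with /etc/security/access.conf restricting that user to the consoles:
#        + : God : tty1 tty2 tty3 tty4 tty5 tty6
#        - : God : ALL
#      Check which PAM item sudo hands to pam_access on your system (sudo sets
#      PAM_TTY, and may also set PAM_RHOST); the tty rule only bites if the
#      terminal name is what pam_access compares against.

if current_console_ok; then
    echo "controlling terminal $(tty) is a physical console"
else
    echo "not on a physical console (pty, no tty, or unknown device): refuse"
fi
```

Run it once from a virtual console (Ctrl-Alt-F2) and once inside an ssh session to see the two outcomes; the ssh session is always a /dev/pts/N device however the environment is set.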