On Mon, Oct 25, 2010 at 02:45:54PM +0200, Roberto Sassu wrote:
> Hi all
>
> i'm using the selinux policy shipped with Fedora 13 and UBAC turned on.
> I removed the unconfined package and i noted the unconfined_t domain with
> unconfined_u user is unable to access a file with another selinux user.
> I tried to build a custom module which contains the line:
>
> ubac_process_exempt(unconfined_t)

Like it says, this only exempts the caller's access to processes. In the sysadm module this is added:

ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

That should pretty much exempt the caller.

Note though that ubac has issues. I am not sure how many issues in Fedora, but in normal refpolicy the *_admins do not work, because you want to start services as system_u, else unprivileged users won't be able to access resources. There is no way to change to system_u unless, I guess, you use runcon.

That brings us to the second issue: you probably want to build policy with the sysadm_direct_initrc option enabled. That way you can, for example, run rpm/yum in the rpm_t domain with system_u. Else it will install files with the sysadm_u id and then ubac users cannot access them.

Those two issues were enough reason for me to turn it off (especially not being able to use the *_admins).

> but this does not solve the issue. How do i configure the policy to allow some
> domains to circumvent the UBAC enforcement?
> Thanks in advance for replies.
>
> Roberto Sassu
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
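The exemption the reply describes, written out as a complete loadable policy module. This is an added example, not code from the thread, from refpolicy or from the Fedora policy package; the module name is made up, and it assumes a policy built with UBAC enabled in which the unconfined_t type exists, as the original post describes. It mirrors what the sysadm module does for sysadm_t, applied to unconfined_t:

```selinux
# ubacexempt.te (hypothetical module name; added example, not refpolicy code)
#
# Exempt unconfined_t from the UBAC constraints on all three object
# families the reply names. Calling only ubac_process_exempt() leaves the
# file and fd constraints in force, which is why the original single-line
# module did not help.
policy_module(ubacexempt, 1.0)

gen_require(`
	# Assumed to be defined by the base policy in use.
	type unconfined_t;
')

# Each interface adds the domain to the matching exemption attribute, so
# the UBAC constraint no longer compares SELinux users for that class.
ubac_process_exempt(unconfined_t)
ubac_file_exempt(unconfined_t)
ubac_fd_exempt(unconfined_t)

# Build and load with the standard Fedora devel Makefile:
#   make -f /usr/share/selinux/devel/Makefile ubacexempt.pp
#   semodule -i ubacexempt.pp
#
# Check that the type picked up the exemption attribute (setools):
#   seinfo -aubacproc -x
#   seinfo -aubacfile -x
#   seinfo -aubacfd -x
```

Exempting a domain switches UBAC off entirely for that domain, so the separation between SELinux users stops applying to anything it does with processes, files and descriptors; the same three-interface pattern can be applied to a narrower domain instead when only one program needs to cross user boundaries. The caveats in the reply still apply after loading this module: files installed under sysadm_u rather than system_u remain inaccessible to other UBAC-constrained users, which is what the sysadm_direct_initrc build option addresses.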