Re: Removing unconfined type

On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar (anmajumd)
wrote:
> We are on RHEL6 and we need to remove the unconfined type from our targeted
> Selinux policies so that no process runs in the unconfined domain.
> 
> In order to achieve that we have removed the unconfined module. Is there
> anything else we need to do?
> 
> Thanks,
> Anamitra

You can also disable the unconfineduser module to make it even more
strict.

But if you do, make sure that no users are mapped to unconfined_u, and
relabel the file system, because SELinux will change contexts that have
unconfined_u in them to unlabeled_t if unconfined_u no longer exists.

So in theory:

1. setenforce 0
2. change your login mappings to exclude unconfined_u
3. purge /tmp and /var/tmp
4. semodule -d unconfineduser
5. fixfiles onboot && reboot

I think that should take care of it.

Note though that even then there will be some unconfined domains left.

There is no way to get them out without manually editing and rebuilding
the policy.

But if you disabled the unconfined and unconfineduser modules then you
are running pretty strict.

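Before step 4 above it helps to confirm that nothing still depends on unconfined_u or unconfined_t. The script below is an added example, not part of this thread: it parses `semanage login -l` and `ps -eZ` output (the column layout is assumed from RHEL 6 style output) and reports login mappings and processes that would be affected; run it with `--live` on the host, or with no argument to exercise it on the constructed sample data embedded in it.

```shell
#!/bin/sh
# Audit helper (hypothetical, not from the mailing list): find what still
# relies on the unconfined SELinux user / domain before disabling the module.

# Print the Linux login names whose SELinux user is unconfined_u.
# Input on stdin: the text of `semanage login -l` (columns: login, SELinux
# user, MLS/MCS range). The header line does not match and is skipped.
unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# Print "PID CMD" for every process whose security context type is exactly
# unconfined_t. Input on stdin: the text of `ps -eZ` (first column is the
# context user:role:type:range). The header row is skipped by NR > 1.
unconfined_procs() {
    awk 'NR > 1 { split($1, ctx, ":"); if (ctx[3] == "unconfined_t") print $2, $NF }'
}

# Constructed sample output, shaped like `semanage login -l` on RHEL 6.
SAMPLE_LOGINS='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
auditor                   staff_u                   s0-s0:c0.c1023'

# Constructed sample output, shaped like `ps -eZ`. The last line is a
# different unconfined-derived type and must NOT be reported as unconfined_t.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:sshd_t:s0-s0:c0.c1023 1102 ? 00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 2400 pts/0 00:00:03 java'

main() {
    if [ "${1:-}" = "--live" ]; then
        echo "== logins mapped to unconfined_u (fix with: semanage login -m)"
        semanage login -l | unconfined_logins
        echo "== processes running in unconfined_t"
        ps -eZ | unconfined_procs
    else
        echo "== sample logins mapped to unconfined_u"
        printf '%s\n' "$SAMPLE_LOGINS" | unconfined_logins
        echo "== sample processes running in unconfined_t"
        printf '%s\n' "$SAMPLE_PS" | unconfined_procs
    fi
}

main "$@"
```

Files carrying unconfined_u in their context are not covered here; `find / -context '*unconfined_u*'` lists them, and step 5 (`fixfiles onboot`) relabels them.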


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
