On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar (anmajumd) wrote: > We are on RHEL6 and we need to remove the unconfined type from our targeted > Selinux policies so that no process runs in the unconfined domain. > > In order to achieve that we have removed the unconfined module .Is there > anything > Else we need to do. > > Thanks, > Anamitra You can also disable the unconfineduser module to make it even more strict but if you do make sure that no users are mapped to unconfined_u and relabel the file system because selinux will change contexts that have unconfined_u in them to unlabeled_t is unconfined_u no longer exists so in theory: 1. setenforce 0 2. change you logging mappings to exclude unconfined_u 3. purge /tmp and /var/tmp 4. semodule unconfineduser 5. fixfiles onboot && reboot I think that should take care of it Not though that even then there will be some unconfined domains left There is no way to get them out without manually editing and rebuilding the policy But if you disabled the unconfined and unconfineduser modules then you are running pretty strict > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
