Hi Dominick,

Can you help me understand why step 5 is needed?

Thanks,
Anamitra

On 10/30/12 1:03 PM, "Dominick Grift" <dominick.grift@xxxxxxxxx> wrote:

>On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar (anmajumd)
>wrote:
>> We are on RHEL6 and we need to remove the unconfined type from our
>> targeted SELinux policies so that no process runs in the unconfined domain.
>>
>> In order to achieve that we have removed the unconfined module. Is there
>> anything else we need to do?
>>
>> Thanks,
>> Anamitra
>
>You can also disable the unconfineduser module to make it even more
>strict,
>
>but if you do, make sure that no users are mapped to unconfined_u and
>relabel the file system, because SELinux will change contexts that have
>unconfined_u in them to unlabeled_t if unconfined_u no longer exists.
>
>So in theory:
>
>1. setenforce 0
>2. change your login mappings to exclude unconfined_u
>3. purge /tmp and /var/tmp
>4. semodule -d unconfineduser
>5. fixfiles onboot && reboot
>
>I think that should take care of it.
>
>Note though that even then there will be some unconfined domains left.
>
>There is no way to get them out without manually editing and rebuilding
>the policy.
>
>But if you disabled the unconfined and unconfineduser modules then you
>are running pretty strict.
>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
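The pre-flight check behind steps 2 and 4, and the five steps themselves, as an added shell example that is not part of this thread and not Dominick's or the selinux list's code. It parses the RHEL 6 column layout of `semanage login -l` (login name, SELinux user, MLS/MCS range) and of `semodule -l` (name, version, and a third column reading `Disabled` for disabled modules); both layouts, the choice of `staff_u` as the replacement SELinux user for remapped logins, and the constructed sample listings below are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the thread. Pre-flight checks and apply steps for
# retiring unconfined_u / the unconfineduser module on RHEL 6.
# Assumptions: RHEL 6 output formats of `semanage login -l` and `semodule -l`,
# and staff_u as the SELinux user to remap leftover logins to.

# Constructed sample of `semanage login -l` output (not captured from a real host).
SAMPLE_LOGIN_LIST='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
alice                     staff_u                   s0-s0:c0.c1023'

# Constructed sample of `semodule -l` output (assumed third column "Disabled").
SAMPLE_MODULE_LIST='unconfined        3.3.1
unconfineduser    1.0.0   Disabled
userhelper        1.6.1
zebra             1.12.0'

# Print every login name still mapped to unconfined_u.
# Reads `semanage login -l` output on stdin; the header line has "Name" in
# column 2 and the blank line has no column 2, so neither matches.
find_unconfined_logins() {
    awk '$2 == "unconfined_u" { print $1 }'
}

# Print unconfined / unconfineduser modules that are loaded and not disabled.
# Reads `semodule -l` output on stdin.
enabled_unconfined_modules() {
    awk '$1 ~ /^unconfined(user)?$/ && $3 != "Disabled" { print $1 }'
}

# Succeeds (exit 0) only when no login maps to unconfined_u and neither
# unconfined module is still enabled. Needs the real tools, so not run by tests.
preflight_ok() {
    local logins modules
    logins=$(semanage login -l | find_unconfined_logins)
    modules=$(semodule -l | enabled_unconfined_modules)
    [ -z "$logins" ] && [ -z "$modules" ]
}

# The five steps from the reply, in order. Destructive: remaps logins, purges
# /tmp and /var/tmp, disables the module, schedules a full relabel, reboots.
apply_unconfined_removal() {
    setenforce 0                                                  # step 1
    semanage login -l | find_unconfined_logins | while read -r login; do
        semanage login -m -s staff_u "$login"                     # step 2 (staff_u assumed)
    done
    find /tmp /var/tmp -xdev -mindepth 1 -delete                  # step 3
    semodule -d unconfineduser                                    # step 4
    fixfiles onboot && reboot                                     # step 5
}

case "${1:-}" in
    --check) preflight_ok && echo "clean" || echo "unconfined_u still referenced" ;;
    --apply) apply_unconfined_removal ;;
    --demo)  printf '%s\n' "$SAMPLE_LOGIN_LIST"  | find_unconfined_logins
             printf '%s\n' "$SAMPLE_MODULE_LIST" | enabled_unconfined_modules ;;
esac
```

Run it with `--demo` to see the parsers flag `__default__` and `root` from the sample login list and `unconfined` from the sample module list; `--check` runs the same parsers against the live host. Step 5 is what keeps the files that still carry `unconfined_u` in their context from turning into `unlabeled_t` once the identity is gone: `fixfiles onboot` schedules a full relabel at the next boot, and the `semanage login` remapping in step 2 must happen first so the relabel has a valid user to assign.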