Re: Removing unconfined type

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/15/2013 11:48 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Dominick,
> 
> Can you help me understand why step 5 is needed.
> 
> Thanks, Anamitra
> 
> On 10/30/12 1:03 PM, "Dominick Grift" <dominick.grift@xxxxxxxxx> wrote:
> 
>> 
>> 
>> On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar (anmajumd) 
>> wrote:
>>> We are on RHEL6 and we need to remove the unconfined type from our 
>>> targeted Selinux policies so that no process runs in the unconfined
>>> domain.
>>> 
>>> In order to achieve that we have removed the unconfined module .Is
>>> there anything Else we need to do.
>>> 
>>> Thanks, Anamitra
>> 
>> You can also disable the unconfineduser module to make it even more 
>> strict
>> 
>> but if you do make sure that no users are mapped to unconfined_u and 
>> relabel the file system because selinux will change contexts that have 
>> unconfined_u in them to unlabeled_t is unconfined_u no longer exists
>> 
>> so in theory:
>> 
>> 1. setenforce 0 2. change you logging mappings to exclude unconfined_u 3.
>> purge /tmp and /var/tmp 4. semodule unconfineduser 5. fixfiles onboot &&
>> reboot
>> 
>> I think that should take care of it
>> 
>> Not though that even then there will be some unconfined domains left
>> 
>> There is no way to get them out without manually editing and rebuilding 
>> the policy
>> 
>> But if you disabled the unconfined and unconfineduser modules then you 
>> are running  pretty strict
>> 
>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>> 
>> 
>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
If you have any files that are owned by unconfined_u they will become
unlabeled_t and not able to be used by confined domains, which is why the
relabel is required.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlD1jSkACgkQrlYvE4MpobM/lgCgpj/7c1J2ZDtoNazcScHiqm4g
HQUAoIg2VCS8nqJsSa9E0gDowFH4UbeK
=zUUf
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux