On 01/15/2013 11:48 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Dominick,
>
> Can you help me understand why step 5 is needed.
>
> Thanks,
> Anamitra
>
> On 10/30/12 1:03 PM, "Dominick Grift" <dominick.grift@xxxxxxxxx> wrote:
>
>> On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar (anmajumd) wrote:
>>> We are on RHEL6 and we need to remove the unconfined type from our
>>> targeted SELinux policies so that no process runs in the unconfined
>>> domain.
>>>
>>> In order to achieve that we have removed the unconfined module. Is
>>> there anything else we need to do.
>>>
>>> Thanks,
>>> Anamitra
>>>
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>> You can also disable the unconfineduser module to make it even more
>> strict
>>
>> but if you do, make sure that no users are mapped to unconfined_u and
>> relabel the file system, because SELinux will change contexts that have
>> unconfined_u in them to unlabeled_t if unconfined_u no longer exists
>>
>> so in theory:
>>
>> 1. setenforce 0
>> 2. change your logging mappings to exclude unconfined_u
>> 3. purge /tmp and /var/tmp
>> 4. semodule unconfineduser
>> 5. fixfiles onboot && reboot
>>
>> I think that should take care of it
>>
>> Note though that even then there will be some unconfined domains left
>>
>> There is no way to get them out without manually editing and rebuilding
>> the policy
>>
>> But if you disabled the unconfined and unconfineduser modules then you
>> are running pretty strict

If you have any files that are owned by unconfined_u they will become
unlabeled_t and not able to be used by confined domains, which is why
the relabel is required.
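The two things Dominick warns about before disabling unconfineduser are login mappings to unconfined_u and files whose context still carries unconfined_u (which would turn into unlabeled_t once the identity is gone). The pre-flight check below is an added example, not code from the thread or from the Fedora SELinux project; it parses constructed samples of `semanage login -l` and `ls -Z` output so it runs offline, and the function names (`unconfined_logins`, `unconfined_files`, `preflight`) are hypothetical. On a real host you would feed it the live command output and only proceed to `semodule -d unconfineduser` and the `fixfiles onboot` relabel when it reports nothing.

```shell
#!/bin/sh
# Added example: pre-flight check before disabling the unconfineduser module.
# It flags the two conditions the thread says must be cleared first:
#   - login mappings that still point at the unconfined_u SELinux user
#   - file contexts that still carry unconfined_u as their user field
# Input is passed in as text so the check can run against captured output.

# Constructed sample of `semanage login -l` output (columns: login, SELinux
# user, MLS/MCS range, service). Not from a real system.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
anamitra             staff_u              s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *'

# Constructed sample of `ls -Z` style output: the context is the 4th field,
# the path is the last field. Not from a real system.
SAMPLE_FILES='-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /root/notes.txt
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/hosts
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp
-rw-------. anamitra anamitra unconfined_u:object_r:user_tmp_t:s0 /tmp/session.lock'

# Print the login names still mapped to unconfined_u (header line skipped).
# These need `semanage login -m` to another SELinux user (e.g. staff_u) first.
unconfined_logins() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "unconfined_u" { print $1 }'
}

# Print the paths whose context user field is unconfined_u. These are the
# files that would become unlabeled_t without the relabel in step 5.
unconfined_files() {
    printf '%s\n' "$1" | awk '$4 ~ /^unconfined_u:/ { print $NF }'
}

# Return 0 (safe to disable unconfineduser) only when both lists are empty.
preflight() {
    logins=$(unconfined_logins "$1")
    files=$(unconfined_files "$2")
    if [ -n "$logins" ]; then
        printf 'logins still mapped to unconfined_u:\n%s\n' "$logins" >&2
    fi
    if [ -n "$files" ]; then
        printf 'files still labeled unconfined_u (relabel required):\n%s\n' "$files" >&2
    fi
    [ -z "$logins" ] && [ -z "$files" ]
}

# Usage on the constructed samples: the check fails because both lists are
# non-empty, which is exactly the state the thread says not to disable from.
if preflight "$SAMPLE_LOGINS" "$SAMPLE_FILES"; then
    echo "safe to run: semodule -d unconfineduser && fixfiles onboot"
else
    echo "not safe yet: fix the mappings above, then relabel"
fi
```

The `__default__` mapping is the one to watch: on a targeted RHEL6 box it maps every otherwise-unlisted login to unconfined_u, so remapping individual users is not enough. The `/tmp` entries in the sample are why the thread purges /tmp and /var/tmp before the relabel rather than relying on `fixfiles` alone.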