Re: Removing unconfined type

Hi Dan,

Thanks for the prompt response.

The reason I brought this thread alive is because I see a lot of denials
after removing the unconfined type and doing a fixfiles && reboot and, as
you indicated, there are many resources that have acquired unlabeled_t and
hence we see a lot of denials.
So based on this I would like to ask when exactly we should have the
reboot after executing fixfiles. Should the reboot be immediate after we
have removed the unconfined type, or can it wait for a later time?

Thanks,
Anamitra

On 1/15/13 9:08 AM, "Daniel J Walsh" <dwalsh@xxxxxxxxxx> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 01/15/2013 11:48 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
>> Hi Dominick,
>> 
>> Can you help me understand why step 5 is needed.
>> 
>> Thanks, Anamitra
>> 
>> On 10/30/12 1:03 PM, "Dominick Grift" <dominick.grift@xxxxxxxxx> wrote:
>> 
>>> 
>>> 
>>> On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar (anmajumd)
>>> wrote:
>>>> We are on RHEL6 and we need to remove the unconfined type from our
>>>> targeted Selinux policies so that no process runs in the unconfined
>>>> domain.
>>>> 
>>>> In order to achieve that we have removed the unconfined module .Is
>>>> there anything Else we need to do.
>>>> 
>>>> Thanks, Anamitra
>>> 
>>> You can also disable the unconfineduser module to make it even more
>>> strict
>>> 
>>> but if you do make sure that no users are mapped to unconfined_u and
>>> relabel the file system because selinux will change contexts that have
>>> unconfined_u in them to unlabeled_t if unconfined_u no longer exists
>>> 
>>> so in theory:
>>> 
>>> 1. setenforce 0
>>> 2. change your login mappings to exclude unconfined_u
>>> 3. purge /tmp and /var/tmp
>>> 4. semodule unconfineduser
>>> 5. fixfiles onboot && reboot
>>> 
>>> I think that should take care of it
>>> 
>>> Note though that even then there will be some unconfined domains left
>>> 
>>> There is no way to get them out without manually editing and
>>> rebuilding the policy
>>> 
>>> But if you disabled the unconfined and unconfineduser modules then you
>>> are running pretty strict
>>> 
>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> 
>>> 
>> 
>If you have any files that are owned by unconfined_u they will become
>unlabeled_t and not able to be used by confined domains, which is why the
>relabel is required.
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.13 (GNU/Linux)
>Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
>iEYEARECAAYFAlD1jSkACgkQrlYvE4MpobM/lgCgpj/7c1J2ZDtoNazcScHiqm4g
>HQUAoIg2VCS8nqJsSa9E0gDowFH4UbeK
>=zUUf
>-----END PGP SIGNATURE-----

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
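The thread's advice is that before disabling the unconfineduser module you must find every login mapped to unconfined_u and every file whose context carries unconfined_u, and that afterwards any leftover unlabeled_t objects show up as AVC denials from confined domains. The script below is an added example, not code from the thread or from any SELinux tool; it parses constructed sample output in the shape of `semanage login -l`, `ls -Z`, and `/var/log/audit/audit.log` lines (all three samples are made up here, and the helper names are my own) so that an administrator can see which mappings and paths need attention before the relabel and which domains are hitting unlabeled_t after it.

```python
"""Pre- and post-relabel checks for removing unconfined_u (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample in the layout of `semanage login -l` (not real system output).
SAMPLE_LOGIN_MAP = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
anamitra             staff_u              s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
"""

# Constructed sample of `ls -Z`-style "context path" lines.
SAMPLE_FILE_CONTEXTS = """\
unconfined_u:object_r:user_home_t:s0 /home/anamitra/.bashrc
system_u:object_r:etc_t:s0 /etc/passwd
unconfined_u:object_r:user_tmp_t:s0 /tmp/build.log
system_u:object_r:tmp_t:s0 /tmp/systemd-private
"""

# Constructed AVC records in audit.log format; the timestamps and pids are invented.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1358265600.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1358265601.456:457): avc:  denied  { getattr } for  pid=1235 comm="sshd" path="/var/tmp/x" dev=dm-0 ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1358265602.789:458): avc:  denied  { write } for  pid=1236 comm="named" name="data" dev=dm-0 ino=77 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""


def logins_mapped_to(text, seuser="unconfined_u"):
    """Return login names whose SELinux user column equals `seuser` (step 2 of the thread)."""
    names = []
    for line in text.splitlines():
        parts = line.split()
        # Header and blank lines never have `seuser` in the second column.
        if len(parts) >= 2 and parts[1] == seuser:
            names.append(parts[0])
    return names


def files_with_seuser(text, seuser="unconfined_u"):
    """Return paths whose context starts with `seuser`.

    These are the objects the thread says will turn into unlabeled_t once the
    SELinux user no longer exists, i.e. the reason the relabel is required.
    """
    paths = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ctx, path = line.split(None, 1)
        if ctx.split(":")[0] == seuser:
            paths.append(path)
    return paths


# Fields of an AVC line: permission set, command, source/target contexts, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)'
)


def unlabeled_denials(text):
    """Count AVC denials per source domain whose target type is unlabeled_t.

    Denials against other types are left out because they are not caused by
    the missing relabel and need ordinary policy work instead.
    """
    counts = Counter()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        target_type = m.group("tctx").split(":")[2]
        if target_type == "unlabeled_t":
            source_domain = m.group("sctx").split(":")[2]
            counts[source_domain] += 1
    return counts


if __name__ == "__main__":
    print("logins still mapped to unconfined_u:", logins_mapped_to(SAMPLE_LOGIN_MAP))
    print("files that would become unlabeled_t:", files_with_seuser(SAMPLE_FILE_CONTEXTS))
    print("denials on unlabeled_t by domain:", dict(unlabeled_denials(SAMPLE_AUDIT)))
```

On a real system the three inputs would come from `semanage login -l`, a `find` over the file systems printing contexts, and `ausearch -m AVC` respectively; a non-empty result from either of the first two functions before disabling the module, or from the third afterwards, means the relabel described in the thread has not yet been completed.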
