On 01/15/2013 12:19 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Dan,
>
> Thanks for the prompt response.
>
> The reason I brought this thread alive is because I see a lot of denials
> after removing the unconfined type and doing a fixfiles && reboot and, as
> you indicated, there are many resources that have acquired unlabeled_t and
> hence we see a lot of denials. So based on this I would like to ask when
> exactly we should have the reboot after executing fixfiles. Should the
> reboot be immediate after we have removed the unconfined type or can it
> wait for a later time?
>
> Thanks, Anamitra
>
> On 1/15/13 9:08 AM, "Daniel J Walsh" <dwalsh@xxxxxxxxxx> wrote:
>
> On 01/15/2013 11:48 AM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>> Hi Dominick,
>>>>
>>>> Can you help me understand why step 5 is needed.
>>>>
>>>> Thanks, Anamitra
>>>>
>>>> On 10/30/12 1:03 PM, "Dominick Grift" <dominick.grift@xxxxxxxxx> wrote:
>>>>>
>>>>> On Tue, 2012-10-30 at 19:45 +0000, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>>>> We are on RHEL6 and we need to remove the unconfined type from
>>>>>> our targeted SELinux policies so that no process runs in the
>>>>>> unconfined domain.
>>>>>>
>>>>>> In order to achieve that we have removed the unconfined module.
>>>>>> Is there anything else we need to do?
>>>>>>
>>>>>> Thanks, Anamitra
>>>>>
>>>>> You can also disable the unconfineduser module to make it even
>>>>> more strict,
>>>>>
>>>>> but if you do, make sure that no users are mapped to unconfined_u
>>>>> and relabel the file system, because SELinux will change contexts
>>>>> that have unconfined_u in them to unlabeled_t if unconfined_u no
>>>>> longer exists.
>>>>>
>>>>> So in theory:
>>>>>
>>>>> 1. setenforce 0
>>>>> 2. change your login mappings to exclude unconfined_u
>>>>> 3. purge /tmp and /var/tmp
>>>>> 4. semodule unconfineduser
>>>>> 5. fixfiles onboot && reboot
>>>>>
>>>>> I think that should take care of it.
>>>>>
>>>>> Note though that even then there will be some unconfined domains
>>>>> left.
>>>>>
>>>>> There is no way to get them out without manually editing and
>>>>> rebuilding the policy.
>>>>>
>>>>> But if you disabled the unconfined and unconfineduser modules then
>>>>> you are running pretty strict.
>>>>>
>>>>>> --
>>>>>> selinux mailing list
>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> If you have any files that are owned by unconfined_u they will become
> unlabeled_t and not able to be used by confined domains, which is why the
> relabel is required.

If you have any processes running on your system that are unconfined_t then
they will become unlabeled_t and start generating AVCs. Any confined apps
that are trying to read unlabeled_u files will start to fail also. It is
probably best to do this in single user mode/permissive and then clean up
the disk.
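As an added example (not from anyone in the thread), a pre-flight check for the procedure discussed above: it lists the login mappings, running processes and files that still reference unconfined_u/unconfined_t, i.e. exactly the things that turn into unlabeled_t and produce denials if the unconfineduser module is removed without a relabel. The SAMPLE_* strings are constructed stand-ins for the output of `semanage login -l`, `ps -eZ` and `ls -Z` as formatted on RHEL6; on a live system pipe the real command output into the functions instead.

```shell
#!/bin/sh
# Pre-flight checks before disabling the unconfined/unconfineduser modules.
# Each function filters command output fed on stdin. The SAMPLE_* strings are
# constructed stand-ins for real `semanage login -l`, `ps -eZ` and `ls -Z`
# output on a RHEL6 box; on a live system pipe the real commands in instead.

# Step 2 of the thread's procedure: logins still mapped to unconfined_u.
unconfined_logins() {
    awk 'NR > 1 && $2 == "unconfined_u" { print $1 }'
}

# Processes currently in the unconfined_t domain; once the type is gone they
# become unlabeled_t and start generating AVC denials.
unconfined_procs() {
    awk 'NR > 1 { split($1, ctx, ":"); if (ctx[3] == "unconfined_t") print $2 ":" $NF }'
}

# Files whose context carries the unconfined_u SELinux user; these are what
# the relabel (fixfiles onboot) must fix before confined domains can use them.
unconfined_files() {
    awk '{ split($4, ctx, ":"); if (ctx[1] == "unconfined_u") print $NF }'
}

SAMPLE_LOGINS='Login Name                SELinux User              MLS/MCS Range
__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:00 bash
system_u:system_r:sshd_t:s0-s0:c0.c1023 1200 ?        00:00:00 sshd'

SAMPLE_LS='-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/.bashrc
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/hosts
drwxrwxrwt. root root unconfined_u:object_r:tmp_t:s0 /tmp/work'

echo "Logins mapped to unconfined_u (fix with semanage login before step 4):"
printf '%s\n' "$SAMPLE_LOGINS" | unconfined_logins
echo "Processes still in unconfined_t (stop or re-exec them first):"
printf '%s\n' "$SAMPLE_PS" | unconfined_procs
echo "Files carrying unconfined_u (these need the relabel):"
printf '%s\n' "$SAMPLE_LS" | unconfined_files
```

If any of the three lists is non-empty, the thread's advice applies: fix the mappings, stop the processes, and run the relabel in permissive/single-user mode before going back to enforcing.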